[SECURITY-1338] Prevent unsandboxed invocation of constructors

jenkinsci · Feb 27, 2019 · 40777c2 · 40777c2
1 parent c536a7c
commit 40777c2
Show file tree

Hide file tree

Showing 3 changed files with 19 additions and 9 deletions.
diff --git a/pom.xml b/pom.xml
@@ -53,7 +53,7 @@
         <dependency>
             <groupId>org.jenkins-ci.plugins</groupId>
             <artifactId>script-security</artifactId>
-            <version>1.50</version>
+            <version>1.54</version>
         </dependency>
     </dependencies>
 

diff --git a/src/main/java/hudson/plugins/groovy/StringScriptSource.java b/src/main/java/hudson/plugins/groovy/StringScriptSource.java
@@ -1,6 +1,5 @@
 package hudson.plugins.groovy;
 
-import groovy.lang.GroovyShell;
 import hudson.Extension;
 import hudson.FilePath;
 import hudson.model.BuildListener;
@@ -9,10 +8,10 @@
 import hudson.util.FormValidation;
 
 import java.io.IOException;
-import org.codehaus.groovy.control.CompilationFailedException;
 import org.jenkinsci.plugins.scriptsecurity.sandbox.groovy.GroovySandbox;
 import org.kohsuke.stapler.DataBoundConstructor;
 import org.kohsuke.stapler.QueryParameter;
+import org.kohsuke.stapler.interceptor.RequirePOST;
 
 /**
  * Groovy script specified by command string.
@@ -63,16 +62,12 @@ public String getDisplayName() {
             return "Groovy command";
         }
 
+        @RequirePOST
         public FormValidation doCheckScript(@QueryParameter String command) {
             if (command == null || command.trim().isEmpty())
                 return FormValidation.error("Script seems to be empty string!");
 
-            try {
-                new GroovyShell(GroovySandbox.createSecureCompilerConfiguration()).parse(command);
-                return FormValidation.ok("So far so good");
-            } catch (CompilationFailedException e) {
-                return FormValidation.error(e.getMessage());
-            }
+            return GroovySandbox.checkScriptForCompilationErrors(command, null);
         }
     }
 }
diff --git a/src/test/java/hudson/plugins/groovy/StringScriptSourceTest.java b/src/test/java/hudson/plugins/groovy/StringScriptSourceTest.java
@@ -24,12 +24,14 @@
 
 package hudson.plugins.groovy;
 
+import hudson.util.FormValidation;
 import org.junit.Rule;
 import org.junit.Test;
 import org.jvnet.hudson.test.Issue;
 import org.jvnet.hudson.test.JenkinsRule;
 
 import static org.hamcrest.Matchers.containsString;
+import static org.hamcrest.Matchers.equalTo;
 import static org.junit.Assert.assertNull;
 import static org.junit.Assert.assertThat;
 
@@ -58,4 +60,17 @@ public void blockGrab() throws Exception {
         assertThat(d.doCheckScript("@Grab(group='foo', module='bar', version='1.0')\ndef foo\n").toString(),
                 containsString("Annotation Grab cannot be used in the sandbox"));
     }
+
+    @Issue("SECURITY-1338")
+    @Test
+    public void doNotExecuteConstructors() throws Exception {
+        StringScriptSource.DescriptorImpl d = j.jenkins.getDescriptorByType(StringScriptSource.DescriptorImpl.class);
+        assertThat(d.doCheckScript("class DoNotRunConstructor {\n" +
+            "  static void main(String[] args) {}\n" +
+            "  DoNotRunConstructor() {\n" +
+            "    assert jenkins.model.Jenkins.instance.createProject(hudson.model.FreeStyleProject, 'should-not-exist')\n" +
+            "  }\n" +
+            "}\n").kind, equalTo(FormValidation.Kind.OK)); // Compilation ends before the constructor is invoked.
+        assertNull(j.jenkins.getItem("should-not-exist"));
+    }
 }