/**
 * Checks that applying {@code combinationFilter} to {@code project} results in exactly one
 * pending script-approval entry whose signature equals {@code signature}, and then approves
 * that signature so the next call can advance to the following unapproved signature.
 *
 * <p>The helper requires the pending-signature set to be empty on entry and leaves it empty
 * on exit. The approval is made on the instance returned by {@code ScriptApproval.get()}, so
 * it remains in effect for whatever runs after this helper.
 *
 * <p>NOTE(review): the {@code try} block has no failure path for the case where
 * {@code setCombinationFilter} returns normally. A {@link RejectedAccessException} is
 * checked when it is thrown, but it is not required; the rejection is actually enforced by
 * the pending-signature assertions that follow. Whether {@code setCombinationFilter}
 * propagates the exception or records it internally is not visible here, so confirm before
 * tightening.
 *
 * @param project the matrix project whose combination filter is set
 * @param combinationFilter the filter script expected to be blocked
 * @param signature the signature expected to be reported as pending
 * @throws IOException declared by the calls made here; the throwing call is not identifiable
 *     from this method alone
 */
private static void expectRejection(
        MatrixProject project, String combinationFilter, String signature) throws IOException {
    ScriptApproval approvals = ScriptApproval.get();

    // Precondition: nothing may be waiting for approval, otherwise the "exactly one" check
    // below could be satisfied by a leftover entry from an earlier step.
    assertEquals(Collections.emptySet(), approvals.getPendingSignatures());

    try {
        project.setCombinationFilter(combinationFilter);
    } catch (RejectedAccessException rejected) {
        // On mismatch, the full stack trace is used as the assertion message.
        assertEquals(Functions.printThrowable(rejected), signature, rejected.getSignature());
    }

    // Exactly one signature must have been queued, and it must be the expected one.
    Set<ScriptApproval.PendingSignature> pending = approvals.getPendingSignatures();
    assertEquals(1, pending.size());
    ScriptApproval.PendingSignature onlyEntry = pending.iterator().next();
    assertEquals(signature, onlyEntry.signature);

    // Approve it; approval is expected to clear the pending set again.
    approvals.approveSignature(signature);
    assertEquals(Collections.emptySet(), approvals.getPendingSignatures());
}
/**
 * Regression test for SECURITY-125: a combination filter that reaches into the Jenkins
 * instance must be blocked signature by signature until each one is explicitly approved.
 *
 * <p>The filter calls {@code Jenkins.getInstance()} and then {@code setSystemMessage}. The
 * test sets it three times:
 *
 * <ol>
 *   <li>first attempt: the static {@code getInstance} call is reported as pending, is
 *       approved by the helper, and the system message is still {@code null};
 *   <li>second attempt: the {@code setSystemMessage} call is reported as pending, is
 *       approved by the helper, and the system message is still {@code null};
 *   <li>third attempt: with both signatures approved, the filter takes effect and the system
 *       message changes.
 * </ol>
 *
 * <p>The {@code assertNull} checks are the security-relevant ones: they show that a rejected
 * filter had no side effect on the controller, not merely that a rejection was reported.
 *
 * @throws Exception if project creation or any of the filter updates fails unexpectedly
 */
@Issue("SECURITY-125")
@Test
public void combinationFilterSecurity() throws Exception {
    final String filterScript = "jenkins.model.Jenkins.getInstance().setSystemMessage('hacked')";
    final String getInstanceSignature = "staticMethod jenkins.model.Jenkins getInstance";
    final String setMessageSignature =
            "method jenkins.model.Jenkins setSystemMessage java.lang.String";

    MatrixProject matrix = j.createMatrixProject();

    // Step 1: the static accessor is the first unapproved call, and nothing has been changed.
    expectRejection(matrix, filterScript, getInstanceSignature);
    assertNull(j.jenkins.getSystemMessage());

    // Step 2: with getInstance approved, the setter is the next call to be blocked.
    expectRejection(matrix, filterScript, setMessageSignature);
    assertNull(j.jenkins.getSystemMessage());

    // Step 3: both signatures were approved above, so the same filter now takes effect. The
    // assertion message marks this as the expected result of those approvals.
    matrix.setCombinationFilter(filterScript);
    assertEquals("you asked for it", "hacked", j.jenkins.getSystemMessage());
}