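/**
 * Asserts that evaluating {@code script} under {@code whitelist} is rejected and that the
 * rejection reports {@code expectedSignature}.
 *
 * <p>{@code assertEvaluate} is defined outside this view; presumably it runs the script under the
 * whitelist and compares the result with its second argument (TODO confirm). A script that is not
 * rejected was previously only caught through that sentinel comparison, so the missing rejection
 * is now reported explicitly.
 *
 * @param whitelist the whitelist the script is evaluated against
 * @param expectedSignature the signature the {@link RejectedAccessException} must carry
 * @param script the script source expected to be rejected
 */
private static void assertRejected(Whitelist whitelist, String expectedSignature, String script) {
    try {
        assertEvaluate(whitelist, "should be rejected", script);
        // Reaching this line means no rejection happened: fail loudly instead of letting a
        // negative sandbox test pass without having checked anything.
        throw new AssertionError("expected RejectedAccessException for script: " + script);
    } catch (RejectedAccessException x) {
        // The exception message is used as the failure message so a wrong signature is easy to diagnose.
        assertEquals(x.getMessage(), expectedSignature, x.getSignature());
    }
}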
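/**
 * Checks a method call that takes a primitive {@code int} argument: {@code '123'.charAt(1)} must
 * be rejected with a non-null signature under a {@code ProxyWhitelist} built with no delegates,
 * and must evaluate to {@code '2'} once {@code method java.lang.CharSequence charAt int} is
 * whitelisted.
 */
@Issue("JENKINS-25118")
@Test
public void primitiveTypes() throws Exception {
    try {
        assertEvaluate(new ProxyWhitelist(), "should fail", "'123'.charAt(1);");
        // Without this, a call that slipped through would only be caught indirectly by the
        // sentinel comparison inside assertEvaluate (defined outside this view).
        throw new AssertionError("expected RejectedAccessException for '123'.charAt(1)");
    } catch (RejectedAccessException x) {
        // A non-null signature is what makes the rejection something an administrator can approve.
        assertNotNull(x.toString(), x.getSignature());
    }
    assertEvaluate(
            new StaticWhitelist("method java.lang.CharSequence charAt int"),
            '2',
            "'123'.charAt(1);");
}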
/**
 * Sets {@code combinationFilter} on {@code project} and verifies the script-approval bookkeeping
 * around it: no signature is pending beforehand, exactly {@code signature} is pending afterwards,
 * and approving it empties the pending set again.
 *
 * @param project the matrix project whose combination filter is set
 * @param combinationFilter the filter expression to install
 * @param signature the signature expected to be rejected and queued for approval
 * @throws IOException declared by the method; presumably propagated from
 *     {@code setCombinationFilter} or {@code approveSignature} (defined outside this view)
 */
private static void expectRejection(
        MatrixProject project, String combinationFilter, String signature) throws IOException {
    ScriptApproval approval = ScriptApproval.get();
    // Precondition: a clean approval queue, so the single pending entry below is attributable
    // to this filter.
    assertEquals(Collections.emptySet(), approval.getPendingSignatures());

    try {
        project.setCombinationFilter(combinationFilter);
    } catch (RejectedAccessException rejection) {
        // The signature is checked when the setter throws; the pending-signature assertions
        // below run whether or not it did.
        assertEquals(Functions.printThrowable(rejection), signature, rejection.getSignature());
    }

    Set<ScriptApproval.PendingSignature> pending = approval.getPendingSignatures();
    assertEquals(1, pending.size());
    ScriptApproval.PendingSignature onlyEntry = pending.iterator().next();
    assertEquals(signature, onlyEntry.signature);

    // Approving the signature must remove it from the pending set.
    approval.approveSignature(signature);
    assertEquals(Collections.emptySet(), approval.getPendingSignatures());
}
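/**
 * Tests the proper interception of builder-like methods, i.e. calls that Groovy routes through
 * {@code invokeMethod}.
 *
 * <p>The same {@code JsonBuilder} script is evaluated under a {@code BlanketWhitelist} and under a
 * hand-written whitelist. An undefined method on a script-defined class must then be rejected
 * with the generic {@code GroovyObject.invokeMethod} signature, while the message names the call
 * that was actually attempted.
 */
@Test
public void invokeMethod() throws Exception {
    String script =
            "def builder = new groovy.json.JsonBuilder(); builder.point { x 5; y 3; }; builder.toString()";
    String expected = "{\"point\":{\"x\":5,\"y\":3}}";
    assertEvaluate(new BlanketWhitelist(), expected, script);
    // this whitelisting strategy isn't ideal
    // see https://issues.jenkins-ci.org/browse/JENKINS-24982
    // The dynamic whitelist below decides on the method name and receiver type only; it never
    // inspects args, so every invokeMethod call on a JsonBuilder (or on a closure whose delegate
    // is a groovy.json.JsonDelegate) is permitted.
    assertEvaluate(
            new ProxyWhitelist(
                    new AbstractWhitelist() {
                        @Override
                        public boolean permitsMethod(Method method, Object receiver, Object[] args) {
                            if (method.getName().equals("invokeMethod")
                                    && receiver instanceof JsonBuilder) {
                                return true;
                            }
                            if (method.getName().equals("invokeMethod")
                                    && receiver instanceof Closure) {
                                // JsonDelegate is matched by class name rather than instanceof.
                                Object d = ((Closure) receiver).getDelegate();
                                return d.getClass().getName().equals("groovy.json.JsonDelegate");
                            }
                            if (method.getName().equals("toString")
                                    && receiver instanceof JsonBuilder) {
                                return true;
                            }
                            return false;
                        }
                    },
                    new StaticWhitelist(
                            "new groovy.json.JsonBuilder"
                            // Static entries left disabled; the dynamic whitelist above decides these:
                            // "method groovy.json.JsonBuilder toString",
                            // "method groovy.json.JsonBuilder invokeMethod java.lang.String java.lang.Object"
                            )),
            expected,
            script);
    try {
        assertEvaluate(
                new ProxyWhitelist(),
                "should be rejected",
                "class Real {}; def real = new Real(); real.nonexistent(42)");
        // A call that was not rejected must fail the test explicitly rather than rely on the
        // sentinel comparison inside assertEvaluate (defined outside this view).
        throw new AssertionError("expected RejectedAccessException for real.nonexistent(42)");
    } catch (RejectedAccessException x) {
        String message = x.getMessage();
        // The approvable signature is the generic invokeMethod one...
        assertEquals(
                message,
                "method groovy.lang.GroovyObject invokeMethod java.lang.String java.lang.Object",
                x.getSignature());
        // ...while the message still identifies the concrete call that was attempted.
        assertTrue(message, message.contains("Real nonexistent java.lang.Integer"));
    }
}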
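/**
 * Exercises Groovy property syntax ({@code obj.prop}, {@code obj.prop = v}) against whitelists
 * that approve the field, the accessor method, both, or neither.
 *
 * <p>{@code Clazz} is defined outside this view. The expected rejection signatures suggest that
 * {@code prop} is backed by a field plus {@code getProp}/{@code setProp}, and that {@code prop2}
 * exists only through {@code getProp2}/{@code setProp2} (TODO confirm against Clazz).
 */
@Test
public void propertiesAndGettersAndSetters() throws Exception {
    String clazz = Clazz.class.getName();

    // Reading prop: approving the field, the getter, or both is sufficient.
    assertEvaluate(
            new StaticWhitelist("new " + clazz, "field " + clazz + " prop"),
            "default",
            "new " + clazz + "().prop");
    assertEvaluate(
            new StaticWhitelist("new " + clazz, "method " + clazz + " getProp"),
            "default",
            "new " + clazz + "().prop");
    assertEvaluate(
            new StaticWhitelist(
                    "new " + clazz, "field " + clazz + " prop", "method " + clazz + " getProp"),
            "default",
            "new " + clazz + "().prop");
    // With neither approved, the rejection is reported against the field.
    assertRejected(
            new StaticWhitelist("new " + clazz),
            "field " + clazz + " prop",
            "new " + clazz + "().prop");

    // Writing prop: approving the field, the setter, or both is sufficient.
    assertEvaluate(
            new StaticWhitelist(
                    "new " + clazz, "method " + clazz + " getProp", "field " + clazz + " prop"),
            "edited",
            "def c = new " + clazz + "(); c.prop = 'edited'; c.getProp()");
    assertEvaluate(
            new StaticWhitelist(
                    "new " + clazz,
                    "method " + clazz + " getProp",
                    "method " + clazz + " setProp java.lang.String"),
            "edited",
            "def c = new " + clazz + "(); c.prop = 'edited'; c.getProp()");
    assertEvaluate(
            new StaticWhitelist(
                    "new " + clazz,
                    "method " + clazz + " getProp",
                    "field " + clazz + " prop",
                    "method " + clazz + " setProp java.lang.String"),
            "edited",
            "def c = new " + clazz + "(); c.prop = 'edited'; c.getProp()");
    // An approved getter alone must not grant write access.
    assertRejected(
            new StaticWhitelist("new " + clazz, "method " + clazz + " getProp"),
            "field " + clazz + " prop",
            "def c = new " + clazz + "(); c.prop = 'edited'; c.getProp()");

    // prop2: the rejection signatures here name the accessor methods, not a field.
    assertEvaluate(
            new StaticWhitelist("new " + clazz, "method " + clazz + " getProp2"),
            "default",
            "new " + clazz + "().prop2");
    assertRejected(
            new StaticWhitelist("new " + clazz),
            "method " + clazz + " getProp2",
            "new " + clazz + "().prop2");
    assertEvaluate(
            new StaticWhitelist(
                    "new " + clazz,
                    "method " + clazz + " getProp2",
                    "method " + clazz + " setProp2 java.lang.String"),
            "edited",
            "def c = new " + clazz + "(); c.prop2 = 'edited'; c.getProp2()");
    assertRejected(
            new StaticWhitelist("new " + clazz, "method " + clazz + " getProp2"),
            "method " + clazz + " setProp2 java.lang.String",
            "def c = new " + clazz + "(); c.prop2 = 'edited'; c.getProp2()");

    // A property that cannot be resolved is still rejected, but carries no signature,
    // so there is nothing an administrator could approve.
    try {
        assertEvaluate(
                new StaticWhitelist("new " + clazz),
                "should be rejected",
                "new " + clazz + "().nonexistent");
        // Fail explicitly when the read is not rejected instead of relying on the sentinel value.
        throw new AssertionError("expected RejectedAccessException when reading nonexistent");
    } catch (RejectedAccessException x) {
        assertEquals(null, x.getSignature());
        assertEquals("unclassified field " + clazz + " nonexistent", x.getMessage());
    }
    try {
        assertEvaluate(
                new StaticWhitelist("new " + clazz),
                "should be rejected",
                "new " + clazz + "().nonexistent = 'edited'");
        // Same explicit failure for the write path.
        throw new AssertionError("expected RejectedAccessException when writing nonexistent");
    } catch (RejectedAccessException x) {
        assertEquals(null, x.getSignature());
        assertEquals("unclassified field " + clazz + " nonexistent", x.getMessage());
    }
}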