Merge pull request #6 from jglick/className-JENKINS-68544
[JENKINS-68544] `\Q…\E` unsafe if input might contain `\E`
jglick authored Jun 6, 2022
2 parents 3a7f422 + d8d6810 commit aafc25d
Showing 2 changed files with 24 additions and 10 deletions.
@@ -49,6 +49,7 @@
import java.util.logging.Logger;
import edu.umd.cs.findbugs.annotations.CheckForNull;
import edu.umd.cs.findbugs.annotations.NonNull;
import java.util.regex.Pattern;
import org.apache.commons.io.IOUtils;
import org.jenkinsci.plugins.workflow.cps.CpsFlowExecution;
import org.jenkinsci.plugins.workflow.cps.GlobalVariable;
@@ -322,7 +323,7 @@ private static String readResource(FilePath file, @CheckForNull String encoding)
continue;
}
for (FilePath groovy : root.list("**/*.groovy")) {
String clazz = groovy.getRemote().replaceFirst("^\\Q" + root.getRemote() + "\\E[/\\\\](.+)[.]groovy", "$1").replace('/', '.').replace('\\', '.');
String clazz = className(groovy.getRemote(), root.getRemote());
scripts.put(clazz, groovy.readToString()); // TODO no idea what encoding the Groovy compiler uses
}
}
@@ -335,6 +336,10 @@ private static String readResource(FilePath file, @CheckForNull String encoding)
return scripts;
}

static String className(String groovy, String root) {
return groovy.replaceFirst("^" + Pattern.quote(root) + "[/\\\\](.+)[.]groovy", "$1").replace('/', '.').replace('\\', '.');
}

}

@Extension public static class Copier extends FlowCopier.ByRun {
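Review bot: `className` has no handling for a path that does not match: `String.replaceFirst` returns its input unchanged in that case, so the method would return the whole path with its separators turned into dots, and the caller uses that value as the key in `scripts.put(clazz, ...)`. Paths produced by `root.list("**/*.groovy")` should always sit under `root.getRemote()`, so this is probably unreachable today, but an explicit failure is easier to diagnose than a wrong class name. I would match explicitly, `Matcher m = Pattern.compile("^" + Pattern.quote(root) + "[/\\\\](.+)[.]groovy$").matcher(groovy);` followed by `if (!m.matches()) throw new IllegalArgumentException(groovy + " is not under " + root);`, and build the name from `m.group(1)` (this needs `java.util.regex.Matcher`). A one-line Javadoc saying that `root` is quoted with `Pattern.quote` because a path may itself contain `\E` would keep the fix from being reverted to `\Q…\E`. The method containing the calling loop starts outside the hunk.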
@@ -30,12 +30,10 @@
import hudson.model.Result;
import hudson.plugins.git.BranchSpec;
import hudson.plugins.git.GitSCM;
import hudson.plugins.git.SubmoduleConfig;
import hudson.plugins.git.UserRemoteConfig;
import hudson.plugins.git.extensions.GitSCMExtension;
import hudson.slaves.WorkspaceList;
import hudson.scm.SubversionSCM;
import hudson.scm.ChangeLogSet;
import hudson.scm.SubversionSCM;
import hudson.slaves.WorkspaceList;
import java.util.Collection;
import java.util.Collections;
import java.util.Iterator;
@@ -45,25 +43,28 @@
import jenkins.plugins.git.GitSampleRepoRule;
import jenkins.scm.impl.subversion.SubversionSCMSource;
import jenkins.scm.impl.subversion.SubversionSampleRepoRule;
import static org.hamcrest.MatcherAssert.assertThat;
import static org.hamcrest.Matchers.is;
import static org.hamcrest.Matchers.nullValue;
import org.jenkinsci.plugins.workflow.cps.CpsFlowDefinition;
import org.jenkinsci.plugins.workflow.cps.GlobalVariable;
import org.jenkinsci.plugins.workflow.cps.global.GrapeTest;
import org.jenkinsci.plugins.workflow.cps.global.UserDefinedGlobalVariable;
import org.jenkinsci.plugins.workflow.cps.replay.ReplayAction;
import org.jenkinsci.plugins.workflow.job.WorkflowJob;
import org.jenkinsci.plugins.workflow.job.WorkflowRun;
import static org.junit.Assert.*;
import static org.junit.Assert.assertEquals;
import static org.junit.Assert.assertNotNull;
import org.junit.ClassRule;
import org.junit.Test;
import org.junit.Rule;
import org.junit.Test;
import org.jvnet.hudson.test.BuildWatcher;
import org.jvnet.hudson.test.Issue;
import org.jvnet.hudson.test.JenkinsRule;
import org.jvnet.hudson.test.TestExtension;
import org.jvnet.hudson.test.WithoutJenkins;
import org.jvnet.hudson.test.recipes.LocalData;

import static org.hamcrest.Matchers.nullValue;

public class LibraryAdderTest {

@ClassRule public static BuildWatcher buildWatcher = new BuildWatcher();
@@ -103,7 +104,7 @@ public class LibraryAdderTest {
new SCMRetriever(
new GitSCM(Collections.singletonList(new UserRemoteConfig(sampleRepo.fileUrl(), null, null, null)),
Collections.singletonList(new BranchSpec("${library.stuff.version}")),
false, Collections.<SubmoduleConfig>emptyList(), null, null, Collections.<GitSCMExtension>emptyList())));
null, null, Collections.emptyList())));
stuff.setDefaultVersion("master");
stuff.setImplicit(true);
GlobalLibraries.get().setLibraries(Collections.singletonList(stuff));
@@ -472,4 +473,12 @@ public void correctLibraryDirectoryUsedWhenResumingOldBuild() throws Exception {
r.assertLogContains("called Foo", b);
}

@Issue("JENKINS-68544")
@WithoutJenkins
@Test public void className() {
assertThat(LibraryAdder.LoadedLibraries.className("/path/to/lib/src/some/pkg/Type.groovy", "/path/to/lib/src"), is("some.pkg.Type"));
assertThat(LibraryAdder.LoadedLibraries.className("C:\\path\\to\\lib\\src\\some\\pkg\\Type.groovy", "C:\\path\\to\\lib\\src"), is("some.pkg.Type"));
assertThat(LibraryAdder.LoadedLibraries.className("C:\\path\\to\\Extra\\lib\\src\\some\\pkg\\Type.groovy", "C:\\path\\to\\Extra\\lib\\src"), is("some.pkg.Type"));
}

}
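Review bot: The third assertion in `className` is the actual regression case for JENKINS-68544, but nothing in the test says why: the `\Extra` directory puts a literal `\E` inside the root path. I would add a comment above it such as `// "\Extra" contains \E, which a hand-written \Q…\E quote would treat as its terminator`. A POSIX case with a backslash in a directory name would cover the same failure on the other separator, for example (constructed path) `assertThat(LibraryAdder.LoadedLibraries.className("/path/to/a\\Eb/src/some/pkg/Type.groovy", "/path/to/a\\Eb/src"), is("some.pkg.Type"));`. The enclosing `LibraryAdderTest` class starts outside the hunk.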
