[SECURITY-257] Run Groovy and Jelly scripts only if approved or in se…

…cure sandbox.
jenkinsci · Apr 10, 2017 · 04efc23 · 04efc23
1 parent 26c9046
commit 04efc23
Show file tree

Hide file tree

Showing 60 changed files with 1,896 additions and 321 deletions.
diff --git a/pom.xml b/pom.xml
@@ -4,7 +4,7 @@
     <parent>
         <groupId>org.jenkins-ci.plugins</groupId>
         <artifactId>plugin</artifactId>
-        <version>2.21</version>
+        <version>2.23</version>
         <relativePath />
     </parent>
 
@@ -31,8 +31,7 @@
         <powermock.version>1.6.4</powermock.version>
         <project.build.sourceEncoding>UTF-8</project.build.sourceEncoding>
         <workflow.version>1.10</workflow.version>
-        <jenkins.version>1.609.2</jenkins.version>
-        <jenkins-test-harness.version>2.18</jenkins-test-harness.version>
+        <jenkins.version>1.625.3</jenkins.version>
         <java.level>7</java.level>
         <concurrency>2</concurrency>
         <argLine />
@@ -178,6 +177,11 @@
             <version>${workflow.version}</version>
             <scope>test</scope>
         </dependency>
+        <dependency>
+            <groupId>org.jenkins-ci.plugins</groupId>
+            <artifactId>script-security</artifactId>
+            <version>1.27</version>
+        </dependency>
 
         <!-- testing -->
         <dependency>
@@ -298,6 +302,14 @@
                     <arguments>-DskipTests=true</arguments>
                 </configuration>
             </plugin>
+            <plugin>
+                <groupId>org.jenkins-ci.tools</groupId>
+                <artifactId>maven-hpi-plugin</artifactId>
+                <extensions>true</extensions>
+                <configuration>
+                    <compatibleSinceVersion>2.57.2</compatibleSinceVersion>
+                </configuration>
+            </plugin>
         </plugins>
     </build>
 

diff --git a/src/main/java/hudson/plugins/emailext/EmailExtTemplateAction.java b/src/main/java/hudson/plugins/emailext/EmailExtTemplateAction.java
@@ -1,10 +1,12 @@
 package hudson.plugins.emailext;
 
 import hudson.ExtensionList;
+import hudson.FilePath;
 import hudson.Plugin;
 import hudson.model.AbstractBuild;
 import hudson.model.AbstractProject;
 import hudson.model.Action;
+import hudson.plugins.emailext.plugins.content.AbstractEvalContent;
 import hudson.plugins.emailext.plugins.content.JellyScriptContent;
 import hudson.plugins.emailext.plugins.content.ScriptContent;
 import hudson.util.FormValidation;
@@ -18,6 +20,7 @@
 
 import java.io.ByteArrayOutputStream;
 import java.io.File;
+import java.io.IOException;
 import java.io.InputStream;
 import java.util.ArrayList;
 import java.util.Collection;
@@ -65,8 +68,13 @@ public FormValidation doTemplateFileCheck(@QueryParameter final String value) {
                 if(inputStream == null) {                
                     final File scriptsFolder = new File(Jenkins.getActiveInstance().getRootDir(), "email-templates");
                     final File scriptFile = new File(scriptsFolder, value);
-                    if(!scriptFile.exists()) {
-                        return FormValidation.error("The file '" + value + "' does not exist");
+                    try {
+                        if(!scriptFile.exists() || !AbstractEvalContent.isChildOf(new FilePath(scriptFile), new FilePath(scriptsFolder))) {
+                            return FormValidation.error("The file '" + value + "' does not exist");
+                        }
+                    } catch (IOException | InterruptedException e) {
+                        //Don't want to expose too much info to a potential file fishing attempt
+                        return FormValidation.error("I/O Error.");
                     }
                 }
             }

diff --git a/src/main/java/hudson/plugins/emailext/EmailType.java b/src/main/java/hudson/plugins/emailext/EmailType.java
@@ -5,6 +5,7 @@
 import hudson.plugins.emailext.plugins.recipients.DevelopersRecipientProvider;
 import hudson.plugins.emailext.plugins.recipients.ListRecipientProvider;
 import hudson.plugins.emailext.plugins.recipients.RequesterRecipientProvider;
+import org.jenkinsci.plugins.scriptsecurity.sandbox.whitelists.Whitelisted;
 
 import java.util.ArrayList;
 import java.util.List;
@@ -96,27 +97,33 @@ public EmailType() {
         recipientProviders = new ArrayList<>();
     }
 
+    @Whitelisted
     public String getSubject() {
         return subject;
     }
 
+    @Whitelisted
     public void setSubject(String subject) {
         this.subject = subject;
     }
 
+    @Whitelisted
     public String getBody() {
         return body;
     }
 
+    @Whitelisted
     public void setBody(String body) {
         this.body = body;
     }
 
+    @Whitelisted
     public boolean getHasRecipients() {
         return (recipientProviders != null && !recipientProviders.isEmpty())
                 || (recipientList != null && recipientList.trim().length() != 0);
     }
 
+    @Whitelisted
     public String getRecipientList() {
         return recipientList != null ? recipientList.trim() : recipientList;
     }
@@ -141,49 +148,60 @@ public void addRecipientProviders(List<RecipientProvider> providers) {
         }
     }
 
+    @Whitelisted
     public void setRecipientList(String recipientList) {
         this.recipientList = hudson.Util.fixEmptyAndTrim ( recipientList );
     }
 
+    @Whitelisted
     public String getReplyTo() {
         return replyTo != null ? replyTo.trim() : replyTo;
     }
 
+    @Whitelisted
     public void setReplyTo(String replyTo) {
         this.replyTo = hudson.Util.fixEmptyAndTrim ( replyTo );
     }
 
+    @Whitelisted
     public String getAttachmentsPattern() {
         return attachmentsPattern != null ? attachmentsPattern.trim() : attachmentsPattern;
     }
 
+    @Whitelisted
     public void setAttachmentsPattern(String attachmentsPattern) {
         this.attachmentsPattern = attachmentsPattern;
     }
 
+    @Whitelisted
     public boolean getAttachBuildLog() {
         return attachBuildLog;
     }
 
+    @Whitelisted
     public boolean getCompressBuildLog() {
         return compressBuildLog;
     }
 
+    @Whitelisted
     public void setAttachBuildLog(boolean attachBuildLog) {
         this.attachBuildLog = attachBuildLog;
     }
 
+    @Whitelisted
     public void setCompressBuildLog(boolean compressBuildLog) {
         this.compressBuildLog = compressBuildLog;
     }
 
+    @Whitelisted
     public String getContentType() {
         if (contentType == null) {
             contentType = "project";
         }
         return contentType;
     }
 
+    @Whitelisted
     public void setContentType(String contentType) {
         this.contentType = contentType;
     }