[SECURITY-2376]

jenkinsci · Aug 26, 2021 · a5b3c18 · a5b3c18
1 parent c0e3402
commit a5b3c18
Show file tree

Hide file tree

Showing 6 changed files with 80 additions and 2 deletions.
diff --git a/src/main/java/io/jenkins/plugins/coverage/CompatibleObjectInputStream.java b/src/main/java/io/jenkins/plugins/coverage/CompatibleObjectInputStream.java
@@ -1,15 +1,19 @@
 package io.jenkins.plugins.coverage;
 
+import hudson.remoting.ClassFilter;
+import hudson.remoting.ObjectInputStreamEx;
+
 import java.io.*;
 
 /**
  * {@link io.jenkins.plugins.coverage.targets.CoverageElement} didn't have serialVersionUID. In order to keep
  * backwards compatibility, use this class to read serialized Object to avoid that serialVersionUID is different.
  */
-public class CompatibleObjectInputStream extends ObjectInputStream {
+public class CompatibleObjectInputStream extends ObjectInputStreamEx {
 
     public CompatibleObjectInputStream(InputStream in) throws IOException {
-        super(in);
+        // TODO Use a classloader in this plugin, or uberClassLoader?
+        super(in, CoverageProcessor.class.getClassLoader(), ClassFilter.DEFAULT);
     }
 
 

diff --git a/src/main/resources/META-INF/hudson.remoting.ClassFilter b/src/main/resources/META-INF/hudson.remoting.ClassFilter
@@ -0,0 +1,4 @@
+gnu.trove.impl.hash.THash
+gnu.trove.impl.hash.TIntHash
+gnu.trove.impl.hash.TPrimitiveHash
+gnu.trove.map.hash.TIntObjectHashMap
diff --git a/src/test/java/io/jenkins/plugins/coverage/Security2376Test.java b/src/test/java/io/jenkins/plugins/coverage/Security2376Test.java
@@ -0,0 +1,24 @@
+package io.jenkins.plugins.coverage;
+
+import hudson.model.FreeStyleProject;
+import org.junit.Rule;
+import org.junit.Test;
+import org.jvnet.hudson.test.JenkinsRule;
+import org.jvnet.hudson.test.recipes.LocalData;
+
+import java.io.IOException;
+
+public class Security2376Test {
+    @Rule
+    public JenkinsRule j = new JenkinsRule();
+
+    @LocalData
+    @Test(expected = SecurityException.class)
+    public void testDeserialization() throws IOException, ClassNotFoundException {
+        // coverage-report is just a serialized empty IdentityHashMap, not on the serialization allowlist as of Jenkins 2.303
+        final FreeStyleProject fs = (FreeStyleProject) j.jenkins.getItemByFullName("fs");
+        CoverageProcessor.recoverCoverageResult(fs.getBuild("1"));
+        // Without the fix, this fails with:
+        // Caused by: java.lang.ClassCastException: java.util.IdentityHashMap cannot be cast to io.jenkins.plugins.coverage.targets.CoverageResult
+    }
+}
diff --git a/src/test/resources/io/jenkins/plugins/coverage/Security2376Test/jobs/fs/builds/1/build.xml b/src/test/resources/io/jenkins/plugins/coverage/Security2376Test/jobs/fs/builds/1/build.xml
@@ -0,0 +1,29 @@
+<?xml version='1.1' encoding='UTF-8'?>
+<build>
+    <actions>
+        <hudson.model.CauseAction>
+            <causeBag class="linked-hash-map">
+                <entry>
+                    <hudson.model.Cause_-UserIdCause>
+                        <userId>admin</userId>
+                    </hudson.model.Cause_-UserIdCause>
+                    <int>1</int>
+                </entry>
+            </causeBag>
+        </hudson.model.CauseAction>
+    </actions>
+    <queueId>2</queueId>
+    <timestamp>1627289739464</timestamp>
+    <startTime>1627289739514</startTime>
+    <result>SUCCESS</result>
+    <duration>52</duration>
+    <charset>UTF-8</charset>
+    <keepLog>false</keepLog>
+    <builtOn></builtOn>
+    <workspace>/var/jenkins_home/workspace/fs</workspace>
+    <hudsonVersion>2.303</hudsonVersion>
+    <scm class="hudson.scm.NullChangeLogParser"/>
+    <culprits class="java.util.Collections$UnmodifiableSet">
+        <c class="sorted-set"/>
+    </culprits>
+</build>
diff --git a/...t/resources/io/jenkins/plugins/coverage/Security2376Test/jobs/fs/builds/1/coverage-report b/...t/resources/io/jenkins/plugins/coverage/Security2376Test/jobs/fs/builds/1/coverage-report
diff --git a/src/test/resources/io/jenkins/plugins/coverage/Security2376Test/jobs/fs/config.xml b/src/test/resources/io/jenkins/plugins/coverage/Security2376Test/jobs/fs/config.xml
@@ -0,0 +1,17 @@
+<?xml version='1.1' encoding='UTF-8'?>
+<project>
+    <actions/>
+    <description></description>
+    <keepDependencies>false</keepDependencies>
+    <properties/>
+    <scm class="hudson.scm.NullSCM"/>
+    <canRoam>true</canRoam>
+    <disabled>false</disabled>
+    <blockBuildWhenDownstreamBuilding>false</blockBuildWhenDownstreamBuilding>
+    <blockBuildWhenUpstreamBuilding>false</blockBuildWhenUpstreamBuilding>
+    <triggers/>
+    <concurrentBuild>false</concurrentBuild>
+    <builders/>
+    <publishers/>
+    <buildWrappers/>
+</project>