Merge pull request #73 from jenkinsci-cert/20161116-for-1.625
[SECURITY-360] 2016/11/16 security fix for 1.625
jglick authored Nov 13, 2016
2 parents e7db526 + b379e77 commit ce8a2d5
Showing 4 changed files with 38 additions and 4 deletions.
2 changes: 1 addition & 1 deletion pom.xml
Expand Up @@ -179,7 +179,7 @@ THE SOFTWARE.
<dependency>
<groupId>org.jenkins-ci.main</groupId>
<artifactId>remoting</artifactId>
<version>2.53.3</version>
<version>2.53.4</version>
</dependency>

<dependency>
9 changes: 9 additions & 0 deletions test/src/test/java/jenkins/security/Security218CliTest.java
Expand Up @@ -161,6 +161,15 @@ public void probeSpring2() throws Exception {
probe(Payload.Spring2, -1);
}

@PresetData(PresetData.DataSet.ANONYMOUS_READONLY)
@Test
@Issue("SECURITY-360")
public void ldap() throws Exception {
// with a proper fix, this should fail with EXIT_CODE_REJECTED
// otherwise this will fail with -1 exit code
probe(Payload.Ldap, PayloadCaller.EXIT_CODE_REJECTED);
}

private void probe(Payload payload, int expectedResultCode) throws Exception {
File file = File.createTempFile("security-218", payload + "-payload");
File moved = new File(file.getAbsolutePath() + "-moved");
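Review bot: The new test method is named `ldap()` while its siblings in this class follow the `probeXxx` pattern visible just above (`probeSpring2`), so `public void probeLdap() throws Exception {` would keep the naming consistent and make the test-report listing self-explanatory. The two comment lines above the `probe(...)` call read as if the test is expected to fail in both cases; I would reword them to `// a proper fix rejects the LdapAttribute payload with EXIT_CODE_REJECTED; without the fix the CLI call errors out with exit code -1 and this assertion fails`. The `probe` helper that the test relies on continues outside the hunk.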
7 changes: 4 additions & 3 deletions test/src/test/java/jenkins/security/security218/Payload.java
Expand Up @@ -24,7 +24,6 @@
package jenkins.security.security218;

import jenkins.security.security218.ysoserial.payloads.*;
import net.sf.json.JSON;


/**
Expand All @@ -46,8 +45,10 @@ public enum Payload {
JRMPListener(JRMPListener.class),
JSON1(JSON1.class),
Spring1(Spring1.class),
Spring2(Spring2.class);

Spring2(Spring2.class),
Ldap(Ldap.class),
;

private final Class<? extends ObjectPayload> payloadClass;

private Payload(Class<? extends ObjectPayload> payloadClass) {
@@ -0,0 +1,24 @@
package jenkins.security.security218.ysoserial.payloads;

import jenkins.security.security218.ysoserial.util.PayloadRunner;

import java.lang.reflect.Constructor;

/**
* @author Kohsuke Kawaguchi
*/
public class Ldap extends PayloadRunner implements ObjectPayload<Object> {

public Object getObject(final String command) throws Exception {
// this is not a fully exploit, so we cannot honor the command,
// but we want to check that we are blocking LdapAttribute
Class<?> c = Class.forName("com.sun.jndi.ldap.LdapAttribute");
Constructor<?> ctr = c.getDeclaredConstructor(String.class);
ctr.setAccessible(true);
return ctr.newInstance("foo");
}

public static void main(final String[] args) throws Exception {
PayloadRunner.run(Ldap.class, args);
}
}
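Review bot: `getObject` implements the method from `ObjectPayload<Object>` (declared on the class line) but carries no `@Override`, so a signature drift would silently turn it into an unrelated method; add `@Override` above `public Object getObject(final String command) throws Exception {`. The class Javadoc holds only `@author`; a one-line summary such as `Probe payload that reflectively instantiates {@code com.sun.jndi.ldap.LdapAttribute} with a dummy value so the CLI test can check that this class is rejected rather than deserialized` would tell a reader why a JDK-internal type is being constructed here. The in-method comment has a grammar slip: `// this is not a full exploit, so we cannot honor the command,`. Because the probe relies on `Class.forName` of an internal JDK class plus `setAccessible(true)`, on a runtime where that class is absent or inaccessible the test would presumably throw from here instead of reporting the expected rejection, which is worth a short comment so a future failure is not misread as a regression of the fix.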
