[FIXED JENKINS-24080] Improved security of CommandDuringBuild and its…

… current implementations.
jenkinsci · Aug 1, 2014 · 137c90c · 137c90c
1 parent d8e6732
commit 137c90c
Show file tree

Hide file tree

Showing 5 changed files with 15 additions and 1 deletion.
diff --git a/changelog.html b/changelog.html
@@ -64,6 +64,9 @@
   <li class="bug major">
     Fixed a regression that removed all users with uppercase letters in the user name since 1.566.
     (<a href="https://issues.jenkins-ci.org/browse/JENKINS-23872">issue 23872</a>)
+  <li class="bug">
+    Improving security of <code>set-build-parameter</code> and <code>set-build-result</code> CLI commands.
+    (<a href="https://issues.jenkins-ci.org/browse/JENKINS-24080">issue 24080</a>)
   <li class="rfe">
     Added support for host:port format in X-Forwarded-Host header.
     (<a href="https://github.com/jenkinsci/jenkins/commit/19d8b80bb2f33e4877c7170bcca8bfa318ebe77d">commit 19d8b80</a>)

diff --git a/core/src/main/java/hudson/cli/CommandDuringBuild.java b/core/src/main/java/hudson/cli/CommandDuringBuild.java
@@ -67,6 +67,9 @@ protected Run optCurrentlyBuilding() throws CmdLineException {
             try {
                 Run r = j.getBuildByNumber(Integer.parseInt(envs[1]));
                 if (r==null)    throw new CmdLineException("No such build #"+envs[1]+" in "+envs[0]);
+                if (!r.isBuilding()) {
+                    throw new CmdLineException(r + " is not currently being built");
+                }
                 return r;
             } catch (NumberFormatException e) {
                 throw new CmdLineException("Invalid build number: "+envs[1]);

diff --git a/core/src/main/java/hudson/cli/SetBuildParameterCommand.java b/core/src/main/java/hudson/cli/SetBuildParameterCommand.java
@@ -32,6 +32,7 @@ public String getShortDescription() {
     @Override
     protected int run() throws Exception {
         Run r = getCurrentlyBuilding();
+        r.checkPermission(Run.UPDATE);
 
         StringParameterValue p = new StringParameterValue(name, value);
 

diff --git a/core/src/main/java/hudson/cli/SetBuildResultCommand.java b/core/src/main/java/hudson/cli/SetBuildResultCommand.java
@@ -48,7 +48,7 @@ public String getShortDescription() {
     @Override
     protected int run() throws Exception {
         Run r = getCurrentlyBuilding();
-        r.getParent().checkPermission(Item.BUILD);
+        r.checkPermission(Run.UPDATE);
         r.setResult(result);
         return 0;
     }

diff --git a/test/src/test/groovy/hudson/cli/SetBuildParameterCommandTest.groovy b/test/src/test/groovy/hudson/cli/SetBuildParameterCommandTest.groovy
@@ -4,6 +4,7 @@ import hudson.Launcher
 import hudson.model.AbstractBuild
 import hudson.model.BuildListener
 import hudson.model.ParametersAction
+import hudson.model.Result
 import hudson.tasks.Shell
 import jenkins.model.JenkinsLocationConfiguration
 import org.junit.Assert
@@ -43,5 +44,11 @@ public class SetBuildParameterCommandTest {
         b.getAction(ParametersAction.class).parameters.each { v -> r[v.name]=v.value }
 
         assert r.equals(["a":"x", "b":"y"]);
+
+        p.buildersList.add(new Shell("BUILD_NUMBER=1 java -jar cli.jar set-build-parameter a b"));
+        def b2 = j.assertBuildStatus(Result.FAILURE, p.scheduleBuild2(0).get());
+        r = [:];
+        b.getAction(ParametersAction.class).parameters.each { v -> r[v.name]=v.value }
+        assert r.equals(["a":"x", "b":"y"]);
     }
 }