[FIXED JENKINS-24080] Improved security of CommandDuringBuild and its…

… current implementations. (cherry picked from commit 137c90c) Conflicts: changelog.html
jenkinsci · Sep 7, 2014 · 784e91b · 784e91b
1 parent e4dc3b4
commit 784e91b
Show file tree

Hide file tree

Showing 4 changed files with 12 additions and 1 deletion.
diff --git a/core/src/main/java/hudson/cli/CommandDuringBuild.java b/core/src/main/java/hudson/cli/CommandDuringBuild.java
@@ -67,6 +67,9 @@ protected Run optCurrentlyBuilding() throws CmdLineException {
             try {
                 Run r = j.getBuildByNumber(Integer.parseInt(envs[1]));
                 if (r==null)    throw new CmdLineException("No such build #"+envs[1]+" in "+envs[0]);
+                if (!r.isBuilding()) {
+                    throw new CmdLineException(r + " is not currently being built");
+                }
                 return r;
             } catch (NumberFormatException e) {
                 throw new CmdLineException("Invalid build number: "+envs[1]);

diff --git a/core/src/main/java/hudson/cli/SetBuildParameterCommand.java b/core/src/main/java/hudson/cli/SetBuildParameterCommand.java
@@ -32,6 +32,7 @@ public String getShortDescription() {
     @Override
     protected int run() throws Exception {
         Run r = getCurrentlyBuilding();
+        r.checkPermission(Run.UPDATE);
 
         StringParameterValue p = new StringParameterValue(name, value);
 

diff --git a/core/src/main/java/hudson/cli/SetBuildResultCommand.java b/core/src/main/java/hudson/cli/SetBuildResultCommand.java
@@ -48,7 +48,7 @@ public String getShortDescription() {
     @Override
     protected int run() throws Exception {
         Run r = getCurrentlyBuilding();
-        r.getParent().checkPermission(Item.BUILD);
+        r.checkPermission(Run.UPDATE);
         r.setResult(result);
         return 0;
     }

diff --git a/test/src/test/groovy/hudson/cli/SetBuildParameterCommandTest.groovy b/test/src/test/groovy/hudson/cli/SetBuildParameterCommandTest.groovy
@@ -4,6 +4,7 @@ import hudson.Launcher
 import hudson.model.AbstractBuild
 import hudson.model.BuildListener
 import hudson.model.ParametersAction
+import hudson.model.Result
 import hudson.tasks.Shell
 import jenkins.model.JenkinsLocationConfiguration
 import org.junit.Assert
@@ -43,5 +44,11 @@ public class SetBuildParameterCommandTest {
         b.getAction(ParametersAction.class).parameters.each { v -> r[v.name]=v.value }
 
         assert r.equals(["a":"x", "b":"y"]);
+
+        p.buildersList.add(new Shell("BUILD_NUMBER=1 java -jar cli.jar set-build-parameter a b"));
+        def b2 = j.assertBuildStatus(Result.FAILURE, p.scheduleBuild2(0).get());
+        r = [:];
+        b.getAction(ParametersAction.class).parameters.each { v -> r[v.name]=v.value }
+        assert r.equals(["a":"x", "b":"y"]);
     }
 }