[FIXED JENKINS-39402] Cap the number of group headers printed by Acce…

…ssDeniedException2. (cherry picked from commit d6f7e41)
jenkinsci · Feb 15, 2017 · cf78e48 · cf78e48
1 parent da2f57c
commit cf78e48
Show file tree

Hide file tree

Showing 2 changed files with 84 additions and 2 deletions.
diff --git a/core/src/main/java/hudson/security/AccessDeniedException2.java b/core/src/main/java/hudson/security/AccessDeniedException2.java
@@ -12,6 +12,9 @@
  * @author Kohsuke Kawaguchi
  */
 public class AccessDeniedException2 extends AccessDeniedException {
+
+    private static final int MAX_REPORTED_AUTHORITIES = 10;
+
     /**
      * This object represents the user being authenticated.
      */
@@ -38,8 +41,14 @@ public AccessDeniedException2(Throwable t, Authentication authentication, Permis
      */
     public void reportAsHeaders(HttpServletResponse rsp) {
         rsp.addHeader("X-You-Are-Authenticated-As",authentication.getName());
-        for (GrantedAuthority auth : authentication.getAuthorities()) {
-            rsp.addHeader("X-You-Are-In-Group",auth.getAuthority());
+        GrantedAuthority[] authorities = authentication.getAuthorities();
+        for (int i = 0; i < authorities.length; i++) {
+            if (i == MAX_REPORTED_AUTHORITIES) {
+                rsp.addHeader("X-You-Are-In-Group", "<" + (authorities.length - i) + " more>");
+                break;
+            } else {
+                rsp.addHeader("X-You-Are-In-Group", authorities[i].getAuthority());
+            }
         }
         rsp.addHeader("X-Required-Permission", permission.getId());
         for (Permission p=permission.impliedBy; p!=null; p=p.impliedBy) {

diff --git a/test/src/test/java/hudson/security/AccessDeniedException2Test.java b/test/src/test/java/hudson/security/AccessDeniedException2Test.java
@@ -0,0 +1,73 @@
+/*
+ * The MIT License
+ *
+ * Copyright 2017 CloudBees, Inc.
+ *
+ * Permission is hereby granted, free of charge, to any person obtaining a copy
+ * of this software and associated documentation files (the "Software"), to deal
+ * in the Software without restriction, including without limitation the rights
+ * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+ * copies of the Software, and to permit persons to whom the Software is
+ * furnished to do so, subject to the following conditions:
+ *
+ * The above copyright notice and this permission notice shall be included in
+ * all copies or substantial portions of the Software.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+ * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+ * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+ * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+ * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+ * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
+ * THE SOFTWARE.
+ */
+
+package hudson.security;
+
+import com.gargoylesoftware.htmlunit.FailingHttpStatusCodeException;
+import com.gargoylesoftware.htmlunit.util.NameValuePair;
+import java.net.HttpURLConnection;
+import java.util.ArrayList;
+import java.util.List;
+import org.hamcrest.Matchers;
+import static org.junit.Assert.*;
+import org.junit.Rule;
+import org.junit.Test;
+import org.jvnet.hudson.test.Issue;
+import org.jvnet.hudson.test.JenkinsRule;
+import org.jvnet.hudson.test.MockAuthorizationStrategy;
+
+public class AccessDeniedException2Test {
+
+    @Rule
+    public JenkinsRule r = new JenkinsRule();
+
+    @Issue("JENKINS-39402")
+    @Test
+    public void youAreInGroupHeaders() throws Exception {
+        JenkinsRule.DummySecurityRealm realm = r.createDummySecurityRealm();
+        String[] groups = new String[1000];
+        for (int i = 0; i < groups.length; i++) {
+            groups[i] = "group" + i;
+        }
+        realm.addGroups("user", groups);
+        r.jenkins.setSecurityRealm(realm);
+        r.jenkins.setAuthorizationStrategy(new MockAuthorizationStrategy());
+        try {
+            r.createWebClient().login("user").goTo("confgure");
+            fail("should not have been allowed to access anything");
+        } catch (FailingHttpStatusCodeException x) {
+            assertEquals(HttpURLConnection.HTTP_FORBIDDEN, x.getStatusCode());
+            List<String> reportedGroups = new ArrayList<>();
+            for (NameValuePair header : x.getResponse().getResponseHeaders()) {
+                if (header.getName().equals("X-You-Are-In-Group")) {
+                    reportedGroups.add(header.getValue());
+                }
+            }
+            assertThat("capped at a reasonable number", reportedGroups, Matchers.<List<String>>allOf(
+                Matchers.<String>hasSize(11), // 10 groups plus final warning
+                Matchers.<String>hasItem("<991 more>"))); // 1000 + SecurityRealm.AUTHENTICATED_AUTHORITY.getAuthority() - 10
+        }
+    }
+
+}