Merge pull request #3234 from oleg-nenashev/bug/JENKINS-48946

[JENKINS-48946] - Whitelist Java inner classes with reported regressions
jenkinsci · Jan 16, 2018 · e42886c · e42886c
2 parents d50004f + 88eb5ee
commit e42886c
Show file tree

Hide file tree

Showing 4 changed files with 95 additions and 16 deletions.
diff --git a/core/pom.xml b/core/pom.xml
@@ -179,6 +179,12 @@ THE SOFTWARE.
       <classifier>tests</classifier>
       <scope>test</scope>
     </dependency>
+    <dependency>
+      <groupId>org.hamcrest</groupId>
+      <artifactId>hamcrest-library</artifactId>
+      <version>1.3</version>
+      <scope>test</scope>
+    </dependency>
 
     <dependency>
       <groupId>com.infradna.tool</groupId>

diff --git a/core/src/main/resources/jenkins/security/whitelisted-classes.txt b/core/src/main/resources/jenkins/security/whitelisted-classes.txt
@@ -45,16 +45,43 @@ java.security.KeyRep
 java.util.ArrayDeque
 java.util.ArrayList
 java.util.Arrays$ArrayList
+java.util.Collections$AsLIFOQueue
+java.util.Collections$CheckedCollection
+java.util.Collections$CheckedList
+java.util.Collections$CheckedMap
+java.util.Collections$CheckedNavigableMap
+java.util.Collections$CheckedNavigableSet
+java.util.Collections$CheckedQueue
+java.util.Collections$CheckedRandomAccessList
+java.util.Collections$CheckedSet
+java.util.Collections$CheckedSortedMap
+java.util.Collections$CheckedSortedSet
+java.util.Collections$CopiesList
 java.util.Collections$EmptyList
+java.util.Collections$EmptyMap
 java.util.Collections$EmptySet
 java.util.Collections$SetFromMap
 java.util.Collections$SingletonList
 java.util.Collections$SingletonMap
 java.util.Collections$SingletonSet
+java.util.Collections$SynchronizedCollection
+java.util.Collections$SynchronizedList
+java.util.Collections$SynchronizedMap
+java.util.Collections$SynchronizedNavigableMap
+java.util.Collections$SynchronizedNavigableSet
+java.util.Collections$SynchronizedRandomAccessList
+java.util.Collections$SynchronizedSortedMap
+java.util.Collections$SynchronizedSortedSet
 java.util.Collections$UnmodifiableCollection
 java.util.Collections$UnmodifiableList
+java.util.Collections$UnmodifiableMap
+java.util.Collections$UnmodifiableNavigableMap
+java.util.Collections$UnmodifiableNavigableSet
 java.util.Collections$UnmodifiableRandomAccessList
 java.util.Collections$UnmodifiableSet
+java.util.Collections$UnmodifiableSortedMap
+java.util.Collections$UnmodifiableSortedSet
+
 java.util.Date
 java.util.EnumMap
 java.util.GregorianCalendar
@@ -65,6 +92,7 @@ java.util.LinkedHashMap
 java.util.LinkedHashSet
 java.util.LinkedList
 java.util.Locale
+java.util.Optional
 java.util.Properties
 java.util.RegularEnumSet
 java.util.Stack

diff --git a/core/src/test/java/jenkins/security/ClassFilterImplSanityTest.java b/core/src/test/java/jenkins/security/ClassFilterImplSanityTest.java
@@ -0,0 +1,61 @@
+/*
+ * The MIT License
+ *
+ * Copyright 2017-2018 CloudBees, Inc.
+ *
+ * Permission is hereby granted, free of charge, to any person obtaining a copy
+ * of this software and associated documentation files (the "Software"), to deal
+ * in the Software without restriction, including without limitation the rights
+ * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+ * copies of the Software, and to permit persons to whom the Software is
+ * furnished to do so, subject to the following conditions:
+ *
+ * The above copyright notice and this permission notice shall be included in
+ * all copies or substantial portions of the Software.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+ * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+ * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+ * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+ * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+ * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
+ * THE SOFTWARE.
+ */
+package jenkins.security;
+
+import hudson.util.CopyOnWriteMap;
+import org.apache.commons.io.IOUtils;
+import org.junit.Test;
+
+import java.io.InputStream;
+import java.nio.charset.StandardCharsets;
+import java.util.List;
+import java.util.TreeSet;
+import java.util.stream.Collectors;
+
+import static org.junit.Assert.assertThat;
+import static org.hamcrest.Matchers.*;
+
+/**
+ * Tests for {@link ClassFilterImpl}.
+ * More tests are available in the &quot;test&quot; module.
+ */
+public class ClassFilterImplSanityTest {
+
+    @Test
+    public void whitelistSanity() throws Exception {
+        try (InputStream is = ClassFilterImpl.class.getResourceAsStream("whitelisted-classes.txt")) {
+            List<String> lines = IOUtils.readLines(is, StandardCharsets.UTF_8).stream().filter(line -> !line.matches("#.*|\\s*")).collect(Collectors.toList());
+            TreeSet<String> set = new TreeSet<>(lines);
+            assertThat("whitelist is NOT ordered", new TreeSet<>(lines), contains(lines.toArray(new String[0])));
+            for (String line : lines) {
+                try {
+                    Class.forName(line);
+                } catch (ClassNotFoundException x) {
+                    System.err.println("skipping checks of unknown class " + line);
+                }
+            }
+        }
+    }
+
+}
diff --git a/test/src/test/java/jenkins/security/ClassFilterImplTest.java b/test/src/test/java/jenkins/security/ClassFilterImplTest.java
@@ -66,22 +66,6 @@ public class ClassFilterImplTest {
     @Rule
     public LoggerRule logging = new LoggerRule().record(ClassFilterImpl.class, Level.FINE);
 
-    @WithoutJenkins
-    @Test
-    public void whitelistSanity() throws Exception {
-        try (InputStream is = ClassFilterImpl.class.getResourceAsStream("whitelisted-classes.txt")) {
-            List<String> lines = IOUtils.readLines(is, StandardCharsets.UTF_8).stream().filter(line -> !line.matches("#.*|\\s*")).collect(Collectors.toList());
-            assertThat("whitelist is ordered", new TreeSet<>(lines), contains(lines.toArray(new String[0])));
-            for (String line : lines) {
-                try {
-                    Class.forName(line);
-                } catch (ClassNotFoundException x) {
-                    System.err.println("skipping checks of unknown class " + line);
-                }
-            }
-        }
-    }
-
     @Test
     public void masterToSlaveBypassesWhitelist() throws Exception {
         assumeThat(ClassFilterImpl.WHITELISTED_CLASSES, not(contains(LinkedListMultimap.class.getName())));