[JENKINS-42902] Add tests to reproduce SECURITY-353
ikedam committed May 6, 2017
1 parent 3b978da commit e61298e
Showing 3 changed files with 140 additions and 0 deletions.
Expand Up @@ -40,6 +40,7 @@
import hudson.model.queue.QueueTaskFuture;
import hudson.model.Result;

import org.junit.Assume;
import org.junit.Rule;
import org.junit.Test;
import org.jvnet.hudson.test.Bug;
Expand Down Expand Up @@ -616,4 +617,46 @@ public void testBuildWithParameters() throws Exception {
assertNull(b.getExactRun(new Combination(axes, "value2")));
assertNotNull(b.getExactRun(new Combination(axes, "value3")));
}

@Issue("JENKINS-42902")
@Test
public void testSafeTitle() throws Exception {
AxisList axes = new AxisList(new TextAxis("axis1", "value1", "value2", "value3"));
MatrixProject p = j.createMatrixProject();
p.setAxes(axes);
p.addProperty(new ParametersDefinitionProperty(
new MatrixCombinationsParameterDefinition(
"<span id=\"test-not-expected\">combinations</span>",
""
)
));

WebClient wc = j.createAllow405WebClient();
HtmlPage page = wc.getPage(p, "build");

assertNull(page.getElementById("test-not-expected"));
}

@Issue("JENKINS-42902")
@Test
public void testSafeDescription() throws Exception {
Assume.assumeNotNull(j.jenkins.getMarkupFormatter());

AxisList axes = new AxisList(new TextAxis("axis1", "value1", "value2", "value3"));
MatrixProject p = j.createMatrixProject();
p.setAxes(axes);
p.addProperty(new ParametersDefinitionProperty(
new MatrixCombinationsParameterDefinition(
"combinations",
"<span id=\"test-expected\">blahblah</span>"
+ "<script id=\"test-not-expected\"></script>"
)
));

WebClient wc = j.createAllow405WebClient();
HtmlPage page = wc.getPage(p, "build");

assertNotNull(page.getElementById("test-expected"));
assertNull(page.getElementById("test-not-expected"));
}
}
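Review bot: `testSafeDescription` does not pin the markup formatter it depends on, so its assertions can pass or fail for reasons unrelated to the plugin. As far as I know `Jenkins.getMarkupFormatter()` falls back to a default formatter rather than returning null, which would make `Assume.assumeNotNull(j.jenkins.getMarkupFormatter())` a no-op. If the active formatter escapes all HTML, `assertNotNull(page.getElementById("test-expected"))` fails even though the description is rendered safely. Setting the formatter explicitly at the top of the test with `j.jenkins.setMarkupFormatter(...)`, using a sanitizing formatter that is on the test classpath, would make the expected output deterministic. The same applies to `testSafeDescription` in the other two test files of this commit.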
Expand Up @@ -25,6 +25,7 @@
package hudson.plugins.matrix_configuration_parameter;

import static org.junit.Assert.assertEquals;
import static org.junit.Assert.assertNotNull;
import static org.junit.Assert.assertNull;

import java.util.Arrays;
Expand All @@ -41,9 +42,11 @@
import hudson.model.ParametersDefinitionProperty;
import jenkins.model.Jenkins;

import org.junit.Assume;
import org.junit.Rule;
import org.junit.Test;
import org.jvnet.hudson.test.Bug;
import org.jvnet.hudson.test.Issue;
import org.jvnet.hudson.test.JenkinsRule.WebClient;

import com.gargoylesoftware.htmlunit.html.HtmlPage;
Expand Down Expand Up @@ -174,4 +177,50 @@ public void testReadResolveOfDefaultMatrixCombinationsParameterValue() throws Ex
v.getCombinationFilter()
);
}

@Issue("JENKINS-42902")
@Test
public void testSafeTitle() throws Exception {
AxisList axes = new AxisList(new TextAxis("axis1", "value1", "value2", "value3"));
MatrixProject p = j.createMatrixProject();
p.setAxes(axes);
p.addProperty(new ParametersDefinitionProperty(
new MatrixCombinationsParameterDefinition(
"<span id=\"test-not-expected\">combinations</span>",
""
)
));

MatrixBuild b = j.assertBuildStatusSuccess(p.scheduleBuild2(0).get());

WebClient wc = j.createWebClient();
HtmlPage page = wc.getPage(b, "parameters");

assertNull(page.getElementById("test-not-expected"));
}

@Issue("JENKINS-42902")
@Test
public void testSafeDescription() throws Exception {
Assume.assumeNotNull(j.jenkins.getMarkupFormatter());

AxisList axes = new AxisList(new TextAxis("axis1", "value1", "value2", "value3"));
MatrixProject p = j.createMatrixProject();
p.setAxes(axes);
p.addProperty(new ParametersDefinitionProperty(
new MatrixCombinationsParameterDefinition(
"combinations",
"<span id=\"test-expected\">blahblah</span>"
+ "<script id=\"test-not-expected\"></script>"
)
));

MatrixBuild b = j.assertBuildStatusSuccess(p.scheduleBuild2(0).get());

WebClient wc = j.createWebClient();
HtmlPage page = wc.getPage(b, "parameters");

assertNotNull(page.getElementById("test-expected"));
assertNull(page.getElementById("test-not-expected"));
}
}
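Review bot: In `testSafeTitle`, `assertNull(page.getElementById("test-not-expected"))` is the only assertion, so the test also passes when the parameter name is not rendered on the `parameters` page at all. Pairing it with a positive check that the name appears as literal text, for example `assertTrue(page.asText().contains("<span id=\"test-not-expected\">combinations</span>"));`, would show that the value was both output and escaped. This needs a static import of `assertTrue` if the file does not already have one; the import block is only partly visible here. The `testSafeTitle` methods in the other two files have the same shape.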
Expand Up @@ -41,9 +41,11 @@
import hudson.model.Result;
import hudson.model.StringParameterValue;

import org.junit.Assume;
import org.junit.Rule;
import org.junit.Test;
import org.jvnet.hudson.test.Bug;
import org.jvnet.hudson.test.Issue;
import org.jvnet.hudson.test.JenkinsRule.WebClient;

import com.gargoylesoftware.htmlunit.html.HtmlForm;
Expand Down Expand Up @@ -217,4 +219,50 @@ public void testShortcut() throws Exception {
j.assertCombinationChecked(page, true, axes, "value2");
j.assertCombinationChecked(page, false, axes, "value3");
}

@Issue("JENKINS-42902")
@Test
public void testSafeTitle() throws Exception {
AxisList axes = new AxisList(new TextAxis("axis1", "value1", "value2", "value3"));
MatrixProject p = j.createMatrixProject();
p.setAxes(axes);
p.addProperty(new ParametersDefinitionProperty(
new MatrixCombinationsParameterDefinition(
"<span id=\"test-not-expected\">combinations</span>",
""
)
));

MatrixBuild b = j.assertBuildStatusSuccess(p.scheduleBuild2(0).get());

WebClient wc = j.createWebClient();
HtmlPage page = wc.getPage(b, "rebuild");

assertNull(page.getElementById("test-not-expected"));
}

@Issue("JENKINS-42902")
@Test
public void testSafeDescription() throws Exception {
Assume.assumeNotNull(j.jenkins.getMarkupFormatter());

AxisList axes = new AxisList(new TextAxis("axis1", "value1", "value2", "value3"));
MatrixProject p = j.createMatrixProject();
p.setAxes(axes);
p.addProperty(new ParametersDefinitionProperty(
new MatrixCombinationsParameterDefinition(
"combinations",
"<span id=\"test-expected\">blahblah</span>"
+ "<script id=\"test-not-expected\"></script>"
)
));

MatrixBuild b = j.assertBuildStatusSuccess(p.scheduleBuild2(0).get());

WebClient wc = j.createWebClient();
HtmlPage page = wc.getPage(b, "rebuild");

assertNotNull(page.getElementById("test-expected"));
assertNull(page.getElementById("test-not-expected"));
}
}
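Review bot: Nothing in the added tests records that they guard against SECURITY-353; the advisory id appears only in the commit title, and the annotations cite just JENKINS-42902. I would annotate both methods with `@Issue({"JENKINS-42902", "SECURITY-353"})` and put a one-line comment above each, such as `// The parameter name must be HTML-escaped on the rebuild page.` for `testSafeTitle`. For `testSafeDescription`, the comment should say that the description is expected to go through the configured markup formatter, keeping the `span` and dropping the `script` element. That keeps a later maintainer from relaxing the assertions without knowing they are security regression tests. The same annotation and comments fit the identically named tests in the other two files.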
