[JENKINS-37599] Prevent empty classpath entries from being saved acci…

…dentally.
jenkinsci · Sep 21, 2016 · 246c22e · 246c22e
1 parent feb65ce
commit 246c22e
Show file tree

Hide file tree

Showing 2 changed files with 16 additions and 15 deletions.
diff --git a/src/main/java/org/jenkinsci/plugins/scriptsecurity/scripts/ClasspathEntry.java b/src/main/java/org/jenkinsci/plugins/scriptsecurity/scripts/ClasspathEntry.java
@@ -58,10 +58,18 @@ public ClasspathEntry(@Nonnull String path) throws MalformedURLException {
     }
 
     static URL pathToURL(String path) throws MalformedURLException {
+        if (path.isEmpty()) {
+            throw new MalformedURLException("JENKINS-37599: empty classpath entries not allowed");
+        }
         try {
             return new URL(path);
         } catch (MalformedURLException x) {
-            return new File(path).toURI().toURL();
+            File f = new File(path);
+            if (f.isAbsolute()) {
+                return f.toURI().toURL();
+            } else {
+                throw new MalformedURLException("classpath entries must be URLs or absolute file paths");
+            }
         }
     }
 

diff --git a/...test/java/org/jenkinsci/plugins/scriptsecurity/sandbox/groovy/SecureGroovyScriptTest.java b/...test/java/org/jenkinsci/plugins/scriptsecurity/sandbox/groovy/SecureGroovyScriptTest.java
@@ -28,7 +28,6 @@
 import com.gargoylesoftware.htmlunit.html.HtmlButton;
 import com.gargoylesoftware.htmlunit.html.HtmlCheckBoxInput;
 import com.gargoylesoftware.htmlunit.html.HtmlElement;
-import com.gargoylesoftware.htmlunit.html.HtmlRadioButtonInput;
 import groovy.lang.Binding;
 import hudson.remoting.Which;
 import org.apache.tools.ant.AntClassLoader;
@@ -46,7 +45,6 @@
 import hudson.tasks.BuildStepDescriptor;
 import hudson.tasks.Publisher;
 import java.io.File;
-import java.io.FileFilter;
 import java.io.IOException;
 import java.net.URISyntaxException;
 import java.util.ArrayList;
@@ -57,7 +55,6 @@
 import org.apache.commons.lang.StringUtils;
 import org.apache.tools.ant.DirectoryScanner;
 import org.apache.tools.ant.taskdefs.Expand;
-import org.apache.tools.ant.taskdefs.Touch;
 import org.jenkinsci.plugins.scriptsecurity.scripts.ScriptApproval;
 import org.jenkinsci.plugins.scriptsecurity.scripts.UnapprovedUsageException;
 import static org.junit.Assert.*;
@@ -287,20 +284,16 @@ private List<File> getAllUpdatedJarFiles() throws URISyntaxException {
         for (File jarfile: getAllJarFiles()) {
             classpath.add(new ClasspathEntry(jarfile.getAbsolutePath()));
         }
-
-        FreeStyleProject p = r.createFreeStyleProject();
-        p.getPublishersList().add(new TestGroovyRecorder(new SecureGroovyScript(
+        TestGroovyRecorder recorder = new TestGroovyRecorder(new SecureGroovyScript(
                 "whatever",
                 true,
                 classpath
-        )));
-
-        JenkinsRule.WebClient wc = r.createWebClient();
-        r.submit(wc.getPage(p, "configure").getFormByName("config"));
-
-        p = r.jenkins.getItemByFullName(p.getFullName(), FreeStyleProject.class);
-        TestGroovyRecorder recorder = (TestGroovyRecorder)p.getPublishersList().get(0);
-        assertEquals(classpath, recorder.getScript().getClasspath());
+        ));
+        TestGroovyRecorder recorder2 = r.configRoundtrip(recorder);
+        r.assertEqualDataBoundBeans(recorder, recorder2);
+        classpath.clear();
+        recorder2 = r.configRoundtrip(recorder);
+        r.assertEqualDataBoundBeans(recorder, recorder2);
     }
 
     @Test public void testClasspathInSandbox() throws Exception {