From d8aba2a5507d95ac9c89d222626fdd951e094d09 Mon Sep 17 00:00:00 2001
From: Fabien Crespel
Date: Tue, 9 May 2017 00:45:23 +0200
Subject: [PATCH] Check Run Scripts permission in CAS 1.0 form validation (SECURITY-488)
---
 .../jenkinsci/plugins/cas/protocols/Cas10Protocol.java | 10 +++++++++-
 .../org/jenkinsci/plugins/cas/Messages.properties | 1 +
 .../org/jenkinsci/plugins/cas/Messages_fr.properties | 1 +
 3 files changed, 11 insertions(+), 1 deletion(-)
diff --git a/src/main/java/org/jenkinsci/plugins/cas/protocols/Cas10Protocol.java b/src/main/java/org/jenkinsci/plugins/cas/protocols/Cas10Protocol.java
index be151c2..0bb70ee 100644
--- a/src/main/java/org/jenkinsci/plugins/cas/protocols/Cas10Protocol.java
+++ b/src/main/java/org/jenkinsci/plugins/cas/protocols/Cas10Protocol.java
@@ -18,6 +18,7 @@
 import hudson.Util;
 import hudson.model.Descriptor;
 import hudson.util.FormValidation;
+import jenkins.model.Jenkins;
 /**
 * CAS 1.0 protocol support.
@@ -74,10 +75,13 @@ public FormValidation doTestScript(
 @QueryParameter("rolesValidationScript") final String rolesValidationScript,
 @QueryParameter("testValidationResponse") final String testValidationResponse,
 @QueryParameter("sandbox") final boolean sandbox) {
+if (!canRunScripts()) {
+return FormValidation.error(Messages.Cas10Protocol_rolesValidationScript_noRunScriptPermissionError());
+}
 try {
 Collection roles = Cas10RoleParsingTicketValidator.parseRolesFromValidationResponse(getSecureGroovyScript(rolesValidationScript, sandbox), testValidationResponse);
 if (roles == null) {
-return FormValidation.error(Messages.Cas10Protocol_rolesValidationScript_noResult());
+return FormValidation.warning(Messages.Cas10Protocol_rolesValidationScript_noResult());
 }
 return FormValidation.ok(Messages.Cas10Protocol_rolesValidationScript_result() + ": " + roles);
 } catch (CompilationFailedException e) {
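Review bot: The new guard at the top of doTestScript is undocumented: the method's signature and Javadoc lie outside this hunk, and nothing states that the submitted `rolesValidationScript` is compiled and run inside the Jenkins server process as part of the test, which is the reason RUN_SCRIPTS rather than the realm's configure permission is the right gate; add to the method Javadoc `Requires {@link Jenkins#RUN_SCRIPTS}, because the test compiles and executes the submitted Groovy script; without it an error validation result is returned.` The guard also applies when `sandbox` is true, which is the conservative reading and worth a one-line comment on the `if` so it is not loosened later. If the method is not already annotated with `@RequirePOST`, consider adding it so the script can only be executed from a submitted form and not by a plain GET to the validation URL — the annotations are not visible from here. The remainder of doTestScript's body continues past the hunk.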
@@ -94,6 +98,10 @@ public FormValidation doTestScript(
 return FormValidation.error(Messages.Cas10Protocol_rolesValidationScript_unknownError() + ": " + e);
 }
 }
+
+private boolean canRunScripts() {
+return Jenkins.getInstance().getACL().hasPermission(Jenkins.RUN_SCRIPTS);
+}
 }
 }
diff --git a/src/main/resources/org/jenkinsci/plugins/cas/Messages.properties b/src/main/resources/org/jenkinsci/plugins/cas/Messages.properties
index 3ea59ce..aa88014 100644
--- a/src/main/resources/org/jenkinsci/plugins/cas/Messages.properties
+++ b/src/main/resources/org/jenkinsci/plugins/cas/Messages.properties
@@ -5,6 +5,7 @@ CasSecurityRealm.casServerUrl.cannotGetResponse=Problem getting a response from
 Cas10Protocol.rolesValidationScript.result=Roles parsed from the test validation response
 Cas10Protocol.rolesValidationScript.noResult=Roles Validation Script returned no result
+Cas10Protocol.rolesValidationScript.noRunScriptPermissionError=Current user is missing Run Script permission
 Cas10Protocol.rolesValidationScript.compilationError=Roles Validation Script failed to compile
 Cas10Protocol.rolesValidationScript.returnTypeError=Roles Validation Script did not return a Collection
 Cas10Protocol.rolesValidationScript.rejectedAccessError=Roles Validation Script uses forbidden language elements
diff --git a/src/main/resources/org/jenkinsci/plugins/cas/Messages_fr.properties b/src/main/resources/org/jenkinsci/plugins/cas/Messages_fr.properties
index 2eb93f3..b70c66f 100644
--- a/src/main/resources/org/jenkinsci/plugins/cas/Messages_fr.properties
+++ b/src/main/resources/org/jenkinsci/plugins/cas/Messages_fr.properties
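Review bot: canRunScripts() carries no comment explaining why a form-validation helper gates on a script-execution permission rather than the descriptor's usual configure permission; add above it `// doTestScript executes the submitted Groovy in the Jenkins process, so require RUN_SCRIPTS regardless of who may configure the realm.` The result of `Jenkins.getInstance()` is dereferenced directly; depending on the plugin's core baseline that accessor may be declared as possibly returning null, in which case the check would end in a NullPointerException rather than a clean denial (still fail-closed, but surfacing as a stack trace in the form) — `Jenkins.getActiveInstance()`, or `Jenkins.get()` on newer cores, raises IllegalStateException instead and makes the intent explicit. Both the descriptor class and the outer class close within this hunk.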
@@ -5,6 +5,7 @@ CasSecurityRealm.casServerUrl.cannotGetResponse=Un probl
 Cas10Protocol.rolesValidationScript.result=Rôles extraits de la réponse de validation de test
 Cas10Protocol.rolesValidationScript.noResult=Le script de validation des rôles n''a retourné aucun résultat
+Cas10Protocol.rolesValidationScript.noRunScriptPermissionError=L''utilisateur actuel n''a pas la permission d''exécuter des scripts
 Cas10Protocol.rolesValidationScript.compilationError=Le script de validation des rôles n''a pas pu être compilé
 Cas10Protocol.rolesValidationScript.returnTypeError=Le script de validation des rôles n''a pas retourné de Collection
 Cas10Protocol.rolesValidationScript.rejectedAccessError=Le script de validation des rôles utilise des éléments interdits du langage