From f0d703f5438e4ae93bc1604ed41a59587445b3af Mon Sep 17 00:00:00 2001 From: Michael DOUBEZ Date: Thu, 14 Mar 2024 23:50:44 +0100 Subject: [PATCH] Align POM with minimal requirements, java 11 and fix URL validation (#274) --- Jenkinsfile | 10 +++++++--- pom.xml | 4 ++-- .../jenkinsci/plugins/oic/OicSecurityRealm.java | 3 ++- .../oic/EscapeHatchCrumbExclusionTest.java | 15 +++++++++++---- .../plugins/oic/OicSecurityRealmTest.java | 17 ++++++++++++----- 5 files changed, 34 insertions(+), 15 deletions(-) diff --git a/Jenkinsfile b/Jenkinsfile index 6e8c8b2b..d8d60af5 100644 --- a/Jenkinsfile +++ b/Jenkinsfile @@ -1,4 +1,8 @@ buildPlugin(useContainerAgent: true, - // Opt-in to the Artifact Caching Proxy, to be removed when it will be in opt-out. - // See https://github.com/jenkins-infra/helpdesk/issues/2752 for more details and updates. - artifactCachingProxyEnabled: true) + // Opt-in to the Artifact Caching Proxy, to be removed when it will be in opt-out. + // See https://github.com/jenkins-infra/helpdesk/issues/2752 for more details and updates. + artifactCachingProxyEnabled: true, + configurations: [ + [platform: 'linux', jdk: 17], + [platform: 'windows', jdk: 11], + ]) diff --git a/pom.xml b/pom.xml index a4e82fc4..d582935f 100644 --- a/pom.xml +++ b/pom.xml @@ -3,7 +3,7 @@ org.jenkins-ci.plugins plugin - 4.51 + 4.78 @@ -11,7 +11,7 @@ 2.7 -SNAPSHOT jenkinsci/oic-auth-plugin - 2.346.1 + 2.361 true Max 1569.vb_72405b_80249 diff --git a/src/main/java/org/jenkinsci/plugins/oic/OicSecurityRealm.java b/src/main/java/org/jenkinsci/plugins/oic/OicSecurityRealm.java index 4db90324..193f7ecc 100644 --- a/src/main/java/org/jenkinsci/plugins/oic/OicSecurityRealm.java +++ b/src/main/java/org/jenkinsci/plugins/oic/OicSecurityRealm.java @@ -62,6 +62,7 @@ import java.io.UnsupportedEncodingException; import java.lang.reflect.Field; import java.net.MalformedURLException; +import java.net.URI; import java.net.URL; import java.net.URLEncoder; import java.nio.charset.Charset; @@ -734,7 +735,7 @@ protected String getValidRedirectUrl(String url) { if (url != null && !url.isEmpty()) { // Check if the URL is relative and starts with a slash if (url.startsWith("/")) { - return getRootUrl() + url; // Convert to absolute URL + return URI.create(getRootUrl() + url).normalize().toString(); } // If not relative, then check if it's a valid absolute URL try { diff --git a/src/test/java/org/jenkinsci/plugins/oic/EscapeHatchCrumbExclusionTest.java b/src/test/java/org/jenkinsci/plugins/oic/EscapeHatchCrumbExclusionTest.java index 1330a3b7..3d8d97e1 100644 --- a/src/test/java/org/jenkinsci/plugins/oic/EscapeHatchCrumbExclusionTest.java +++ b/src/test/java/org/jenkinsci/plugins/oic/EscapeHatchCrumbExclusionTest.java @@ -19,6 +19,15 @@ public class EscapeHatchCrumbExclusionTest { private FilterChain chain = null; + private Request newRequestWithPath(String requestPath) { + return new Request(null, null) { + @Override + public String getPathInfo() { + return requestPath; + } + }; + } + @Test public void process_WithNullPath() throws IOException, ServletException { Request request = new Request(null, null); @@ -27,8 +36,7 @@ public void process_WithNullPath() throws IOException, ServletException { @Test public void process_WithWrongPath() throws IOException, ServletException { - Request request = new Request(null, null); - request.setPathInfo("fictionalPath"); + Request request = newRequestWithPath("fictionalPath"); assertFalse(crumb.process(request, response, chain)); } @@ -41,8 +49,7 @@ public void doFilter(ServletRequest arg0, ServletResponse arg1) throws IOExcepti } }; - Request request = new Request(null, null); - request.setPathInfo("/securityRealm/escapeHatch"); + Request request = newRequestWithPath("/securityRealm/escapeHatch"); assertTrue(crumb.process(request, response, chain)); } } diff --git a/src/test/java/org/jenkinsci/plugins/oic/OicSecurityRealmTest.java b/src/test/java/org/jenkinsci/plugins/oic/OicSecurityRealmTest.java index 58d6996e..35542238 100644 --- a/src/test/java/org/jenkinsci/plugins/oic/OicSecurityRealmTest.java +++ b/src/test/java/org/jenkinsci/plugins/oic/OicSecurityRealmTest.java @@ -4,8 +4,6 @@ import com.github.tomakehurst.wiremock.junit.WireMockRule; import hudson.util.Secret; import java.io.IOException; -import java.net.MalformedURLException; - import org.acegisecurity.AuthenticationManager; import org.acegisecurity.BadCredentialsException; import org.acegisecurity.GrantedAuthority; @@ -18,7 +16,6 @@ import static org.junit.Assert.assertEquals; import static org.junit.Assert.assertNotNull; -import static org.junit.Assert.assertThrows; public class OicSecurityRealmTest { @@ -89,7 +86,7 @@ public void testShouldSetNullClientSecretWhenSecretIsNone() throws IOException { @Test public void testGetValidRedirectUrl() throws IOException { - String rootUrl = "http://localhost:" + wireMockRule.port() + "/jenkins/"; + String rootUrl = jenkinsRule.jenkins.getRootUrl(); TestRealm realm = new TestRealm.Builder(wireMockRule) .WithMinimalDefaults().build(); @@ -97,6 +94,16 @@ public void testGetValidRedirectUrl() throws IOException { assertEquals(rootUrl + "bar", realm.getValidRedirectUrl(rootUrl + "bar")); assertEquals(rootUrl, realm.getValidRedirectUrl(null)); assertEquals(rootUrl, realm.getValidRedirectUrl("")); - assertThrows(MalformedURLException.class, () -> realm.getValidRedirectUrl("foobar")); + assertEquals(rootUrl, realm.getValidRedirectUrl("foobar")); + } + + @Test + public void testShouldReturnRootUrlWhenRedirectUrlIsInvalid() throws IOException { + String rootUrl = jenkinsRule.jenkins.getRootUrl(); + + TestRealm realm = new TestRealm.Builder(wireMockRule) + .WithMinimalDefaults().build(); + assertEquals(rootUrl, realm.getValidRedirectUrl("foobar")); + assertEquals(rootUrl, realm.getValidRedirectUrl("https://another-host/")); } }