Skip to content

Commit

Permalink
Fail fast when the frontend sends an invalid class name (#322)
Browse files Browse the repository at this point in the history
  • Loading branch information
@basil
basil authored Mar 14, 2022
1 parent 565fa8e commit 0275e61
Showing 1 changed file with 15 additions and 0 deletions.
15 changes: 15 additions & 0 deletions core/src/main/java/org/kohsuke/stapler/RequestImpl.java
View file
Original file line number Diff line number Diff line change
Expand Up @@ -698,20 +698,35 @@ public Object convertJSON(Object o) {
if(l==null) {// single value conversion
try {
Class actualType = type;
boolean isArray = false;
String className = null;
if(j.has("stapler-class")) {
if (j.optJSONArray("stapler-class") != null) {
isArray = true;
}
// deprecated as of 2.4-jenkins-4 but left here for a while until we are sure nobody uses this
className = j.getString("stapler-class");
LOGGER.log(FINE, "stapler-class is deprecated in favor of $class: {0}", className);
}
if(j.has("$class")) {
if (j.optJSONArray("$class") != null) {
isArray = true;
}
className = j.getString("$class");
}

if (className != null) {
// sub-type is specified in JSON.
// note that this can come from malicious clients, so we need to make sure we don't have security issues.

if (isArray) {
throw new IllegalArgumentException(
"The frontend sent an unexpected list of classes ("
+ className
+ ") rather than an expected single class. See"
+ " https://www.jenkins.io/doc/developer/views/table-to-div-migration/"
+ " for more information.");
}
ClassLoader cl = stapler.getWebApp().getClassLoader();
try {
Class<?> subType = cl.loadClass(className);
Expand Down

0 comments on commit 0275e61

Please sign in to comment.