fix(接口测试): 修复测试脚本和上传jar文件安全漏洞

This commit is contained in:
fit2-zhao 2022-01-11 15:32:18 +08:00 committed by fit2-zhao
parent 77932dfffd
commit 1c4f2dd040
9 changed files with 82 additions and 12 deletions


@ -7,6 +7,7 @@ import io.metersphere.api.dto.definition.request.ParameterConfig;
import io.metersphere.api.dto.definition.request.controller.loop.CountController;
import io.metersphere.api.dto.definition.request.controller.loop.MsForEachController;
import io.metersphere.api.dto.definition.request.controller.loop.MsWhileController;
import io.metersphere.api.dto.shell.filter.ScriptFilter;
import io.metersphere.commons.constants.LoopConstants;
import io.metersphere.plugin.core.MsParameter;
import io.metersphere.plugin.core.MsTestElement;
@ -231,6 +232,9 @@ public class MsLoopController extends MsTestElement {
jsr223PreProcessor.setProperty(TestElement.GUI_CLASS, SaveService.aliasToClass("TestBeanGUI"));
/*jsr223PreProcessor.setProperty("cacheKey", "true");*/
jsr223PreProcessor.setProperty("scriptLanguage", "beanshell");
ScriptFilter.verify("beanshell", this.getName(), script());
jsr223PreProcessor.setProperty("script", script());
hashTree.add(jsr223PreProcessor);
return hashTree;
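Review bot: `script()` is evaluated twice on consecutive lines, once for ScriptFilter.verify and again for setProperty, so the text that is verified is only guaranteed to be the text that is stored if script() is pure, which this hunk does not show. Capturing it once, `String body = script();` then `ScriptFilter.verify("beanshell", this.getName(), body);` and `jsr223PreProcessor.setProperty("script", body);`, makes the checked script and the executed script the same object. The enclosing method starts before the hunk.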


@ -7,6 +7,7 @@ import io.metersphere.api.dto.RunningParamKeys;
import io.metersphere.api.dto.definition.request.ElementUtil;
import io.metersphere.api.dto.definition.request.ParameterConfig;
import io.metersphere.api.dto.scenario.environment.EnvironmentConfig;
import io.metersphere.api.dto.shell.filter.ScriptFilter;
import io.metersphere.plugin.core.MsParameter;
import io.metersphere.plugin.core.MsTestElement;
import lombok.Data;
@ -37,6 +38,7 @@ public class MsJSR223Processor extends MsTestElement {
@Override
public void toHashTree(HashTree tree, List<MsTestElement> hashTree, MsParameter msParameter) {
ScriptFilter.verify(this.getScriptLanguage(), this.getName(), script);
ParameterConfig config = (ParameterConfig) msParameter;
//替换Metersphere环境变量
if (StringUtils.isEmpty(this.getEnvironmentId())) {
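Review bot: ScriptFilter.verify is called with this.getScriptLanguage() without a null guard, and the filter switches on that value, so an element with no language set would fail with a NullPointerException instead of a readable error; the same call is added in MsJSR223PostProcessor and MsJSR223PreProcessor. In those two files the call also precedes the `!config.isOperating() && !this.isEnable()` skip, so a disabled processor carrying a flagged script still aborts the conversion of the whole tree — confirm that is intended. A defensive form is `ScriptFilter.verify(StringUtils.defaultString(this.getScriptLanguage(), "groovy"), this.getName(), script);`, which matches the filter's own default branch, or guard the call with the enable check. toHashTree continues outside the hunk.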


@ -5,6 +5,7 @@ import com.alibaba.fastjson.annotation.JSONType;
import io.metersphere.api.dto.RunningParamKeys;
import io.metersphere.api.dto.definition.request.ParameterConfig;
import io.metersphere.api.dto.scenario.environment.EnvironmentConfig;
import io.metersphere.api.dto.shell.filter.ScriptFilter;
import io.metersphere.plugin.core.MsParameter;
import io.metersphere.plugin.core.MsTestElement;
import lombok.Data;
@ -34,15 +35,16 @@ public class MsJSR223PostProcessor extends MsTestElement {
@Override
public void toHashTree(HashTree tree, List<MsTestElement> hashTree, MsParameter msParameter) {
ScriptFilter.verify(this.getScriptLanguage(), this.getName(), script);
ParameterConfig config = (ParameterConfig) msParameter;
if(StringUtils.isEmpty(this.getEnvironmentId())){
if(config.getConfig() != null){
if(config.getProjectId() != null){
if (StringUtils.isEmpty(this.getEnvironmentId())) {
if (config.getConfig() != null) {
if (config.getProjectId() != null) {
String evnId = config.getConfig().get(config.getProjectId()).getApiEnvironmentid();
this.setEnvironmentId(evnId);
}else {
} else {
Collection<EnvironmentConfig> evnConfigList = config.getConfig().values();
if(evnConfigList!=null && !evnConfigList.isEmpty()){
if (evnConfigList != null && !evnConfigList.isEmpty()) {
for (EnvironmentConfig configItem : evnConfigList) {
String evnId = configItem.getApiEnvironmentid();
this.setEnvironmentId(evnId);
@ -53,7 +55,7 @@ public class MsJSR223PostProcessor extends MsTestElement {
}
}
//替换Metersphere环境变量
script = StringUtils.replace(script,RunningParamKeys.API_ENVIRONMENT_ID,"\""+RunningParamKeys.RUNNING_PARAMS_PREFIX+this.getEnvironmentId()+".\"");
script = StringUtils.replace(script, RunningParamKeys.API_ENVIRONMENT_ID, "\"" + RunningParamKeys.RUNNING_PARAMS_PREFIX + this.getEnvironmentId() + ".\"");
// 非导出操作且不是启用状态则跳过执行
if (!config.isOperating() && !this.isEnable()) {


@ -5,6 +5,7 @@ import com.alibaba.fastjson.annotation.JSONType;
import io.metersphere.api.dto.RunningParamKeys;
import io.metersphere.api.dto.definition.request.ParameterConfig;
import io.metersphere.api.dto.scenario.environment.EnvironmentConfig;
import io.metersphere.api.dto.shell.filter.ScriptFilter;
import io.metersphere.plugin.core.MsParameter;
import io.metersphere.plugin.core.MsTestElement;
import lombok.Data;
@ -34,15 +35,16 @@ public class MsJSR223PreProcessor extends MsTestElement {
@Override
public void toHashTree(HashTree tree, List<MsTestElement> hashTree, MsParameter msParameter) {
ScriptFilter.verify(this.getScriptLanguage(), this.getName(), script);
ParameterConfig config = (ParameterConfig) msParameter;
if(StringUtils.isEmpty(this.getEnvironmentId())){
if(config.getConfig() != null){
if(config.getProjectId() != null){
if (StringUtils.isEmpty(this.getEnvironmentId())) {
if (config.getConfig() != null) {
if (config.getProjectId() != null) {
String evnId = config.getConfig().get(config.getProjectId()).getApiEnvironmentid();
this.setEnvironmentId(evnId);
}else {
} else {
Collection<EnvironmentConfig> evnConfigList = config.getConfig().values();
if(evnConfigList!=null && !evnConfigList.isEmpty()){
if (evnConfigList != null && !evnConfigList.isEmpty()) {
for (EnvironmentConfig configItem : evnConfigList) {
String evnId = configItem.getApiEnvironmentid();
this.setEnvironmentId(evnId);
@ -53,7 +55,7 @@ public class MsJSR223PreProcessor extends MsTestElement {
}
}
//替换Metersphere环境变量
script = StringUtils.replace(script,RunningParamKeys.API_ENVIRONMENT_ID,"\""+RunningParamKeys.RUNNING_PARAMS_PREFIX+this.getEnvironmentId()+".\"");
script = StringUtils.replace(script, RunningParamKeys.API_ENVIRONMENT_ID, "\"" + RunningParamKeys.RUNNING_PARAMS_PREFIX + this.getEnvironmentId() + ".\"");
// 非导出操作且不是启用状态则跳过执行
if (!config.isOperating() && !this.isEnable()) {


@ -0,0 +1,53 @@
package io.metersphere.api.dto.shell.filter;
import io.metersphere.commons.exception.MSException;
import io.metersphere.plugin.core.utils.LogUtil;
import org.apache.commons.io.IOUtils;
import org.apache.commons.lang3.StringUtils;
import java.io.InputStream;
import java.util.List;
public class ScriptFilter {
public static final String beanshell = "/blacklist/beanshell.bk";
public static final String groovy = "/blacklist/groovy.bk";
public static final String python = "/blacklist/python.bk";
private static void blackList(StringBuffer buffer, String script, String path) {
try {
InputStream in = ScriptFilter.class.getResourceAsStream(path);
List<String> bks = IOUtils.readLines(in);
bks.forEach(item -> {
if (script.contains(item) && script.indexOf(item) != -1) {
buffer.append(item).append(",");
}
});
} catch (Exception ex) {
LogUtil.error(ex.getMessage());
}
}
public static void verify(String language, String label, String script) {
if (StringUtils.isNotEmpty(script)) {
final StringBuffer buffer = new StringBuffer();
switch (language) {
case "beanshell":
blackList(buffer, script, beanshell);
break;
case "python":
blackList(buffer, script, python);
break;
default:
blackList(buffer, script, groovy);
break;
}
if (StringUtils.isNotEmpty(buffer.toString())) {
String message = "脚本内包含敏感函数:【" + buffer.toString().substring(0, buffer.toString().length() - 1) + "";
if (StringUtils.isNotEmpty(label)) {
message = label + "," + message;
}
MSException.throwException(message);
}
}
}
}
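Review bot: blackList fails open — the InputStream from getResourceAsStream is never closed, and when the resource is absent (`in == null`) the resulting NullPointerException is swallowed by `catch (Exception ex)` and merely logged, so verify then accepts every script. The loop also flags every script if the .bk file contains a blank line, because `script.contains("")` is always true, and `script.contains(item) && script.indexOf(item) != -1` is the same test twice. Rewriting blackList with try-with-resources, treating a missing or unreadable list as an error, reading with an explicit charset (StandardCharsets would need importing) and skipping blank entries closes these gaps. Separately, `switch (language)` throws NullPointerException when a caller passes a null language, and the message built in verify appears to lose its closing bracket, `... + "】"` instead of `... + ""`.
```java
private static void blackList(StringBuffer buffer, String script, String path) {
    try (InputStream in = ScriptFilter.class.getResourceAsStream(path)) {
        if (in == null) {
            // fail closed: a missing denylist must not silently disable the check
            MSException.throwException("script blacklist resource not found: " + path);
        }
        for (String item : IOUtils.readLines(in, StandardCharsets.UTF_8)) {
            String token = item.trim();
            // skip blank entries, which would otherwise match every script
            if (!token.isEmpty() && script.contains(token)) {
                buffer.append(token).append(",");
            }
        }
    } catch (IOException ex) {
        LogUtil.error(ex.getMessage());
        MSException.throwException("unable to read script blacklist: " + path);
    }
}
// … unchanged: verify(language, label, script) …
```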


@ -94,6 +94,9 @@ public class JarConfigService {
}
public String add(JarConfig jarConfig, MultipartFile file) {
if (file != null && !file.getOriginalFilename().endsWith(".jar")) {
MSException.throwException("上传文件类型错误请上传正确jar文件");
}
jarConfig.setId(UUID.randomUUID().toString());
jarConfig.setCreator(SessionUtils.getUser().getId());
jarConfig.setModifier(SessionUtils.getUser().getId());
@ -126,6 +129,7 @@ public class JarConfigService {
}
}
}
public String getLogDetails(String id) {
JarConfig jarConfig = jarConfigMapper.selectByPrimaryKey(id);
if (jarConfig != null) {
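Review bot: The new check in add dereferences file.getOriginalFilename() without a null guard and compares the client-supplied name case-sensitively, so a null name throws NullPointerException and a file named `x.JAR` is rejected, while the check otherwise trusts only the extension the client chose. An extension test does not establish that the upload is a jar; if the file is later loaded as a plugin, validating its structure before accepting it (for example opening it with java.util.jar.JarFile) and never deriving the storage path from getOriginalFilename would be the stronger control — how the file is stored is not visible in this hunk. A null-safe form of the check: `String name = file == null ? null : file.getOriginalFilename();` followed by `if (file != null && (name == null || !name.toLowerCase(Locale.ROOT).endsWith(".jar")))`. add continues outside the hunk.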


@ -0,0 +1 @@
exec
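Review bot: Each denylist holds a single raw substring (`exec` here and in the second new file, `os.system` in the third), and ScriptFilter matches entries with String.contains, so `exec` also rejects benign identifiers such as `execute` or `executor`, and a one-entry list cannot act as a security boundary for scripts that run in-process. Treating the list as a last-line heuristic, documenting the matching rule (blank lines currently match every script, and no comment syntax exists), and relying on engine-level sandboxing for the actual control would be the safer framing. Which of the two `exec` lists is beanshell.bk and which is groovy.bk is not recoverable from this page.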


@ -0,0 +1 @@
exec


@ -0,0 +1 @@
os.system