diff --git a/backend/src/main/java/io/metersphere/api/dto/definition/request/controller/MsLoopController.java b/backend/src/main/java/io/metersphere/api/dto/definition/request/controller/MsLoopController.java
index 98a497b71c..985edc1a6c 100644
--- a/backend/src/main/java/io/metersphere/api/dto/definition/request/controller/MsLoopController.java
+++ b/backend/src/main/java/io/metersphere/api/dto/definition/request/controller/MsLoopController.java
@@ -7,6 +7,7 @@ import io.metersphere.api.dto.definition.request.ParameterConfig;
 import io.metersphere.api.dto.definition.request.controller.loop.CountController;
 import io.metersphere.api.dto.definition.request.controller.loop.MsForEachController;
 import io.metersphere.api.dto.definition.request.controller.loop.MsWhileController;
+import io.metersphere.api.dto.shell.filter.ScriptFilter;
 import io.metersphere.commons.constants.LoopConstants;
 import io.metersphere.plugin.core.MsParameter;
 import io.metersphere.plugin.core.MsTestElement;
@@ -231,6 +232,9 @@ public class MsLoopController extends MsTestElement {
 jsr223PreProcessor.setProperty(TestElement.GUI_CLASS, SaveService.aliasToClass("TestBeanGUI"));
 /*jsr223PreProcessor.setProperty("cacheKey", "true");*/
 jsr223PreProcessor.setProperty("scriptLanguage", "beanshell");
+
+ ScriptFilter.verify("beanshell", this.getName(), script());
+
 jsr223PreProcessor.setProperty("script", script());
 hashTree.add(jsr223PreProcessor);
 return hashTree;
diff --git a/backend/src/main/java/io/metersphere/api/dto/definition/request/processors/MsJSR223Processor.java b/backend/src/main/java/io/metersphere/api/dto/definition/request/processors/MsJSR223Processor.java
index ad99883a64..1110d8bff2 100644
--- a/backend/src/main/java/io/metersphere/api/dto/definition/request/processors/MsJSR223Processor.java
+++ b/backend/src/main/java/io/metersphere/api/dto/definition/request/processors/MsJSR223Processor.java
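Review bot: `ScriptFilter.verify("beanshell", this.getName(), script())` and the `jsr223PreProcessor.setProperty("script", script())` two lines below each call `script()` separately, so the text that is screened is guaranteed to be the text that is executed only if `script()` is deterministic; if it assembles the BeanShell source from element state that can change in between (not visible here), the check can be satisfied by one evaluation and bypassed by the other. Evaluating it once removes the question: `String body = script(); ScriptFilter.verify("beanshell", this.getName(), body); jsr223PreProcessor.setProperty("script", body);`. The enclosing method starts and ends outside the hunk.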
@@ -7,6 +7,7 @@ import io.metersphere.api.dto.RunningParamKeys; import io.metersphere.api.dto.definition.request.ElementUtil; import io.metersphere.api.dto.definition.request.ParameterConfig; import io.metersphere.api.dto.scenario.environment.EnvironmentConfig; +import io.metersphere.api.dto.shell.filter.ScriptFilter; import io.metersphere.plugin.core.MsParameter; import io.metersphere.plugin.core.MsTestElement; import lombok.Data; @@ -37,6 +38,7 @@ public class MsJSR223Processor extends MsTestElement { @Override public void toHashTree(HashTree tree, List hashTree, MsParameter msParameter) { + ScriptFilter.verify(this.getScriptLanguage(), this.getName(), script); ParameterConfig config = (ParameterConfig) msParameter; //替换Metersphere环境变量 if (StringUtils.isEmpty(this.getEnvironmentId())) { diff --git a/backend/src/main/java/io/metersphere/api/dto/definition/request/processors/post/MsJSR223PostProcessor.java b/backend/src/main/java/io/metersphere/api/dto/definition/request/processors/post/MsJSR223PostProcessor.java index 7959876cf9..8e04a288b0 100644 --- a/backend/src/main/java/io/metersphere/api/dto/definition/request/processors/post/MsJSR223PostProcessor.java +++ b/backend/src/main/java/io/metersphere/api/dto/definition/request/processors/post/MsJSR223PostProcessor.java @@ -5,6 +5,7 @@ import com.alibaba.fastjson.annotation.JSONType; import io.metersphere.api.dto.RunningParamKeys; import io.metersphere.api.dto.definition.request.ParameterConfig; import io.metersphere.api.dto.scenario.environment.EnvironmentConfig; +import io.metersphere.api.dto.shell.filter.ScriptFilter; import io.metersphere.plugin.core.MsParameter; import io.metersphere.plugin.core.MsTestElement; import lombok.Data; 
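Review bot: `ScriptFilter.verify(this.getScriptLanguage(), this.getName(), script)` hands the language through unchecked, and `verify` dispatches with `switch (language)`, so an element whose `scriptLanguage` is unset (e.g. a deserialized definition that omits the field) fails with a NullPointerException instead of being screened with the groovy list that `verify` applies to every unknown value. Pass `StringUtils.defaultString(this.getScriptLanguage(), "groovy")` here, or make `verify` itself null-safe, so that an absent language is treated like an unrecognised one rather than crashing the tree build. The rest of toHashTree is outside the hunk.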
@@ -34,15 +35,16 @@ public class MsJSR223PostProcessor extends MsTestElement { @Override public void toHashTree(HashTree tree, List hashTree, MsParameter msParameter) { + ScriptFilter.verify(this.getScriptLanguage(), this.getName(), script); ParameterConfig config = (ParameterConfig) msParameter; - if(StringUtils.isEmpty(this.getEnvironmentId())){ - if(config.getConfig() != null){ - if(config.getProjectId() != null){ + if (StringUtils.isEmpty(this.getEnvironmentId())) { + if (config.getConfig() != null) { + if (config.getProjectId() != null) { String evnId = config.getConfig().get(config.getProjectId()).getApiEnvironmentid(); this.setEnvironmentId(evnId); - }else { + } else { Collection evnConfigList = config.getConfig().values(); - if(evnConfigList!=null && !evnConfigList.isEmpty()){ + if (evnConfigList != null && !evnConfigList.isEmpty()) { for (EnvironmentConfig configItem : evnConfigList) { String evnId = configItem.getApiEnvironmentid(); this.setEnvironmentId(evnId); @@ -53,7 +55,7 @@ public class MsJSR223PostProcessor extends MsTestElement { } } //替换Metersphere环境变量 - script = StringUtils.replace(script,RunningParamKeys.API_ENVIRONMENT_ID,"\""+RunningParamKeys.RUNNING_PARAMS_PREFIX+this.getEnvironmentId()+".\""); + script = StringUtils.replace(script, RunningParamKeys.API_ENVIRONMENT_ID, "\"" + RunningParamKeys.RUNNING_PARAMS_PREFIX + this.getEnvironmentId() + ".\""); // 非导出操作,且不是启用状态则跳过执行 if (!config.isOperating() && !this.isEnable()) { diff --git a/backend/src/main/java/io/metersphere/api/dto/definition/request/processors/pre/MsJSR223PreProcessor.java b/backend/src/main/java/io/metersphere/api/dto/definition/request/processors/pre/MsJSR223PreProcessor.java index ad3b726e06..bbbb6635f4 100644 --- a/backend/src/main/java/io/metersphere/api/dto/definition/request/processors/pre/MsJSR223PreProcessor.java +++ b/backend/src/main/java/io/metersphere/api/dto/definition/request/processors/pre/MsJSR223PreProcessor.java 
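Review bot: The new `ScriptFilter.verify(...)` call runs before the `if (!config.isOperating() && !this.isEnable())` branch at the end of the hunk, which presumably skips a disabled element, so a disabled post-processor whose stored script contains a blacklisted token now aborts `toHashTree` for the whole scenario via `MSException.throwException`, where before this commit it was simply not emitted. If that is not intended, move the call after the skip; if it is intended (a blacklisted script should be rejected regardless of enable state), say so at the call site: `// screened even when disabled: a blacklisted script must never reach the tree`. Either way the filter only fires here, at run/export time, so an author learns of the rejection only when executing rather than when saving; calling the same filter from the save path would surface it earlier. toHashTree continues outside the hunk.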
@@ -5,6 +5,7 @@ import com.alibaba.fastjson.annotation.JSONType; import io.metersphere.api.dto.RunningParamKeys; import io.metersphere.api.dto.definition.request.ParameterConfig; import io.metersphere.api.dto.scenario.environment.EnvironmentConfig; +import io.metersphere.api.dto.shell.filter.ScriptFilter; import io.metersphere.plugin.core.MsParameter; import io.metersphere.plugin.core.MsTestElement; import lombok.Data; @@ -34,15 +35,16 @@ public class MsJSR223PreProcessor extends MsTestElement { @Override public void toHashTree(HashTree tree, List hashTree, MsParameter msParameter) { + ScriptFilter.verify(this.getScriptLanguage(), this.getName(), script); ParameterConfig config = (ParameterConfig) msParameter; - if(StringUtils.isEmpty(this.getEnvironmentId())){ - if(config.getConfig() != null){ - if(config.getProjectId() != null){ + if (StringUtils.isEmpty(this.getEnvironmentId())) { + if (config.getConfig() != null) { + if (config.getProjectId() != null) { String evnId = config.getConfig().get(config.getProjectId()).getApiEnvironmentid(); this.setEnvironmentId(evnId); - }else { + } else { Collection evnConfigList = config.getConfig().values(); - if(evnConfigList!=null && !evnConfigList.isEmpty()){ + if (evnConfigList != null && !evnConfigList.isEmpty()) { for (EnvironmentConfig configItem : evnConfigList) { String evnId = configItem.getApiEnvironmentid(); this.setEnvironmentId(evnId); @@ -53,7 +55,7 @@ public class MsJSR223PreProcessor extends MsTestElement { } } //替换Metersphere环境变量 - script = StringUtils.replace(script,RunningParamKeys.API_ENVIRONMENT_ID,"\""+RunningParamKeys.RUNNING_PARAMS_PREFIX+this.getEnvironmentId()+".\""); + script = StringUtils.replace(script, RunningParamKeys.API_ENVIRONMENT_ID, "\"" + RunningParamKeys.RUNNING_PARAMS_PREFIX + this.getEnvironmentId() + ".\""); // 非导出操作,且不是启用状态则跳过执行 if (!config.isOperating() && !this.isEnable()) { 
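Review bot: The new `ScriptFilter.verify(...)` screens `script` before the `StringUtils.replace(script, RunningParamKeys.API_ENVIRONMENT_ID, "\"" + RunningParamKeys.RUNNING_PARAMS_PREFIX + this.getEnvironmentId() + ".\"")` later in the hunk, so the text checked is not the text handed to the engine. `this.getEnvironmentId()` is spliced into a string literal of the script without any escaping, and it comes from the element itself or from the environment config rather than from a fixed set, so a value containing `"` breaks out of that literal and whatever follows is never seen by the filter. Verifying the final text is cheap — move the call to just after the replace, `script = StringUtils.replace(...); ScriptFilter.verify(this.getScriptLanguage(), this.getName(), script);` — and, if environment ids are always UUIDs, reject anything that is not one before splicing. The rest of toHashTree is outside the hunk.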
diff --git a/backend/src/main/java/io/metersphere/api/dto/shell/filter/ScriptFilter.java b/backend/src/main/java/io/metersphere/api/dto/shell/filter/ScriptFilter.java
new file mode 100644
index 0000000000..34bbc59a20
--- /dev/null
+++ b/backend/src/main/java/io/metersphere/api/dto/shell/filter/ScriptFilter.java
@@ -0,0 +1,53 @@
+package io.metersphere.api.dto.shell.filter;
+
+import io.metersphere.commons.exception.MSException;
+import io.metersphere.plugin.core.utils.LogUtil;
+import org.apache.commons.io.IOUtils;
+import org.apache.commons.lang3.StringUtils;
+
+import java.io.InputStream;
+import java.util.List;
+
+public class ScriptFilter {
+ public static final String beanshell = "/blacklist/beanshell.bk";
+ public static final String groovy = "/blacklist/groovy.bk";
+ public static final String python = "/blacklist/python.bk";
+
+ private static void blackList(StringBuffer buffer, String script, String path) {
+ try {
+ InputStream in = ScriptFilter.class.getResourceAsStream(path);
+ List bks = IOUtils.readLines(in);
+ bks.forEach(item -> {
+ if (script.contains(item) && script.indexOf(item) != -1) {
+ buffer.append(item).append(",");
+ }
+ });
+ } catch (Exception ex) {
+ LogUtil.error(ex.getMessage());
+ }
+ }
+
+ public static void verify(String language, String label, String script) {
+ if (StringUtils.isNotEmpty(script)) {
+ final StringBuffer buffer = new StringBuffer();
+ switch (language) {
+ case "beanshell":
+ blackList(buffer, script, beanshell);
+ break;
+ case "python":
+ blackList(buffer, script, python);
+ break;
+ default:
+ blackList(buffer, script, groovy);
+ break;
+ }
+ if (StringUtils.isNotEmpty(buffer.toString())) {
+ String message = "脚本内包含敏感函数:【" + buffer.toString().substring(0, buffer.toString().length() - 1) + "】";
+ if (StringUtils.isNotEmpty(label)) {
+ message = label + "," + message;
+ }
+ MSException.throwException(message);
+ }
+ }
+ }
+}
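Review bot: The matching in `blackList` is a plain substring test against a single token per language (`exec`, `os.system` in the `.bk` files), so it neither stops a JSR223 script from spawning a process (`ProcessBuilder`, Groovy's `"cmd".execute()`, reflection or `"ex" + "ec"` in BeanShell/Groovy, `subprocess`/`os.popen`/`__import__` in Python) nor avoids rejecting benign scripts whose identifiers merely contain `exec` (`execute`, `executionTime`); it should be described as defense-in-depth, with the real control being who may author scripts and the privileges of the runner, not presented as a sandbox. The implementation also fails open: a null `getResourceAsStream` result or any read error lands in `catch (Exception)` and is only logged, the stream is never closed, `readLines(in)` uses the platform charset, a blank line in a `.bk` file would flag every script because `script.contains("")` is true, and `switch (language)` in `verify` throws NullPointerException on a null language instead of taking the groovy default. The `script.indexOf(item) != -1` clause duplicates `contains`. The rewrite below closes the stream, reads UTF-8, skips blank entries, fails closed when the list is missing and null-guards the language (it needs `java.io.IOException` and `java.nio.charset.StandardCharsets` imported).

```java
private static void blackList(StringBuffer buffer, String script, String path) {
    try (InputStream in = ScriptFilter.class.getResourceAsStream(path)) {
        if (in == null) {
            // fail closed: a missing list must not silently disable the check
            throw new IllegalStateException("blacklist resource not found: " + path);
        }
        for (String item : IOUtils.readLines(in, StandardCharsets.UTF_8)) {
            String token = item.trim();
            // skip blank entries: script.contains("") is true for every script
            if (!token.isEmpty() && script.contains(token)) {
                buffer.append(token).append(",");
            }
        }
    } catch (IOException ex) {
        LogUtil.error(ex.getMessage());
        throw new IllegalStateException("blacklist resource unreadable: " + path, ex);
    }
}

public static void verify(String language, String label, String script) {
    if (StringUtils.isEmpty(script)) {
        return;
    }
    final StringBuffer buffer = new StringBuffer();
    // switch on a null reference throws NPE; an unset language takes the groovy default
    switch (StringUtils.defaultString(language)) {
        // … unchanged: case labels, message construction, MSException.throwException …
    }
}
```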
diff --git a/backend/src/main/java/io/metersphere/service/JarConfigService.java b/backend/src/main/java/io/metersphere/service/JarConfigService.java index c10e54a180..d749dd0329 100644 --- a/backend/src/main/java/io/metersphere/service/JarConfigService.java +++ b/backend/src/main/java/io/metersphere/service/JarConfigService.java @@ -94,6 +94,9 @@ public class JarConfigService { } public String add(JarConfig jarConfig, MultipartFile file) { + if (file != null && !file.getOriginalFilename().endsWith(".jar")) { + MSException.throwException("上传文件类型错误,请上传正确jar文件"); + } jarConfig.setId(UUID.randomUUID().toString()); jarConfig.setCreator(SessionUtils.getUser().getId()); jarConfig.setModifier(SessionUtils.getUser().getId()); @@ -126,6 +129,7 @@ public class JarConfigService { } } } + public String getLogDetails(String id) { JarConfig jarConfig = jarConfigMapper.selectByPrimaryKey(id); if (jarConfig != null) { diff --git a/backend/src/main/resources/blacklist/beanshell.bk b/backend/src/main/resources/blacklist/beanshell.bk new file mode 100644 index 0000000000..f1b66f3780 --- /dev/null +++ b/backend/src/main/resources/blacklist/beanshell.bk @@ -0,0 +1 @@ +exec \ No newline at end of file diff --git a/backend/src/main/resources/blacklist/groovy.bk b/backend/src/main/resources/blacklist/groovy.bk new file mode 100644 index 0000000000..f1b66f3780 --- /dev/null +++ b/backend/src/main/resources/blacklist/groovy.bk @@ -0,0 +1 @@ +exec \ No newline at end of file diff --git a/backend/src/main/resources/blacklist/python.bk b/backend/src/main/resources/blacklist/python.bk new file mode 100644 index 0000000000..4c486af918 --- /dev/null +++ b/backend/src/main/resources/blacklist/python.bk @@ -0,0 +1 @@ +os.system \ No newline at end of file
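Review bot: The new check in `add` inspects only the client-supplied name, `file.getOriginalFilename().endsWith(".jar")`, so it proves nothing about the content (any file renamed to `.jar` passes), is case-sensitive (`.JAR` is rejected), and dereferences `getOriginalFilename()` without a null guard, which some MultipartFile implementations may return; a null `file` is also accepted silently, which is fine only if `add` is meant to work without an upload. A still-cheap stronger version is `String name = file == null ? "" : StringUtils.defaultString(file.getOriginalFilename()); if (file != null && !StringUtils.endsWithIgnoreCase(name, ".jar")) { MSException.throwException("上传文件类型错误,请上传正确jar文件"); }` followed by opening the bytes with `java.util.jar.JarInputStream` and rejecting anything that is not a readable jar. Whatever is validated, an uploaded jar is loaded by the server, so this extension test is not an authorization boundary — who may call `add` is — and if `update` also accepts a `MultipartFile` (not visible here) it needs the same check. Where the file is written to disk is outside the hunk, so the sanitising of the stored name against path traversal could not be reviewed.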