test-version22
/
MeterSphere
mirror of https://gitee.com/fit2cloud-feizhiyun/MeterSphere.git
1
0
Fork 0
Code Issues Projects Releases Wiki Activity

fix(接口测试): 修复测试脚本和上传jar文件安全漏洞

This commit is contained in:
fit2-zhao 2022-01-11 15:32:18 +08:00 committed by fit2-zhao
parent e10f6ca970
commit 6b0337cc74
9 changed files with 82 additions and 12 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

4
backend/src/main/java/io/metersphere/api/dto/definition/request/controller/MsLoopController.java
View File

@ -7,6 +7,7 @@ import io.metersphere.api.dto.definition.request.ParameterConfig;
import io.metersphere.api.dto.definition.request.controller.loop.CountController; import io.metersphere.api.dto.definition.request.controller.loop.CountController;
import io.metersphere.api.dto.definition.request.controller.loop.MsForEachController; import io.metersphere.api.dto.definition.request.controller.loop.MsForEachController;
import io.metersphere.api.dto.definition.request.controller.loop.MsWhileController; import io.metersphere.api.dto.definition.request.controller.loop.MsWhileController;
import io.metersphere.api.dto.shell.filter.ScriptFilter;
import io.metersphere.commons.constants.LoopConstants; import io.metersphere.commons.constants.LoopConstants;
import io.metersphere.plugin.core.MsParameter; import io.metersphere.plugin.core.MsParameter;
import io.metersphere.plugin.core.MsTestElement; import io.metersphere.plugin.core.MsTestElement;
@ -231,6 +232,9 @@ public class MsLoopController extends MsTestElement {
jsr223PreProcessor.setProperty(TestElement.GUI_CLASS, SaveService.aliasToClass("TestBeanGUI")); jsr223PreProcessor.setProperty(TestElement.GUI_CLASS, SaveService.aliasToClass("TestBeanGUI"));
/*jsr223PreProcessor.setProperty("cacheKey", "true");*/ /*jsr223PreProcessor.setProperty("cacheKey", "true");*/
jsr223PreProcessor.setProperty("scriptLanguage", "beanshell"); jsr223PreProcessor.setProperty("scriptLanguage", "beanshell");
ScriptFilter.verify("beanshell", this.getName(), script());
jsr223PreProcessor.setProperty("script", script()); jsr223PreProcessor.setProperty("script", script());
hashTree.add(jsr223PreProcessor); hashTree.add(jsr223PreProcessor);
return hashTree; return hashTree;

2
backend/src/main/java/io/metersphere/api/dto/definition/request/processors/MsJSR223Processor.java
View File

@ -7,6 +7,7 @@ import io.metersphere.api.dto.RunningParamKeys;
import io.metersphere.api.dto.definition.request.ElementUtil; import io.metersphere.api.dto.definition.request.ElementUtil;
import io.metersphere.api.dto.definition.request.ParameterConfig; import io.metersphere.api.dto.definition.request.ParameterConfig;
import io.metersphere.api.dto.scenario.environment.EnvironmentConfig; import io.metersphere.api.dto.scenario.environment.EnvironmentConfig;
import io.metersphere.api.dto.shell.filter.ScriptFilter;
import io.metersphere.plugin.core.MsParameter; import io.metersphere.plugin.core.MsParameter;
import io.metersphere.plugin.core.MsTestElement; import io.metersphere.plugin.core.MsTestElement;
import lombok.Data; import lombok.Data;
@ -37,6 +38,7 @@ public class MsJSR223Processor extends MsTestElement {
@Override @Override
public void toHashTree(HashTree tree, List<MsTestElement> hashTree, MsParameter msParameter) { public void toHashTree(HashTree tree, List<MsTestElement> hashTree, MsParameter msParameter) {
ScriptFilter.verify(this.getScriptLanguage(), this.getName(), script);
ParameterConfig config = (ParameterConfig) msParameter; ParameterConfig config = (ParameterConfig) msParameter;
//替换Metersphere环境变量 //替换Metersphere环境变量
if (StringUtils.isEmpty(this.getEnvironmentId())) { if (StringUtils.isEmpty(this.getEnvironmentId())) {

14
backend/src/main/java/io/metersphere/api/dto/definition/request/processors/post/MsJSR223PostProcessor.java
View File

@ -5,6 +5,7 @@ import com.alibaba.fastjson.annotation.JSONType;
import io.metersphere.api.dto.RunningParamKeys; import io.metersphere.api.dto.RunningParamKeys;
import io.metersphere.api.dto.definition.request.ParameterConfig; import io.metersphere.api.dto.definition.request.ParameterConfig;
import io.metersphere.api.dto.scenario.environment.EnvironmentConfig; import io.metersphere.api.dto.scenario.environment.EnvironmentConfig;
import io.metersphere.api.dto.shell.filter.ScriptFilter;
import io.metersphere.plugin.core.MsParameter; import io.metersphere.plugin.core.MsParameter;
import io.metersphere.plugin.core.MsTestElement; import io.metersphere.plugin.core.MsTestElement;
import lombok.Data; import lombok.Data;
@ -34,15 +35,16 @@ public class MsJSR223PostProcessor extends MsTestElement {
@Override @Override
public void toHashTree(HashTree tree, List<MsTestElement> hashTree, MsParameter msParameter) { public void toHashTree(HashTree tree, List<MsTestElement> hashTree, MsParameter msParameter) {
ScriptFilter.verify(this.getScriptLanguage(), this.getName(), script);
ParameterConfig config = (ParameterConfig) msParameter; ParameterConfig config = (ParameterConfig) msParameter;
if(StringUtils.isEmpty(this.getEnvironmentId())){ if (StringUtils.isEmpty(this.getEnvironmentId())) {
if(config.getConfig() != null){ if (config.getConfig() != null) {
if(config.getProjectId() != null){ if (config.getProjectId() != null) {
String evnId = config.getConfig().get(config.getProjectId()).getApiEnvironmentid(); String evnId = config.getConfig().get(config.getProjectId()).getApiEnvironmentid();
this.setEnvironmentId(evnId); this.setEnvironmentId(evnId);
}else { } else {
Collection<EnvironmentConfig> evnConfigList = config.getConfig().values(); Collection<EnvironmentConfig> evnConfigList = config.getConfig().values();
if(evnConfigList!=null && !evnConfigList.isEmpty()){ if (evnConfigList != null && !evnConfigList.isEmpty()) {
for (EnvironmentConfig configItem : evnConfigList) { for (EnvironmentConfig configItem : evnConfigList) {
String evnId = configItem.getApiEnvironmentid(); String evnId = configItem.getApiEnvironmentid();
this.setEnvironmentId(evnId); this.setEnvironmentId(evnId);
@ -53,7 +55,7 @@ public class MsJSR223PostProcessor extends MsTestElement {
} }
} }
//替换Metersphere环境变量 //替换Metersphere环境变量
script = StringUtils.replace(script,RunningParamKeys.API_ENVIRONMENT_ID,"\""+RunningParamKeys.RUNNING_PARAMS_PREFIX+this.getEnvironmentId()+".\""); script = StringUtils.replace(script, RunningParamKeys.API_ENVIRONMENT_ID, "\"" + RunningParamKeys.RUNNING_PARAMS_PREFIX + this.getEnvironmentId() + ".\"");
// 非导出操作且不是启用状态则跳过执行 // 非导出操作且不是启用状态则跳过执行
if (!config.isOperating() && !this.isEnable()) { if (!config.isOperating() && !this.isEnable()) {

14
backend/src/main/java/io/metersphere/api/dto/definition/request/processors/pre/MsJSR223PreProcessor.java
View File

@ -5,6 +5,7 @@ import com.alibaba.fastjson.annotation.JSONType;
import io.metersphere.api.dto.RunningParamKeys; import io.metersphere.api.dto.RunningParamKeys;
import io.metersphere.api.dto.definition.request.ParameterConfig; import io.metersphere.api.dto.definition.request.ParameterConfig;
import io.metersphere.api.dto.scenario.environment.EnvironmentConfig; import io.metersphere.api.dto.scenario.environment.EnvironmentConfig;
import io.metersphere.api.dto.shell.filter.ScriptFilter;
import io.metersphere.plugin.core.MsParameter; import io.metersphere.plugin.core.MsParameter;
import io.metersphere.plugin.core.MsTestElement; import io.metersphere.plugin.core.MsTestElement;
import lombok.Data; import lombok.Data;
@ -34,15 +35,16 @@ public class MsJSR223PreProcessor extends MsTestElement {
@Override @Override
public void toHashTree(HashTree tree, List<MsTestElement> hashTree, MsParameter msParameter) { public void toHashTree(HashTree tree, List<MsTestElement> hashTree, MsParameter msParameter) {
ScriptFilter.verify(this.getScriptLanguage(), this.getName(), script);
ParameterConfig config = (ParameterConfig) msParameter; ParameterConfig config = (ParameterConfig) msParameter;
if(StringUtils.isEmpty(this.getEnvironmentId())){ if (StringUtils.isEmpty(this.getEnvironmentId())) {
if(config.getConfig() != null){ if (config.getConfig() != null) {
if(config.getProjectId() != null){ if (config.getProjectId() != null) {
String evnId = config.getConfig().get(config.getProjectId()).getApiEnvironmentid(); String evnId = config.getConfig().get(config.getProjectId()).getApiEnvironmentid();
this.setEnvironmentId(evnId); this.setEnvironmentId(evnId);
}else { } else {
Collection<EnvironmentConfig> evnConfigList = config.getConfig().values(); Collection<EnvironmentConfig> evnConfigList = config.getConfig().values();
if(evnConfigList!=null && !evnConfigList.isEmpty()){ if (evnConfigList != null && !evnConfigList.isEmpty()) {
for (EnvironmentConfig configItem : evnConfigList) { for (EnvironmentConfig configItem : evnConfigList) {
String evnId = configItem.getApiEnvironmentid(); String evnId = configItem.getApiEnvironmentid();
this.setEnvironmentId(evnId); this.setEnvironmentId(evnId);
@ -53,7 +55,7 @@ public class MsJSR223PreProcessor extends MsTestElement {
} }
} }
//替换Metersphere环境变量 //替换Metersphere环境变量
script = StringUtils.replace(script,RunningParamKeys.API_ENVIRONMENT_ID,"\""+RunningParamKeys.RUNNING_PARAMS_PREFIX+this.getEnvironmentId()+".\""); script = StringUtils.replace(script, RunningParamKeys.API_ENVIRONMENT_ID, "\"" + RunningParamKeys.RUNNING_PARAMS_PREFIX + this.getEnvironmentId() + ".\"");
// 非导出操作且不是启用状态则跳过执行 // 非导出操作且不是启用状态则跳过执行
if (!config.isOperating() && !this.isEnable()) { if (!config.isOperating() && !this.isEnable()) {

53
backend/src/main/java/io/metersphere/api/dto/shell/filter/ScriptFilter.java Normal file
View File

@ -0,0 +1,53 @@
package io.metersphere.api.dto.shell.filter;
import io.metersphere.commons.exception.MSException;
import io.metersphere.plugin.core.utils.LogUtil;
import org.apache.commons.io.IOUtils;
import org.apache.commons.lang3.StringUtils;
import java.io.InputStream;
import java.util.List;
public class ScriptFilter {
public static final String beanshell = "/blacklist/beanshell.bk";
public static final String groovy = "/blacklist/groovy.bk";
public static final String python = "/blacklist/python.bk";
private static void blackList(StringBuffer buffer, String script, String path) {
try {
InputStream in = ScriptFilter.class.getResourceAsStream(path);
List<String> bks = IOUtils.readLines(in);
bks.forEach(item -> {
if (script.contains(item) && script.indexOf(item) != -1) {
buffer.append(item).append(",");
}
});
} catch (Exception ex) {
LogUtil.error(ex.getMessage());
}
}
public static void verify(String language, String label, String script) {
if (StringUtils.isNotEmpty(script)) {
final StringBuffer buffer = new StringBuffer();
switch (language) {
case "beanshell":
blackList(buffer, script, beanshell);
break;
case "python":
blackList(buffer, script, python);
break;
default:
blackList(buffer, script, groovy);
break;
}
if (StringUtils.isNotEmpty(buffer.toString())) {
String message = "脚本内包含敏感函数:【" + buffer.toString().substring(0, buffer.toString().length() - 1) + "";
if (StringUtils.isNotEmpty(label)) {
message = label + "," + message;
}
MSException.throwException(message);
}
}
}
}

4
backend/src/main/java/io/metersphere/service/JarConfigService.java
View File

@ -94,6 +94,9 @@ public class JarConfigService {
} }
public String add(JarConfig jarConfig, MultipartFile file) { public String add(JarConfig jarConfig, MultipartFile file) {
if (file != null && !file.getOriginalFilename().endsWith(".jar")) {
MSException.throwException("上传文件类型错误请上传正确jar文件");
}
jarConfig.setId(UUID.randomUUID().toString()); jarConfig.setId(UUID.randomUUID().toString());
jarConfig.setCreator(SessionUtils.getUser().getId()); jarConfig.setCreator(SessionUtils.getUser().getId());
jarConfig.setModifier(SessionUtils.getUser().getId()); jarConfig.setModifier(SessionUtils.getUser().getId());
@ -126,6 +129,7 @@ public class JarConfigService {
} }
} }
} }
public String getLogDetails(String id) { public String getLogDetails(String id) {
JarConfig jarConfig = jarConfigMapper.selectByPrimaryKey(id); JarConfig jarConfig = jarConfigMapper.selectByPrimaryKey(id);
if (jarConfig != null) { if (jarConfig != null) {

1
backend/src/main/resources/blacklist/beanshell.bk Normal file
View File

@ -0,0 +1 @@
exec

1
backend/src/main/resources/blacklist/groovy.bk Normal file
View File

@ -0,0 +1 @@
exec

1
backend/src/main/resources/blacklist/python.bk Normal file
View File

@ -0,0 +1 @@
os.system