fix(接口测试): 修复测试脚本和上传jar文件安全漏洞
This commit is contained in:
fit2-zhao
fit2-zhao
parent
e10f6ca970
commit
6b0337cc74
|
|
@ -7,6 +7,7 @@ import io.metersphere.api.dto.definition.request.ParameterConfig;
|
|||
import io.metersphere.api.dto.definition.request.controller.loop.CountController;
|
||||
import io.metersphere.api.dto.definition.request.controller.loop.MsForEachController;
|
||||
import io.metersphere.api.dto.definition.request.controller.loop.MsWhileController;
|
||||
import io.metersphere.api.dto.shell.filter.ScriptFilter;
|
||||
import io.metersphere.commons.constants.LoopConstants;
|
||||
import io.metersphere.plugin.core.MsParameter;
|
||||
import io.metersphere.plugin.core.MsTestElement;
|
||||
|
|
@ -231,6 +232,9 @@ public class MsLoopController extends MsTestElement {
|
|||
jsr223PreProcessor.setProperty(TestElement.GUI_CLASS, SaveService.aliasToClass("TestBeanGUI"));
|
||||
/*jsr223PreProcessor.setProperty("cacheKey", "true");*/
|
||||
jsr223PreProcessor.setProperty("scriptLanguage", "beanshell");
|
||||
|
||||
ScriptFilter.verify("beanshell", this.getName(), script());
|
||||
|
||||
jsr223PreProcessor.setProperty("script", script());
|
||||
hashTree.add(jsr223PreProcessor);
|
||||
return hashTree;
|
||||
|
|
|
|||
|
|
@ -7,6 +7,7 @@ import io.metersphere.api.dto.RunningParamKeys;
|
|||
import io.metersphere.api.dto.definition.request.ElementUtil;
|
||||
import io.metersphere.api.dto.definition.request.ParameterConfig;
|
||||
import io.metersphere.api.dto.scenario.environment.EnvironmentConfig;
|
||||
import io.metersphere.api.dto.shell.filter.ScriptFilter;
|
||||
import io.metersphere.plugin.core.MsParameter;
|
||||
import io.metersphere.plugin.core.MsTestElement;
|
||||
import lombok.Data;
|
||||
|
|
@ -37,6 +38,7 @@ public class MsJSR223Processor extends MsTestElement {
|
|||
|
||||
@Override
|
||||
public void toHashTree(HashTree tree, List<MsTestElement> hashTree, MsParameter msParameter) {
|
||||
ScriptFilter.verify(this.getScriptLanguage(), this.getName(), script);
|
||||
ParameterConfig config = (ParameterConfig) msParameter;
|
||||
//替换Metersphere环境变量
|
||||
if (StringUtils.isEmpty(this.getEnvironmentId())) {
|
||||
|
|
|
|||
|
|
@ -5,6 +5,7 @@ import com.alibaba.fastjson.annotation.JSONType;
|
|||
import io.metersphere.api.dto.RunningParamKeys;
|
||||
import io.metersphere.api.dto.definition.request.ParameterConfig;
|
||||
import io.metersphere.api.dto.scenario.environment.EnvironmentConfig;
|
||||
import io.metersphere.api.dto.shell.filter.ScriptFilter;
|
||||
import io.metersphere.plugin.core.MsParameter;
|
||||
import io.metersphere.plugin.core.MsTestElement;
|
||||
import lombok.Data;
|
||||
|
|
@ -34,15 +35,16 @@ public class MsJSR223PostProcessor extends MsTestElement {
|
|||
|
||||
@Override
|
||||
public void toHashTree(HashTree tree, List<MsTestElement> hashTree, MsParameter msParameter) {
|
||||
ScriptFilter.verify(this.getScriptLanguage(), this.getName(), script);
|
||||
ParameterConfig config = (ParameterConfig) msParameter;
|
||||
if(StringUtils.isEmpty(this.getEnvironmentId())){
|
||||
if(config.getConfig() != null){
|
||||
if(config.getProjectId() != null){
|
||||
if (StringUtils.isEmpty(this.getEnvironmentId())) {
|
||||
if (config.getConfig() != null) {
|
||||
if (config.getProjectId() != null) {
|
||||
String evnId = config.getConfig().get(config.getProjectId()).getApiEnvironmentid();
|
||||
this.setEnvironmentId(evnId);
|
||||
}else {
|
||||
} else {
|
||||
Collection<EnvironmentConfig> evnConfigList = config.getConfig().values();
|
||||
if(evnConfigList!=null && !evnConfigList.isEmpty()){
|
||||
if (evnConfigList != null && !evnConfigList.isEmpty()) {
|
||||
for (EnvironmentConfig configItem : evnConfigList) {
|
||||
String evnId = configItem.getApiEnvironmentid();
|
||||
this.setEnvironmentId(evnId);
|
||||
|
|
@ -53,7 +55,7 @@ public class MsJSR223PostProcessor extends MsTestElement {
|
|||
}
|
||||
}
|
||||
//替换Metersphere环境变量
|
||||
script = StringUtils.replace(script,RunningParamKeys.API_ENVIRONMENT_ID,"\""+RunningParamKeys.RUNNING_PARAMS_PREFIX+this.getEnvironmentId()+".\"");
|
||||
script = StringUtils.replace(script, RunningParamKeys.API_ENVIRONMENT_ID, "\"" + RunningParamKeys.RUNNING_PARAMS_PREFIX + this.getEnvironmentId() + ".\"");
|
||||
|
||||
// 非导出操作,且不是启用状态则跳过执行
|
||||
if (!config.isOperating() && !this.isEnable()) {
|
||||
|
|
|
|||
|
|
@ -5,6 +5,7 @@ import com.alibaba.fastjson.annotation.JSONType;
|
|||
import io.metersphere.api.dto.RunningParamKeys;
|
||||
import io.metersphere.api.dto.definition.request.ParameterConfig;
|
||||
import io.metersphere.api.dto.scenario.environment.EnvironmentConfig;
|
||||
import io.metersphere.api.dto.shell.filter.ScriptFilter;
|
||||
import io.metersphere.plugin.core.MsParameter;
|
||||
import io.metersphere.plugin.core.MsTestElement;
|
||||
import lombok.Data;
|
||||
|
|
@ -34,15 +35,16 @@ public class MsJSR223PreProcessor extends MsTestElement {
|
|||
|
||||
@Override
|
||||
public void toHashTree(HashTree tree, List<MsTestElement> hashTree, MsParameter msParameter) {
|
||||
ScriptFilter.verify(this.getScriptLanguage(), this.getName(), script);
|
||||
ParameterConfig config = (ParameterConfig) msParameter;
|
||||
if(StringUtils.isEmpty(this.getEnvironmentId())){
|
||||
if(config.getConfig() != null){
|
||||
if(config.getProjectId() != null){
|
||||
if (StringUtils.isEmpty(this.getEnvironmentId())) {
|
||||
if (config.getConfig() != null) {
|
||||
if (config.getProjectId() != null) {
|
||||
String evnId = config.getConfig().get(config.getProjectId()).getApiEnvironmentid();
|
||||
this.setEnvironmentId(evnId);
|
||||
}else {
|
||||
} else {
|
||||
Collection<EnvironmentConfig> evnConfigList = config.getConfig().values();
|
||||
if(evnConfigList!=null && !evnConfigList.isEmpty()){
|
||||
if (evnConfigList != null && !evnConfigList.isEmpty()) {
|
||||
for (EnvironmentConfig configItem : evnConfigList) {
|
||||
String evnId = configItem.getApiEnvironmentid();
|
||||
this.setEnvironmentId(evnId);
|
||||
|
|
@ -53,7 +55,7 @@ public class MsJSR223PreProcessor extends MsTestElement {
|
|||
}
|
||||
}
|
||||
//替换Metersphere环境变量
|
||||
script = StringUtils.replace(script,RunningParamKeys.API_ENVIRONMENT_ID,"\""+RunningParamKeys.RUNNING_PARAMS_PREFIX+this.getEnvironmentId()+".\"");
|
||||
script = StringUtils.replace(script, RunningParamKeys.API_ENVIRONMENT_ID, "\"" + RunningParamKeys.RUNNING_PARAMS_PREFIX + this.getEnvironmentId() + ".\"");
|
||||
|
||||
// 非导出操作,且不是启用状态则跳过执行
|
||||
if (!config.isOperating() && !this.isEnable()) {
|
||||
|
|
|
|||
|
|
@ -0,0 +1,53 @@
|
|||
package io.metersphere.api.dto.shell.filter;
|
||||
|
||||
import io.metersphere.commons.exception.MSException;
|
||||
import io.metersphere.plugin.core.utils.LogUtil;
|
||||
import org.apache.commons.io.IOUtils;
|
||||
import org.apache.commons.lang3.StringUtils;
|
||||
|
||||
import java.io.InputStream;
|
||||
import java.util.List;
|
||||
|
||||
public class ScriptFilter {
|
||||
public static final String beanshell = "/blacklist/beanshell.bk";
|
||||
public static final String groovy = "/blacklist/groovy.bk";
|
||||
public static final String python = "/blacklist/python.bk";
|
||||
|
||||
private static void blackList(StringBuffer buffer, String script, String path) {
|
||||
try {
|
||||
InputStream in = ScriptFilter.class.getResourceAsStream(path);
|
||||
List<String> bks = IOUtils.readLines(in);
|
||||
bks.forEach(item -> {
|
||||
if (script.contains(item) && script.indexOf(item) != -1) {
|
||||
buffer.append(item).append(",");
|
||||
}
|
||||
});
|
||||
} catch (Exception ex) {
|
||||
LogUtil.error(ex.getMessage());
|
||||
}
|
||||
}
|
||||
|
||||
public static void verify(String language, String label, String script) {
|
||||
if (StringUtils.isNotEmpty(script)) {
|
||||
final StringBuffer buffer = new StringBuffer();
|
||||
switch (language) {
|
||||
case "beanshell":
|
||||
blackList(buffer, script, beanshell);
|
||||
break;
|
||||
case "python":
|
||||
blackList(buffer, script, python);
|
||||
break;
|
||||
default:
|
||||
blackList(buffer, script, groovy);
|
||||
break;
|
||||
}
|
||||
if (StringUtils.isNotEmpty(buffer.toString())) {
|
||||
String message = "脚本内包含敏感函数:【" + buffer.toString().substring(0, buffer.toString().length() - 1) + "】";
|
||||
if (StringUtils.isNotEmpty(label)) {
|
||||
message = label + "," + message;
|
||||
}
|
||||
MSException.throwException(message);
|
||||
}
|
||||
}
|
||||
}
|
||||
}
|
||||
|
|
@ -94,6 +94,9 @@ public class JarConfigService {
|
|||
}
|
||||
|
||||
public String add(JarConfig jarConfig, MultipartFile file) {
|
||||
if (file != null && !file.getOriginalFilename().endsWith(".jar")) {
|
||||
MSException.throwException("上传文件类型错误,请上传正确jar文件");
|
||||
}
|
||||
jarConfig.setId(UUID.randomUUID().toString());
|
||||
jarConfig.setCreator(SessionUtils.getUser().getId());
|
||||
jarConfig.setModifier(SessionUtils.getUser().getId());
|
||||
|
|
@ -126,6 +129,7 @@ public class JarConfigService {
|
|||
}
|
||||
}
|
||||
}
|
||||
|
||||
public String getLogDetails(String id) {
|
||||
JarConfig jarConfig = jarConfigMapper.selectByPrimaryKey(id);
|
||||
if (jarConfig != null) {
|
||||
|
|
|
|||
|
|
@ -0,0 +1 @@
|
|||
exec
|
||||
|
|
@ -0,0 +1 @@
|
|||
exec
|
||||
|
|
@ -0,0 +1 @@
|
|||
os.system
|
||||
Loading…
Reference in New Issue