diff --git a/echo-pipelinetriggers/src/main/java/com/netflix/spinnaker/echo/pipelinetriggers/postprocessors/ExpectedArtifactExpressionEvaluationPostProcessor.java b/echo-pipelinetriggers/src/main/java/com/netflix/spinnaker/echo/pipelinetriggers/postprocessors/ExpectedArtifactExpressionEvaluationPostProcessor.java
index a3cb0d475..a0069f6bd 100644
--- a/echo-pipelinetriggers/src/main/java/com/netflix/spinnaker/echo/pipelinetriggers/postprocessors/ExpectedArtifactExpressionEvaluationPostProcessor.java
+++ b/echo-pipelinetriggers/src/main/java/com/netflix/spinnaker/echo/pipelinetriggers/postprocessors/ExpectedArtifactExpressionEvaluationPostProcessor.java
@@ -3,9 +3,14 @@
 import com.fasterxml.jackson.core.type.TypeReference;
 import com.fasterxml.jackson.databind.ObjectMapper;
 import com.netflix.spinnaker.echo.model.Pipeline;
+import com.netflix.spinnaker.echo.model.Trigger;
+import com.netflix.spinnaker.echo.model.WebhookContent;
+import com.netflix.spinnaker.echo.model.trigger.TriggerEvent;
+import com.netflix.spinnaker.kork.artifacts.model.Artifact;
 import com.netflix.spinnaker.kork.artifacts.model.ExpectedArtifact;
 import com.netflix.spinnaker.kork.expressions.ExpressionEvaluationSummary;
 import com.netflix.spinnaker.kork.expressions.ExpressionTransform;
+import com.netflix.spinnaker.kork.expressions.ExpressionsSupport;
 import com.netflix.spinnaker.kork.expressions.config.ExpressionProperties;
 import java.util.Collections;
 import java.util.List;
@@ -18,7 +23,6 @@
 import org.springframework.expression.common.TemplateParserContext;
 import org.springframework.expression.spel.SpelParserConfiguration;
 import org.springframework.expression.spel.standard.SpelExpressionParser;
-import org.springframework.expression.spel.support.StandardEvaluationContext;
 import org.springframework.stereotype.Component;
 /**
@@ -30,10 +34,24 @@ public class ExpectedArtifactExpressionEvaluationPostProcessor implements Pipeli
 private final ObjectMapper mapper;
 private final ExpressionParser parser;
 private final ParserContext parserContext = new TemplateParserContext("${", "}");
+ private final ExpressionsSupport expressionsSupport;
 public ExpectedArtifactExpressionEvaluationPostProcessor(
 ObjectMapper mapper, ExpressionProperties expressionProperties) {
 this.mapper = mapper;
+ this.expressionsSupport =
+ new ExpressionsSupport(
+ new Class[] {
+ Artifact.class,
+ ExpectedArtifact.class,
+ Pipeline.class,
+ WebhookContent.class,
+ TriggerEvent.class,
+ Trigger.class
+ },
+ null,
+ null,
+ expressionProperties);
 parser =
 new SpelExpressionParser(
 expressionProperties.getMaxExpressionLength() > 0
@@ -44,7 +62,8 @@ public ExpectedArtifactExpressionEvaluationPostProcessor(
 @Override
 public Pipeline processPipeline(Pipeline inputPipeline) {
- EvaluationContext evaluationContext = new StandardEvaluationContext(inputPipeline);
+ EvaluationContext evaluationContext =
+ expressionsSupport.buildEvaluationContext(inputPipeline, false);
 List expectedArtifacts = inputPipeline.getExpectedArtifacts();
 if (expectedArtifacts == null) {
diff --git a/echo-pipelinetriggers/src/test/groovy/com/netflix/spinnaker/echo/pipelinetriggers/postprocessors/ExpectedArtifactExpressionEvaluationPostProcessorSpec.groovy b/echo-pipelinetriggers/src/test/groovy/com/netflix/spinnaker/echo/pipelinetriggers/postprocessors/ExpectedArtifactExpressionEvaluationPostProcessorSpec.groovy
index 17dcc2a55..816e16c20 100644
--- a/echo-pipelinetriggers/src/test/groovy/com/netflix/spinnaker/echo/pipelinetriggers/postprocessors/ExpectedArtifactExpressionEvaluationPostProcessorSpec.groovy
+++ b/echo-pipelinetriggers/src/test/groovy/com/netflix/spinnaker/echo/pipelinetriggers/postprocessors/ExpectedArtifactExpressionEvaluationPostProcessorSpec.groovy
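Review bot: The type allowlist handed to `ExpressionsSupport` is the security boundary this change introduces, but nothing in the constructor says so, and the array is a raw `Class[]` followed by two bare `null` arguments a reader has to look up in kork to understand. I would declare it `new Class<?>[] { ... }` and precede the call with `// Restricted SpEL context: only these types may be referenced or returned by artifact expressions; widen with care, since trigger/webhook payloads reach these expressions.` The two `null`s appear to be optional function providers and a plugin manager, but that is inferred from kork's signature rather than visible here, so a short trailing comment on each, e.g. `null, // extra function providers`, would make the call self-explaining. Hoisting the array to a `private static final Class<?>[] ALLOWED_EXPRESSION_TYPES` would also keep the constructor readable. The constructor body continues past the end of the hunk.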
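Review bot: `processPipeline` is where trigger- and webhook-supplied strings reach SpEL, and the swap from `StandardEvaluationContext` to `expressionsSupport.buildEvaluationContext(inputPipeline, false)` is what keeps `new ...`/`T(...)` payloads from executing, yet the new line carries no comment saying the restricted context is load-bearing. I would add above it `// Must remain a restricted context: artifact names/versions come from untrusted trigger payloads, so type references, constructors and arbitrary method calls must not be reachable from these expressions.` The second argument, `false`, is a bare boolean; if it is kork's allow-unknown-keys flag (inferred, not visible here) an end-of-line comment such as `/* allowUnknownKeys */` would spare the next reader the lookup. It is also worth confirming, outside this hunk, that a blocked expression is logged or counted rather than silently left as the raw string, since the accompanying spec only checks the latter. The method body continues beyond the hunk.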
@@ -1,6 +1,5 @@
 package com.netflix.spinnaker.echo.pipelinetriggers.postprocessors
-import com.fasterxml.jackson.databind.ObjectMapper
 import com.netflix.spinnaker.echo.jackson.EchoObjectMapper
 import com.netflix.spinnaker.echo.model.Trigger
 import com.netflix.spinnaker.echo.test.RetrofitStubs
@@ -101,4 +100,24 @@ class ExpectedArtifactExpressionEvaluationPostProcessorSpec extends Specificatio
 evaluatedArtifact.name == '{foo=bar}'
 evaluatedArtifact.version == '77'
 }
+ def 'block arbitrary java objects like process runners from resolving'() {
+ given:
+ def artifact = ExpectedArtifact.builder()
+ .matchArtifact(
+ Artifact.builder()
+ .name('${ new java.lang.ProcessBuilder("echo", "bob", ">", "/tmp/bad-process.txt").start().toString() }')
+ .version('77')
+ .type('maven/file')
+ .build())
+ .id('goodId')
+ .build()
+ def inputPipeline = createPipelineWith([artifact], trigger).withTrigger(trigger)
+
+ when:
+ def outputPipeline = artifactPostProcessor.processPipeline(inputPipeline)
+ def evaluatedArtifact = outputPipeline.expectedArtifacts[0].matchArtifact
+
+ then:
+ evaluatedArtifact.name == '${ new java.lang.ProcessBuilder("echo", "bob", ">", "/tmp/bad-process.txt").start().toString() }'
+ }
 }
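Review bot: The new spec exercises only the constructor form (`new java.lang.ProcessBuilder(...)`), while the `T(...)` type-reference form is the more common SpEL injection shape and is not covered; add a second case such as `'${ T(java.lang.Runtime).getRuntime().exec("echo bob").toString() }'` and assert it is likewise left unevaluated, or make the feature data-driven with a `where:` block over both payloads. The raw payload string is also duplicated between `.name(...)` and the `then:` assertion; extracting it to `def payload = '${ ... }'` and asserting `evaluatedArtifact.name == payload` keeps the two from drifting apart. Note that equality with the original string only proves the expression was not resolved — it does not distinguish "blocked by the context" from "threw and was swallowed" — so if the processor records evaluation failures anywhere (not visible in this diff), asserting on that would make the test's intent explicit.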