SECURITY-1025 protect more paths
lacostej committed Nov 2, 2023
1 parent 41125f6 commit 0e461e2
Showing 3 changed files with 7 additions and 0 deletions.
2 changes: 2 additions & 0 deletions src/main/java/hudson/plugins/batch_task/BatchRun.java
@@ -16,6 +16,7 @@
import org.kohsuke.stapler.StaplerResponse;
import org.kohsuke.stapler.export.Exported;
import org.kohsuke.stapler.framework.io.LargeText;
import org.kohsuke.stapler.verb.POST;

import java.io.File;
import java.io.FileOutputStream;
@@ -326,6 +327,7 @@ public String getUrlName() {
/**
* Handles incremental log output.
*/
@POST
public void doProgressiveLog(StaplerRequest req, StaplerResponse rsp) throws IOException {
new LargeText(getLogFile(), !isRunning()).doProgressText(req, rsp);
}
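Review bot: `doProgressiveLog` has no permission check in the visible lines, so `@POST` only narrows the HTTP verb (which lets Jenkins' crumb check apply when CSRF protection is enabled); it does not decide who may read the log. If read access is not already enforced on the path to this object, add a check at the top of the method in the style BatchTask uses, `getACL().checkPermission(...)`, with whatever read permission the plugin applies to runs. The same question applies to `doFillTaskItems` in the last hunk of this commit, whose body continues outside the hunk: it takes a caller-supplied `project` name, and a guard such as `if (context == null || !context.hasPermission(Item.CONFIGURE)) return new ListBoxModel();` before the lookup would keep it from listing tasks to users who cannot configure the job.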
4 changes: 4 additions & 0 deletions src/main/java/hudson/plugins/batch_task/BatchTask.java
@@ -39,6 +39,7 @@
import java.util.regex.Pattern;

import com.thoughtworks.xstream.converters.basic.AbstractSingleValueConverter;
import org.kohsuke.stapler.verb.POST;

/**
* A batch task.
@@ -264,6 +265,7 @@ public Object getDynamic(String token, StaplerRequest req, StaplerResponse rsp)
/**
* Schedules the execution
*/
@POST
public synchronized void doExecute( StaplerRequest req, StaplerResponse rsp ) throws IOException, ServletException {
getACL().checkPermission(AbstractProject.BUILD);

@@ -278,6 +280,7 @@ public synchronized void doExecute( StaplerRequest req, StaplerResponse rsp ) th
/**
* Deletes this task.
*/
@POST
public synchronized void doDoDelete(StaplerResponse rsp) throws IOException, ServletException {
getACL().checkPermission(AbstractProject.DELETE);

@@ -319,6 +322,7 @@ private int[] parse(String num) {

private static final Pattern BUILD_NUMBER_PATTERN = Pattern.compile("(\\d+)-(\\d+)");

@POST
public void doCancelQueue(StaplerRequest req, StaplerResponse rsp)
throws IOException, ServletException {
checkAbortPermission();
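Review bot: No view is updated alongside these annotations, so any page that still reaches `execute`, `doDelete` or `cancelQueue` through a plain link will be rejected now that the handlers are POST-only; the seven additions in the diffstat are fully accounted for by the two imports and five `@POST` lines shown. Check the Jelly side and switch such links to a POST, for example `<l:task ... post="true"/>` or a form button. Keeping the permission check as the first statement of `doExecute` and `doDoDelete` is right, though the bodies of all three methods continue outside the hunks. A test that sends GET to each endpoint and expects it to be refused would stop the annotation from being dropped in a later refactor.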
@@ -132,6 +132,7 @@ public String getDisplayName() {
return "";
}

@POST
public ListBoxModel doFillTaskItems(@QueryParameter String project, @AncestorInPath AbstractProject context) {
// when the item is not found, the user should be getting an error from elsewhere.
ListBoxModel r = new ListBoxModel();