From 0e461e230b40d8eeae6e2dfbf00ba7b461ddb0a9 Mon Sep 17 00:00:00 2001
From: Jerome Lacoste
Date: Tue, 31 Oct 2023 13:27:02 +0100
Subject: [PATCH] SECURITY-1025 protect more paths
---
 src/main/java/hudson/plugins/batch_task/BatchRun.java | 2 ++
 src/main/java/hudson/plugins/batch_task/BatchTask.java | 4 ++++
 src/main/java/hudson/plugins/batch_task/BatchTaskInvoker.java | 1 +
 3 files changed, 7 insertions(+)
diff --git a/src/main/java/hudson/plugins/batch_task/BatchRun.java b/src/main/java/hudson/plugins/batch_task/BatchRun.java
index d09c828..4657c9c 100644
--- a/src/main/java/hudson/plugins/batch_task/BatchRun.java
+++ b/src/main/java/hudson/plugins/batch_task/BatchRun.java
@@ -16,6 +16,7 @@
 import org.kohsuke.stapler.StaplerResponse;
 import org.kohsuke.stapler.export.Exported;
 import org.kohsuke.stapler.framework.io.LargeText;
+import org.kohsuke.stapler.verb.POST;
 import java.io.File;
 import java.io.FileOutputStream;
@@ -326,6 +327,7 @@ public String getUrlName() {
 /**
 * Handles incremental log output.
 */
+ @POST
 public void doProgressiveLog(StaplerRequest req, StaplerResponse rsp) throws IOException {
 new LargeText(getLogFile(), !isRunning()).doProgressText(req, rsp);
 }
diff --git a/src/main/java/hudson/plugins/batch_task/BatchTask.java b/src/main/java/hudson/plugins/batch_task/BatchTask.java
index 7e87d9a..ee443b3 100644
--- a/src/main/java/hudson/plugins/batch_task/BatchTask.java
+++ b/src/main/java/hudson/plugins/batch_task/BatchTask.java
@@ -39,6 +39,7 @@
 import java.util.regex.Pattern;
 import com.thoughtworks.xstream.converters.basic.AbstractSingleValueConverter;
+import org.kohsuke.stapler.verb.POST;
 /**
 * A batch task.
@@ -264,6 +265,7 @@ public Object getDynamic(String token, StaplerRequest req, StaplerResponse rsp)
 /**
 * Schedules the execution
 */
+ @POST
 public synchronized void doExecute( StaplerRequest req, StaplerResponse rsp ) throws IOException, ServletException {
 getACL().checkPermission(AbstractProject.BUILD);
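Review bot: `doProgressiveLog` in BatchRun.java gets `@POST`, but its body, fully visible in this hunk, performs no permission check, unlike `doExecute`, `doDoDelete` and `doCancelQueue` in BatchTask.java, which each start with one. The annotation only restricts the HTTP verb; whether read access to the log is enforced further up the URL path cannot be seen from this hunk. If it is not, a read-permission check on the owning task belongs as the first statement of this method. The Javadoc should also record the new contract, for example `Handles incremental log output. Requires POST.`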
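Review bot: The diffstat lists only three Java files, so no view or script in the plugin changes together with the new `@POST` on `doExecute` (the same applies to `doDoDelete`, `doCancelQueue` and `doProgressiveLog` in the other hunks). Any existing link or script that reaches these endpoints with GET would be rejected once this lands, so each caller should be checked and moved to a POST form or a task link with `post="true"`. The body of `doExecute` continues past the end of the hunk. Its Javadoc could state the requirement: `Schedules the execution. Requires POST and the BUILD permission.`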
@@ -278,6 +280,7 @@ public synchronized void doExecute( StaplerRequest req, StaplerResponse rsp ) th
 /**
 * Deletes this task.
 */
+ @POST
 public synchronized void doDoDelete(StaplerResponse rsp) throws IOException, ServletException {
 getACL().checkPermission(AbstractProject.DELETE);
@@ -319,6 +322,7 @@ private int[] parse(String num) {
 private static final Pattern BUILD_NUMBER_PATTERN = Pattern.compile("(\\d+)-(\\d+)");
+ @POST
 public void doCancelQueue(StaplerRequest req, StaplerResponse rsp) throws IOException, ServletException {
 checkAbortPermission();
diff --git a/src/main/java/hudson/plugins/batch_task/BatchTaskInvoker.java b/src/main/java/hudson/plugins/batch_task/BatchTaskInvoker.java
index d01e27a..7ec2b6a 100644
--- a/src/main/java/hudson/plugins/batch_task/BatchTaskInvoker.java
+++ b/src/main/java/hudson/plugins/batch_task/BatchTaskInvoker.java
@@ -132,6 +132,7 @@ public String getDisplayName() { return ""; }
+ @POST
 public ListBoxModel doFillTaskItems(@QueryParameter String project, @AncestorInPath AbstractProject context) {
 // when the item is not found, the user should be getting an error from elsewhere.
 ListBoxModel r = new ListBoxModel();
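Review bot: `doCancelQueue` in BatchTask.java is the only annotated handler in this file without a Javadoc; the annotation sits directly between the `BUILD_NUMBER_PATTERN` constant and the signature. A short comment would make the contract explicit, for example `/** Handles the cancel-queue request. Requires POST; access is checked by checkAbortPermission(). */`. What the method does after the permission check is outside the hunk, so the wording should be confirmed against the body.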
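Review bot: `@POST` is used on `doFillTaskItems` in BatchTaskInvoker.java, but this file's diff adds no `import org.kohsuke.stapler.verb.POST;` (the diffstat shows a single added line), whereas BatchRun.java and BatchTask.java both add it. Unless the file already imports it outside the hunk, this will not compile; add the import to the file's import block. The method takes a `project` query parameter and its body continues beyond the hunk, so it is also worth confirming that it checks a permission on `context` before listing tasks, since the annotation alone does not authorize the caller.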