[SECURITY-3088]

src/main/java/hudson/plugins/emailext/EmailExtTemplateAction.java

@@ -6,6 +6,7 @@
 import hudson.model.AbstractBuild;
 import hudson.model.AbstractProject;
 import hudson.model.Action;
+import hudson.model.Item;
 import hudson.plugins.emailext.plugins.content.AbstractEvalContent;
 import hudson.plugins.emailext.plugins.content.JellyScriptContent;
 import hudson.plugins.emailext.plugins.content.ScriptContent;
@@ -59,10 +60,20 @@ private String renderError(Exception ex) {
                 + "</span>";
     }
 
+    @SuppressWarnings("lgtm[jenkins/csrf]")
     public FormValidation doTemplateFileCheck(@QueryParameter final String value) {
+        // See src/main/resources/hudson/plugins/emailext/EmailExtTemplateAction/{index,action}.groovy
+        if (Jenkins.get()
+                .getDescriptorByType(ExtendedEmailPublisherDescriptor.class)
+                .isAdminRequiredForTemplateTesting()) {
+            Jenkins.get().checkPermission(Jenkins.MANAGE);
+        } else {
+            project.checkPermission(Item.CONFIGURE);
+        }
+
         if (!StringUtils.isEmpty(value)) {
             if (value.startsWith("managed:")) {
-                return checkForManagedFile(value);
+                return checkForManagedFile(StringUtils.removeStart(value, "managed:"));
             } else {
                 // first check in the default resources area...
                 InputStream inputStream = Thread.currentThread()

src/main/java/hudson/plugins/emailext/ExtendedEmailPublisher.java

@@ -683,6 +683,7 @@ private void executePostsendScript(
         executeScript(postsendScript, "post-send", context, msg, session, transport);
     }
 
+    @SuppressWarnings("lgtm[jenkins/unsafe-classes]")
     private boolean executeScript(
             String rawScript,
             String scriptName,

src/main/java/hudson/plugins/emailext/ExtendedEmailPublisherDescriptor.java

@@ -509,6 +509,7 @@ public void setDefaultContentType(String contentType) {
         }
     }
 
+    @SuppressWarnings({"lgtm[jenkins/csrf]", "lgtm[jenkins/no-permission-check]"})
     public FormValidation doCheckDefaultSuffix(@QueryParameter String value) {
         if (value.matches("@[A-Za-z0-9.\\-]+") || Util.fixEmptyAndTrim(value) == null) {
             return FormValidation.ok();
@@ -781,7 +782,7 @@ public void setDefaultTriggerIds(List<String> triggerIds) {
         defaultTriggerIds = triggerIds;
     }
 
-    @SuppressWarnings("unused")
+    @SuppressWarnings({"lgtm[jenkins/csrf]", "lgtm[jenkins/no-permission-check]", "unused"})
     public ListBoxModel doFillDefaultContentTypeItems() {
         ListBoxModel items = new ListBoxModel();
         items.add(Messages.contentType_plainText(), "text/plain");
@@ -808,6 +809,7 @@ public String getHelpFile() {
         return "/plugin/email-ext/help/main.html";
     }
 
+    @SuppressWarnings({"lgtm[jenkins/csrf]", "lgtm[jenkins/no-permission-check]"})
     public FormValidation doAddressCheck(@QueryParameter final String value) {
         try {
             new InternetAddress(value);
@@ -817,10 +819,12 @@ public FormValidation doAddressCheck(@QueryParameter final String value) {
         }
     }
 
+    @SuppressWarnings({"lgtm[jenkins/csrf]", "lgtm[jenkins/no-permission-check]"})
     public FormValidation doRecipientListRecipientsCheck(@QueryParameter final String value) {
         return new EmailRecipientUtils().validateFormRecipientList(value);
     }
 
+    @SuppressWarnings({"lgtm[jenkins/csrf]", "lgtm[jenkins/no-permission-check]"})
     public FormValidation doMaxAttachmentSizeCheck(@QueryParameter final String value) {
         try {
             String testValue = value.trim();

src/main/java/hudson/plugins/emailext/MailAccount.java

@@ -104,7 +104,7 @@ public String getDisplayName() {
             return "";
         }
 
-        @SuppressWarnings("unused") // Used by stapler
+        @SuppressWarnings({"lgtm[jenkins/csrf]", "unused"}) // Used by stapler
         public ListBoxModel doFillCredentialsIdItems(@AncestorInPath Item item, @QueryParameter String credentialsId) {
 
             final StandardListBoxModel result = new StandardListBoxModel();
@@ -127,6 +127,7 @@ public ListBoxModel doFillCredentialsIdItems(@AncestorInPath Item item, @QueryPa
                     .includeCurrentValue(credentialsId);
         }
 
+        @SuppressWarnings("lgtm[jenkins/csrf]")
         public FormValidation doCheckCredentialsId(@AncestorInPath Item item, @QueryParameter String value) {
             if (item == null) {
                 if (!Jenkins.get().hasPermission(Jenkins.ADMINISTER)) {

src/main/java/hudson/plugins/emailext/groovy/sandbox/SimpleTemplateEngine.java

@@ -121,6 +121,7 @@ public class SimpleTemplateEngine extends TemplateEngine {
     protected final GroovyShell groovyShell;
     private final boolean sandbox;
 
+    @SuppressWarnings("lgtm[jenkins/unsafe-classes]")
     public SimpleTemplateEngine(GroovyShell groovyShell, boolean sandbox) {
         this.groovyShell = groovyShell;
         this.sandbox = sandbox;
@@ -137,6 +138,7 @@ public Template createTemplate(Reader reader, String fileName) throws Compilatio
         return template;
     }
 
+    @SuppressWarnings("lgtm[jenkins/unsafe-classes]")
     protected Script parseScript(Reader reader, String fileName) throws CompilationFailedException, IOException {
         String script = parse(reader);
         if (LOGGER.isLoggable(Level.FINE)) {

src/main/java/hudson/plugins/emailext/plugins/content/ScriptContent.java

@@ -117,6 +117,7 @@ protected Class<? extends ConfigProvider> getProviderClass() {
      * @param templateStream the template file stream
      * @return the rendered template content
      */
+    @SuppressWarnings("lgtm[jenkins/unsafe-classes]")
     private String renderTemplate(
             Run<?, ?> build, FilePath workspace, TaskListener listener, InputStream templateStream) {
 
@@ -200,6 +201,7 @@ private String renderTemplate(
      * @param scriptStream the script input stream
      * @return a String containing the toString of the last item in the script
      */
+    @SuppressWarnings("lgtm[jenkins/unsafe-classes]")
     private String executeScript(Run<?, ?> build, FilePath workspace, TaskListener listener, InputStream scriptStream)
             throws IOException {
         String result = "";
@@ -262,6 +264,7 @@ private String executeScript(Run<?, ?> build, FilePath workspace, TaskListener l
      * @param variables user variables to be added to the Groovy context
      * @return a GroovyShell instance
      */
+    @SuppressWarnings("lgtm[jenkins/unsafe-classes]")
     private GroovyShell createEngine(
             ExtendedEmailPublisherDescriptor descriptor, Map<String, Object> variables, boolean secure) {
 

src/main/java/hudson/plugins/emailext/plugins/trigger/AbstractScriptTrigger.java

@@ -164,6 +164,7 @@ public boolean trigger(AbstractBuild<?, ?> build, TaskListener listener) {
         return result;
     }
 
+    @SuppressWarnings("lgtm[jenkins/unsafe-classes]")
     private Object evaluate(AbstractBuild<?, ?> build, TaskListener listener) throws IOException {
         ClassLoader loader = Jenkins.get().getPluginManager().uberClassLoader;
         JenkinsLocationConfiguration configuration = JenkinsLocationConfiguration.get();

src/main/java/hudson/plugins/emailext/watching/EmailExtWatchAction.java

@@ -4,9 +4,11 @@
 import hudson.Extension;
 import hudson.model.AbstractProject;
 import hudson.model.Action;
+import hudson.model.Item;
 import hudson.model.User;
 import hudson.model.UserPropertyDescriptor;
 import hudson.plugins.emailext.ExtendedEmailPublisher;
+import hudson.plugins.emailext.ExtendedEmailPublisherDescriptor;
 import hudson.plugins.emailext.plugins.EmailTrigger;
 import hudson.tasks.Mailer;
 import hudson.tasks.Publisher;
@@ -15,11 +17,13 @@
 import java.util.Collections;
 import java.util.List;
 import javax.servlet.ServletException;
+import jenkins.model.Jenkins;
 import net.sf.json.JSONObject;
 import org.kohsuke.stapler.StaplerRequest;
 import org.kohsuke.stapler.StaplerResponse;
 import org.kohsuke.stapler.export.Exported;
 import org.kohsuke.stapler.interceptor.RequirePOST;
+import org.kohsuke.stapler.verb.POST;
 
 /**
  *
@@ -149,9 +153,16 @@ public ExtendedEmailPublisher getPublisher() {
         return p;
     }
 
+    @POST
     public void doStopWatching(StaplerRequest req, StaplerResponse rsp) throws IOException {
+        // See src/main/resources/hudson/plugins/emailext/watching/EmailExtWatchAction/{index,jobMain}.groovy
         User user = User.current();
-        if (user != null) {
+        if (user != null
+                && Jenkins.get()
+                        .getDescriptorByType(ExtendedEmailPublisherDescriptor.class)
+                        .isWatchingEnabled()) {
+            project.checkPermission(Item.READ);
+
             stopWatching();
             for (hudson.model.UserProperty property : user.getAllProperties()) {
                 if (property instanceof EmailExtWatchAction.UserProperty) {
@@ -165,8 +176,14 @@ public void doStopWatching(StaplerRequest req, StaplerResponse rsp) throws IOExc
 
     @RequirePOST
     public void doConfigSubmit(StaplerRequest req, StaplerResponse rsp) throws IOException, ServletException {
+        // See src/main/resources/hudson/plugins/emailext/watching/EmailExtWatchAction/{index,jobMain}.groovy
         User user = User.current();
-        if (user != null) {
+        if (user != null
+                && Jenkins.get()
+                        .getDescriptorByType(ExtendedEmailPublisherDescriptor.class)
+                        .isWatchingEnabled()) {
+            project.checkPermission(Item.READ);
+
             Object json = req.getSubmittedForm().get("triggers");
             List<EmailTrigger> triggers = req.bindJSONToList(EmailTrigger.class, json);