[SECURITY-992] Fix for security issue
Timothy Sotack committed Mar 22, 2019
1 parent 75c7ecd commit e555f8d
Showing 4 changed files with 19 additions and 4 deletions.
6 changes: 3 additions & 3 deletions pom.xml
Expand Up @@ -5,7 +5,7 @@
<parent>
<groupId>org.jenkins-ci.plugins</groupId>
<artifactId>plugin</artifactId>
<version>2.11</version>
<version>2.33</version>
<relativePath />
</parent>
<groupId>org.jenkins-ci.plugins</groupId>
Expand All @@ -14,9 +14,9 @@
<packaging>hpi</packaging>

<properties>
<jenkins.version>1.625.3</jenkins.version>
<jenkins.version>2.121.3</jenkins.version>
<java.level>8</java.level>
<jenkins-test-harness.version>2.13</jenkins-test-harness.version>
<jenkins-test-harness.version>2.47</jenkins-test-harness.version>
<disabledTestInjection>true</disabledTestInjection>
</properties>

Expand Up @@ -8,7 +8,9 @@
import org.kohsuke.stapler.StaplerRequest;

import java.io.IOException;
import jenkins.model.Jenkins;
import org.jenkinsci.plugins.fodupload.models.FodEnums.GrantType;
import org.kohsuke.stapler.verb.POST;

@Extension
public class FodGlobalDescriptor extends GlobalConfiguration {
Expand Down Expand Up @@ -119,11 +121,13 @@ public boolean getAuthTypeIsPersonalToken()
}

@SuppressWarnings({"ThrowableResultOfMethodCallIgnored", "unused"})
@POST
public FormValidation doTestApiKeyConnection(@QueryParameter(CLIENT_ID) final String clientId,
@QueryParameter(CLIENT_SECRET) final String clientSecret,
@QueryParameter(BASE_URL) final String baseUrl,
@QueryParameter(API_URL) final String apiUrl)
{
Jenkins.get().checkPermission(Jenkins.ADMINISTER);
FodApiConnection testApi;
if (Utils.isNullOrEmpty(baseUrl))
return FormValidation.error("Fortify on Demand URL is empty!");
Expand All @@ -139,12 +143,14 @@ public FormValidation doTestApiKeyConnection(@QueryParameter(CLIENT_ID) final St

// Form validation
@SuppressWarnings({"ThrowableResultOfMethodCallIgnored", "unused"})
@POST
public FormValidation doTestPersonalAccessTokenConnection( @QueryParameter(USERNAME) final String username,
@QueryParameter(PERSONAL_ACCESS_TOKEN) final String personalAccessToken,
@QueryParameter(TENANT_ID) final String tenantId,
@QueryParameter(BASE_URL) final String baseUrl,
@QueryParameter(API_URL) final String apiUrl)
{
Jenkins.get().checkPermission(Jenkins.ADMINISTER);
FodApiConnection testApi;
if (Utils.isNullOrEmpty(baseUrl))
return FormValidation.error("Fortify on Demand URL is empty!");
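Review bot: The new `Jenkins.get().checkPermission(Jenkins.ADMINISTER)` line at the top of doTestApiKeyConnection carries no comment tying it to the issue, so a later cleanup could drop it or move it below the parameter checks; suggest `// SECURITY-992: tests connectivity with caller-supplied credentials, so require ADMINISTER and POST before reading any parameter.` directly above it, and the same above the matching check in doTestPersonalAccessTokenConnection. ADMINISTER is the right scope for a GlobalConfiguration descriptor, and `Jenkins.get()` needs core 2.98+, which the jenkins.version bump to 2.121.3 in pom.xml covers. Requiring POST also brings the CSRF crumb filter into play; if the Jelly view reaches these methods through a checkUrl rather than f:validateButton, it now needs checkMethod="post" or the call will be rejected. Both method bodies continue past the hunk.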
Expand Up @@ -26,9 +26,11 @@
import java.io.IOException;
import java.io.PrintStream;
import java.net.URISyntaxException;
import jenkins.model.Jenkins;
import org.jenkinsci.plugins.fodupload.models.AuthenticationModel;
import org.jenkinsci.plugins.fodupload.models.FodEnums;
import org.kohsuke.stapler.QueryParameter;
import org.kohsuke.stapler.verb.POST;

@SuppressWarnings("unused")
public class PollingBuildStep extends Recorder implements SimpleBuildStep {
Expand Down Expand Up @@ -206,9 +208,9 @@ public String getDisplayName() {
return "Poll Fortify on Demand for Results";
}


public FormValidation doCheckBsiToken(@QueryParameter String bsiToken)
{
Jenkins.get().checkPermission(Jenkins.ADMINISTER);
if(bsiToken != null && !bsiToken.isEmpty() ){
BsiTokenParser tokenParser = new BsiTokenParser();
try{
Expand Down Expand Up @@ -246,10 +248,12 @@ public FormValidation doCheckPollingInterval(@QueryParameter String pollingInter
// Form validation
@SuppressWarnings({"ThrowableResultOfMethodCallIgnored", "unused"})
@SuppressFBWarnings("NP_NULL_ON_SOME_PATH_FROM_RETURN_VALUE")
@POST
public FormValidation doTestPersonalAccessTokenConnection( @QueryParameter(USERNAME) final String username,
@QueryParameter(PERSONAL_ACCESS_TOKEN) final String personalAccessToken,
@QueryParameter(TENANT_ID) final String tenantId)
{
Jenkins.get().checkPermission(Jenkins.ADMINISTER);
FodApiConnection testApi;
String baseUrl = GlobalConfiguration.all().get(FodGlobalDescriptor.class).getBaseUrl();
String apiUrl = GlobalConfiguration.all().get(FodGlobalDescriptor.class).getApiUrl();
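Review bot: `Jenkins.get().checkPermission(Jenkins.ADMINISTER)` in doCheckBsiToken and doTestPersonalAccessTokenConnection gates a per-job form (this descriptor belongs to a build step, judging by the getDisplayName context) on the global ADMINISTER permission, so a user who holds Item.CONFIGURE on the job but is not an administrator will presumably get an access-denied response from the job configuration page rather than validation feedback. The usual pattern for descriptor-level validation is to check against the item being edited: add `@AncestorInPath Item item` to each signature and replace the added line with `if (item == null) { Jenkins.get().checkPermission(Jenkins.ADMINISTER); } else { item.checkPermission(Item.CONFIGURE); }` (importing hudson.model.Item and org.kohsuke.stapler.AncestorInPath), which keeps the admin check when no job context is present. The same applies to the two matching hunks in the fourth file, whose class name is not visible here. Unless only administrators are meant to edit these jobs, this is worth confirming with a non-admin account before release. Both method bodies continue past the hunk.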
Expand Up @@ -33,8 +33,10 @@
import java.io.PrintStream;
import java.io.UnsupportedEncodingException;
import java.net.URISyntaxException;
import jenkins.model.Jenkins;
import org.jenkinsci.plugins.fodupload.models.AuthenticationModel;
import org.kohsuke.stapler.QueryParameter;
import org.kohsuke.stapler.verb.POST;


@SuppressWarnings("unused")
Expand Down Expand Up @@ -226,6 +228,7 @@ public boolean isApplicable(Class<? extends AbstractProject> aClass) {

public FormValidation doCheckBsiToken(@QueryParameter String bsiToken)
{
Jenkins.get().checkPermission(Jenkins.ADMINISTER);
if(bsiToken != null && !bsiToken.isEmpty() ){
BsiTokenParser tokenParser = new BsiTokenParser();
try{
Expand All @@ -252,10 +255,12 @@ public String getDisplayName() {
// Form validation
@SuppressWarnings({"ThrowableResultOfMethodCallIgnored", "unused"})
@SuppressFBWarnings("NP_NULL_ON_SOME_PATH_FROM_RETURN_VALUE")
@POST
public FormValidation doTestPersonalAccessTokenConnection( @QueryParameter(USERNAME) final String username,
@QueryParameter(PERSONAL_ACCESS_TOKEN) final String personalAccessToken,
@QueryParameter(TENANT_ID) final String tenantId)
{
Jenkins.get().checkPermission(Jenkins.ADMINISTER);
FodApiConnection testApi;
String baseUrl = GlobalConfiguration.all().get(FodGlobalDescriptor.class).getBaseUrl();
String apiUrl = GlobalConfiguration.all().get(FodGlobalDescriptor.class).getApiUrl();
