SECURITY-2137

jenkinsci · Jan 16, 2023 · 691d76f · 691d76f
1 parent 73c5e81
commit 691d76f
Show file tree

Hide file tree

Showing 8 changed files with 53 additions and 7 deletions.
diff --git a/src/main/java/com/sonyericsson/hudson/plugins/gerrit/trigger/GerritManagement.java b/src/main/java/com/sonyericsson/hudson/plugins/gerrit/trigger/GerritManagement.java
@@ -168,6 +168,7 @@ public static DescriptorExtensionList<GerritServer, GerritServer.DescriptorImpl>
          * @return the list of server names, depending on the current value in the textbox.
          */
         public AutoCompletionCandidates doAutoCompleteCopyNewItemFrom(@QueryParameter final String value) {
+            Jenkins.get().checkPermission(Jenkins.ADMINISTER);
             final AutoCompletionCandidates r = new AutoCompletionCandidates();
 
             PluginImpl plugin = PluginImpl.getInstance();

diff --git a/...com/sonyericsson/hudson/plugins/gerrit/trigger/hudsontrigger/GerritTriggerDescriptor.java b/...com/sonyericsson/hudson/plugins/gerrit/trigger/hudsontrigger/GerritTriggerDescriptor.java
@@ -171,9 +171,15 @@ public FormValidation doCheckDependencyJobsNames(@AncestorInPath Item project, @
     /**
      * Fill the server dropdown with the list of servers configured globally.
      *
+     * @param project the current project.
      * @return list of servers.
      */
-    public ListBoxModel doFillServerNameItems() {
+    public ListBoxModel doFillServerNameItems(@AncestorInPath Item project) {
+        if (project == null) {
+            Jenkins.get().checkPermission(Jenkins.ADMINISTER);
+        } else {
+            project.checkPermission(Item.CONFIGURE);
+        }
         ListBoxModel items = new ListBoxModel();
         items.add(Messages.AnyServer(), ANY_SERVER);
         List<String> serverNames = PluginImpl.getServerNames_();

diff --git a/...com/sonyericsson/hudson/plugins/gerrit/trigger/hudsontrigger/actions/RetriggerAction.java b/...com/sonyericsson/hudson/plugins/gerrit/trigger/hudsontrigger/actions/RetriggerAction.java
@@ -32,8 +32,12 @@
 import com.sonyericsson.hudson.plugins.gerrit.trigger.hudsontrigger.data.TriggeredItemEntity;
 import hudson.model.Action;
 import java.io.IOException;
+
+import org.kohsuke.accmod.Restricted;
+import org.kohsuke.accmod.restrictions.NoExternalUse;
 import org.kohsuke.stapler.StaplerRequest;
 import org.kohsuke.stapler.StaplerResponse;
+import org.kohsuke.stapler.verb.POST;
 
 import static com.sonyericsson.hudson.plugins.gerrit.trigger.utils.StringUtil.getPluginImageUrl;
 
@@ -108,7 +112,8 @@ private boolean isBuilding() {
      * checks if the current user has permission to build/retrigger the project.
      * @return true if so.
      */
-    private boolean hasPermission() {
+    @Restricted(NoExternalUse.class)
+    public boolean hasPermission() {
         if (context == null || context.getThisBuild() == null || context.getThisBuild().getProject() == null) {
             return false;
         } else {
@@ -122,6 +127,7 @@ private boolean hasPermission() {
      * @param response StaplerResponse the response handler.
      * @throws IOException in case of Stapler issues
      */
+    @POST
     public void doIndex(StaplerRequest request, StaplerResponse response) throws IOException {
 
         if (context == null || context.getThisBuild() == null) {

diff --git a/.../sonyericsson/hudson/plugins/gerrit/trigger/hudsontrigger/actions/RetriggerAllAction.java b/.../sonyericsson/hudson/plugins/gerrit/trigger/hudsontrigger/actions/RetriggerAllAction.java
@@ -35,8 +35,11 @@
 import java.io.IOException;
 
 import hudson.model.Job;
+import org.kohsuke.accmod.Restricted;
+import org.kohsuke.accmod.restrictions.NoExternalUse;
 import org.kohsuke.stapler.StaplerRequest;
 import org.kohsuke.stapler.StaplerResponse;
+import org.kohsuke.stapler.verb.POST;
 
 import static com.sonyericsson.hudson.plugins.gerrit.trigger.utils.StringUtil.getPluginImageUrl;
 
@@ -95,7 +98,8 @@ public String getUrlName() {
      * It does a null check on the context before calling.
      * @return true if there are any other builds in the context.
      */
-    private boolean hasOthers() {
+    @Restricted(NoExternalUse.class)
+    public boolean hasOthers() {
         if (context != null) {
             return context.hasOthers();
         } else {
@@ -125,7 +129,8 @@ private boolean isBuilding() {
      * checks if the current user has permission to build/retrigger this and the other projects.
      * @return true if so.
      */
-    private boolean hasPermission() {
+    @Restricted(NoExternalUse.class)
+    public boolean hasPermission() {
         if (context == null || context.getThisBuild() == null || context.getThisBuild().getProject() == null) {
             return false;
         }
@@ -147,6 +152,7 @@ private boolean hasPermission() {
      * @param response StaplerResponse the response handler.
      * @throws IOException in case of Stapler issues
      */
+    @POST
     public void doIndex(StaplerRequest request, StaplerResponse response) throws IOException {
 
         if (context == null || context.getThisBuild() == null) {

diff --git a/...csson/hudson/plugins/gerrit/trigger/hudsontrigger/actions/manual/ManualTriggerAction.java b/...csson/hudson/plugins/gerrit/trigger/hudsontrigger/actions/manual/ManualTriggerAction.java
@@ -49,6 +49,7 @@
 import org.kohsuke.stapler.QueryParameter;
 import org.kohsuke.stapler.StaplerRequest;
 import org.kohsuke.stapler.StaplerResponse;
+import org.kohsuke.stapler.verb.POST;
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
 
@@ -306,11 +307,11 @@ public String toReadableHtml(String subject) {
      */
     @SuppressWarnings("unused")
     //Called from jelly
+    @POST
     public void doGerritSearch(@QueryParameter("queryString") final String queryString,
         @QueryParameter("selectedServer") final String selectedServer,
         @QueryParameter("allPatchSets") final boolean allPatchSets, StaplerRequest request,
                                StaplerResponse response) throws IOException {
-
         HttpSession session = request.getSession();
         // Create session if nothing.
         if (session == null) {
@@ -368,9 +369,9 @@ public void doGerritSearch(@QueryParameter("queryString") final String queryStri
      */
     @SuppressWarnings("unused")
     //Called from jelly
+    @POST
     public void doBuild(@QueryParameter("selectedIds") String selectedIds, StaplerRequest request,
                         StaplerResponse response) throws IOException {
-
         HttpSession session = request.getSession();
         if (session == null) {
             logger.debug("Session alreay closed.");

diff --git a/...java/com/sonyericsson/hudson/plugins/gerrit/trigger/hudsontrigger/data/GerritProject.java b/...java/com/sonyericsson/hudson/plugins/gerrit/trigger/hudsontrigger/data/GerritProject.java
@@ -29,6 +29,7 @@
 import hudson.RelativePath;
 import hudson.model.Describable;
 import hudson.model.Descriptor;
+import hudson.model.Item;
 import hudson.util.ComboBoxModel;
 
 import java.util.ArrayList;
@@ -39,6 +40,7 @@
 import java.util.function.Supplier;
 
 import jenkins.model.Jenkins;
+import org.kohsuke.stapler.AncestorInPath;
 import org.kohsuke.stapler.DataBoundConstructor;
 import org.kohsuke.stapler.QueryParameter;
 
@@ -326,11 +328,17 @@ public static final class DescriptorImpl extends Descriptor<GerritProject> {
          * Used to fill the project pattern combobox with AJAX.
          * The filled values will depend on the server that the user has chosen from the dropdown.
          *
+         * @param project the current project.
          * @param serverName the name of the server that the user has chosen.
          * @return ComboBoxModels containing a list of all Gerrit Projects found on that server.
          */
-        public ComboBoxModel doFillPatternItems(@QueryParameter("serverName")
+        public ComboBoxModel doFillPatternItems(@AncestorInPath Item project, @QueryParameter("serverName")
                 @RelativePath("..") final String serverName) {
+            if (project == null) {
+                Jenkins.get().checkPermission(Jenkins.ADMINISTER);
+            } else {
+                project.checkPermission(Item.CONFIGURE);
+            }
             Collection<String> projects = new HashSet<String>();
 
             if (serverName != null && !serverName.isEmpty()) {

diff --git a/...ericsson/hudson/plugins/gerrit/trigger/hudsontrigger/actions/RetriggerAction/action.jelly b/...ericsson/hudson/plugins/gerrit/trigger/hudsontrigger/actions/RetriggerAction/action.jelly
@@ -0,0 +1,9 @@
+<?jelly escape-by-default='true'?>
+<j:jelly xmlns:j="jelly:core" xmlns:l="/lib/layout">
+    <j:if test="${action.hasPermission()}">
+        <l:task icon="${action.iconFileName}" title="${action.displayName}"
+                href="${rootURL}/${it.url}${action.urlName}/index"
+                post="true"
+        />
+    </j:if>
+</j:jelly>
diff --git a/...csson/hudson/plugins/gerrit/trigger/hudsontrigger/actions/RetriggerAllAction/action.jelly b/...csson/hudson/plugins/gerrit/trigger/hudsontrigger/actions/RetriggerAllAction/action.jelly
@@ -0,0 +1,9 @@
+<?jelly escape-by-default='true'?>
+<j:jelly xmlns:j="jelly:core" xmlns:l="/lib/layout" xmlns:st="jelly:stapler">
+    <j:if test="${action.hasPermission() &amp;&amp; action.hasOthers()}">
+        <l:task icon="${action.iconFileName}" title="${action.displayName}"
+                href="${rootURL}/${it.url}${action.urlName}/index"
+                post="true"
+        />
+    </j:if>
+</j:jelly>