[SECURITY-2132]
Paul-Adrian-Tofan committed Mar 30, 2021
1 parent 9f73372 commit 497a143
Showing 5 changed files with 18 additions and 1 deletion.
Expand Up @@ -35,6 +35,7 @@
import com.microfocus.application.automation.tools.octane.configuration.ConfigurationService;
import hudson.Extension;
import hudson.model.RootAction;
import jenkins.model.Jenkins;
import net.sf.json.JSONObject;
import org.apache.http.entity.ContentType;
import org.kohsuke.stapler.StaplerRequest;
Expand Down Expand Up @@ -84,19 +85,23 @@ public String getUrlName() {

public void doDynamic(StaplerRequest req, StaplerResponse res) throws IOException {

Jenkins.get().checkPermission(Jenkins.READ);
res.setHeader(CONTENT_TYPE, ContentType.TEXT_PLAIN.getMimeType());
res.setStatus(200);
if (req.getRequestURI().toLowerCase().contains(STATUS_REQUEST)) {
JSONObject result = getStatusResult(req.getParameterMap());
res.setHeader(CONTENT_TYPE, ContentType.APPLICATION_JSON.getMimeType());
res.getWriter().write(result.toString());
} else if (req.getRequestURI().toLowerCase().contains(REENQUEUE_EVENT_REQUEST)) {
Jenkins.get().checkPermission(Jenkins.ADMINISTER);
reEnqueueEvent(req.getParameterMap());
res.getWriter().write("resent");
} else if (req.getRequestURI().toLowerCase().contains(CLEAR_JOB_LIST_CACHE)) {
Jenkins.get().checkPermission(Jenkins.ADMINISTER);
resetJobListCache();
res.getWriter().write("done");
} else if (req.getRequestURI().toLowerCase().contains(CLEAR_OCTANE_ROOTS_CACHE)) {
Jenkins.get().checkPermission(Jenkins.ADMINISTER);
resetOctaneRootsCache();
res.getWriter().write("done");
} else if (req.getRequestURI().toLowerCase().contains(OCTANE_ROOTS_CACHE)) {
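Review bot: The three branches that now check ADMINISTER (the REENQUEUE_EVENT_REQUEST, CLEAR_JOB_LIST_CACHE and CLEAR_OCTANE_ROOTS_CACHE cases) still execute on a plain GET, so an administrator lured to a page that embeds one of these URLs can still be made to re-enqueue an event or drop the caches; a permission check on its own does not stop cross-site request forgery. The form-validation methods elsewhere in this commit get `@RequirePOST`, but that annotation cannot go on `doDynamic` without breaking the read-only status branch, so the HTTP method has to be checked per branch, as sketched below. Whether these three helpers actually mutate state is inferred from their names; if one is read-only the guard can be dropped there. `doDynamic` continues past the end of this hunk and its remaining branches should be reviewed the same way.

```java
    // State-changing sub-commands are rejected on anything but POST so that a
    // link or image tag on an attacker's page cannot trigger them in an
    // administrator's browser (CSRF); the permission check alone does not cover that.
    private static boolean requirePost(StaplerRequest req, StaplerResponse res) throws IOException {
        if ("POST".equalsIgnoreCase(req.getMethod())) {
            return true;
        }
        res.sendError(405, "POST required");
        return false;
    }

    public void doDynamic(StaplerRequest req, StaplerResponse res) throws IOException {
        Jenkins.get().checkPermission(Jenkins.READ);
        // … unchanged: content type, status and the STATUS_REQUEST branch …
        } else if (req.getRequestURI().toLowerCase().contains(REENQUEUE_EVENT_REQUEST)) {
            Jenkins.get().checkPermission(Jenkins.ADMINISTER);
            if (!requirePost(req, res)) {
                return;
            }
            reEnqueueEvent(req.getParameterMap());
            res.getWriter().write("resent");
        } else if (req.getRequestURI().toLowerCase().contains(CLEAR_JOB_LIST_CACHE)) {
            Jenkins.get().checkPermission(Jenkins.ADMINISTER);
            if (!requirePost(req, res)) {
                return;
            }
            resetJobListCache();
            res.getWriter().write("done");
        } else if (req.getRequestURI().toLowerCase().contains(CLEAR_OCTANE_ROOTS_CACHE)) {
            Jenkins.get().checkPermission(Jenkins.ADMINISTER);
            if (!requirePost(req, res)) {
                return;
            }
            resetOctaneRootsCache();
            res.getWriter().write("done");
        // … unchanged: remaining read-only branches …
```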
Expand Up @@ -37,12 +37,14 @@
import hudson.XmlFile;
import hudson.util.FormValidation;
import jenkins.model.GlobalConfiguration;
import jenkins.model.Jenkins;
import net.sf.json.JSONArray;
import net.sf.json.JSONObject;
import org.apache.commons.lang.StringUtils;
import org.apache.logging.log4j.Logger;
import org.kohsuke.stapler.QueryParameter;
import org.kohsuke.stapler.StaplerRequest;
import org.kohsuke.stapler.interceptor.RequirePOST;

import java.io.IOException;
import java.io.Serializable;
Expand Down Expand Up @@ -125,7 +127,9 @@ public boolean configure(StaplerRequest req, JSONObject formData) throws FormExc
return super.configure(req, formData);
}

@RequirePOST
public FormValidation doCheckAlmServerUrl(@QueryParameter String value) {
Jenkins.get().checkPermission(Jenkins.ADMINISTER);
return checkQcServerURL(value, false);
}

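Review bot: `doCheckAlmServerUrl` now demands POST and ADMINISTER but nothing records why, and a later maintainer who sees a form validator answering 405 is likely to strip the annotation as noise. A one-line comment above it, `// POST + ADMINISTER (SECURITY-2132): this validator receives a caller-supplied URL; it must not be reachable by unauthenticated GET`, preserves the intent. Whether `checkQcServerURL` actually opens a connection to that URL is not visible in this hunk, so confirm that before wording the comment as an SSRF guard. The jelly field for this value switches to `checkMethod="post"` in the same commit, and the comment can note that the two must stay in step.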
Expand Up @@ -48,13 +48,15 @@
import hudson.util.FormValidation;
import hudson.util.Secret;
import jenkins.model.GlobalConfiguration;
import jenkins.model.Jenkins;
import net.sf.json.JSONArray;
import net.sf.json.JSONObject;
import org.apache.commons.lang.StringEscapeUtils;
import org.apache.commons.lang.StringUtils;
import org.apache.logging.log4j.Logger;
import org.kohsuke.stapler.QueryParameter;
import org.kohsuke.stapler.StaplerRequest;
import org.kohsuke.stapler.interceptor.RequirePOST;

import java.io.Serializable;
import java.util.*;
Expand Down Expand Up @@ -347,6 +349,7 @@ private void fireOnChanged(OctaneServerSettingsModel newConf, OctaneServerSettin
}
}

@RequirePOST
@SuppressWarnings("unused")
public FormValidation doTestConnection(StaplerRequest req,
@QueryParameter("uiLocation") String uiLocation,
Expand All @@ -357,6 +360,7 @@ public FormValidation doTestConnection(StaplerRequest req,
@QueryParameter("workspace2ImpersonatedUserConf") String workspace2ImpersonatedUserConf,
@QueryParameter("parameters") String parameters
) {
Jenkins.get().checkPermission(Jenkins.ADMINISTER);
String myImpersonatedUser = StringUtils.trim(impersonatedUser);
String myUsername = StringUtils.trim(username);
OctaneUrlParser octaneUrlParser;
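Review bot: The new `Jenkins.get().checkPermission(Jenkins.ADMINISTER)` is correctly the first statement of `doTestConnection`, but it is undocumented in a method that accepts a caller-supplied `uiLocation`, `username`, `impersonatedUser` and `parameters` and presumably connects to that location with them. Suggest a comment directly above it, `// Admin-only and POST-only (SECURITY-2132): this test connects to the caller-supplied uiLocation with the submitted credentials`, adjusted if the connection is made elsewhere. The parameter list is split across the two hunks and the body that uses these values lies outside them, so the wording should be checked against the full method.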
Expand Up @@ -38,10 +38,12 @@
import hudson.XmlFile;
import hudson.util.FormValidation;
import jenkins.model.GlobalConfiguration;
import jenkins.model.Jenkins;
import net.sf.json.JSONObject;
import org.apache.commons.lang.StringUtils;
import org.kohsuke.stapler.QueryParameter;
import org.kohsuke.stapler.StaplerRequest;
import org.kohsuke.stapler.interceptor.RequirePOST;

import java.io.Serializable;
import java.net.MalformedURLException;
Expand Down Expand Up @@ -135,10 +137,12 @@ public FormValidation doCheckPassword(@QueryParameter String value, @QueryParame
return FormValidation.ok();
}

@RequirePOST
@SuppressWarnings("unused")
public FormValidation doTestConnection(@QueryParameter("url") final String url, @QueryParameter("username") final String username,
@QueryParameter("password") final String password) {
try {
Jenkins.get().checkPermission(Jenkins.ADMINISTER);
Credentials credentials = (!StringUtils.isBlank(username)) ? new Credentials(username, password) : null;
ICommandExecutor commandExecutor = new CommandExecutorFactory().createCommandExecutor(new URL(url), credentials);
ServerInfo serverInfo = commandExecutor.getClient().getServerInfo();
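Review bot: The permission check in this `doTestConnection` is placed inside the `try`, whose `catch` clauses are outside the hunk; if one of them is a broad `catch (Exception e)` that turns failures into `FormValidation.error(...)`, the `AccessDeniedException` thrown by `checkPermission` becomes an ordinary validation message (exposing the exception text) instead of the 403/login response Stapler would otherwise produce. Moving the check to be the first statement before the `try`, i.e. `Jenkins.get().checkPermission(Jenkins.ADMINISTER);` followed by `try {`, keeps authorization failures out of the error-reporting path and matches where the other `doTestConnection` in this commit puts it. `@RequirePOST` plus ADMINISTER is the right pair here, since the method takes a raw `password` query parameter and builds a client against a caller-supplied `url`.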
Expand Up @@ -50,7 +50,7 @@
</f:entry>

<f:entry title="${%ALM server URL}" field="almServerUrl">
<f:textbox value="${inst.almServerUrl}" name="alm.almServerUrl" />
<f:textbox value="${inst.almServerUrl}" name="alm.almServerUrl" checkMethod="post" />
</f:entry>

<f:entry>
