From 497a143d9a95e9c937501ca329fe0dae22a0d9cd Mon Sep 17 00:00:00 2001 From: Paul-Adrian-Tofan Date: Tue, 30 Mar 2021 17:33:03 +0300 Subject: [PATCH] [SECURITY-2132] --- .../automation/tools/octane/actions/PluginActions.java | 5 +++++ .../tools/settings/AlmServerSettingsGlobalConfiguration.java | 4 ++++ .../settings/OctaneServerSettingsGlobalConfiguration.java | 4 ++++ .../tools/settings/SvServerSettingsGlobalConfiguration.java | 4 ++++ .../AlmServerSettingsGlobalConfiguration/config.jelly | 2 +- 5 files changed, 18 insertions(+), 1 deletion(-) diff --git a/src/main/java/com/microfocus/application/automation/tools/octane/actions/PluginActions.java b/src/main/java/com/microfocus/application/automation/tools/octane/actions/PluginActions.java index 7c1864550e..5b1c301d0d 100644 --- a/src/main/java/com/microfocus/application/automation/tools/octane/actions/PluginActions.java +++ b/src/main/java/com/microfocus/application/automation/tools/octane/actions/PluginActions.java @@ -35,6 +35,7 @@ import com.microfocus.application.automation.tools.octane.configuration.ConfigurationService; import hudson.Extension; import hudson.model.RootAction; +import jenkins.model.Jenkins; import net.sf.json.JSONObject; import org.apache.http.entity.ContentType; import org.kohsuke.stapler.StaplerRequest; @@ -84,6 +85,7 @@ public String getUrlName() { public void doDynamic(StaplerRequest req, StaplerResponse res) throws IOException { + Jenkins.get().checkPermission(Jenkins.READ); res.setHeader(CONTENT_TYPE, ContentType.TEXT_PLAIN.getMimeType()); res.setStatus(200); if (req.getRequestURI().toLowerCase().contains(STATUS_REQUEST)) { 
@@ -91,12 +93,15 @@ public void doDynamic(StaplerRequest req, StaplerResponse res) throws IOExceptio res.setHeader(CONTENT_TYPE, ContentType.APPLICATION_JSON.getMimeType()); res.getWriter().write(result.toString()); } else if (req.getRequestURI().toLowerCase().contains(REENQUEUE_EVENT_REQUEST)) { + Jenkins.get().checkPermission(Jenkins.ADMINISTER); reEnqueueEvent(req.getParameterMap()); res.getWriter().write("resent"); } else if (req.getRequestURI().toLowerCase().contains(CLEAR_JOB_LIST_CACHE)) { + Jenkins.get().checkPermission(Jenkins.ADMINISTER); resetJobListCache(); res.getWriter().write("done"); } else if (req.getRequestURI().toLowerCase().contains(CLEAR_OCTANE_ROOTS_CACHE)) { + Jenkins.get().checkPermission(Jenkins.ADMINISTER); resetOctaneRootsCache(); res.getWriter().write("done"); } else if (req.getRequestURI().toLowerCase().contains(OCTANE_ROOTS_CACHE)) { diff --git a/src/main/java/com/microfocus/application/automation/tools/settings/AlmServerSettingsGlobalConfiguration.java b/src/main/java/com/microfocus/application/automation/tools/settings/AlmServerSettingsGlobalConfiguration.java index c771190872..e29ae2edc4 100644 --- a/src/main/java/com/microfocus/application/automation/tools/settings/AlmServerSettingsGlobalConfiguration.java +++ b/src/main/java/com/microfocus/application/automation/tools/settings/AlmServerSettingsGlobalConfiguration.java @@ -37,12 +37,14 @@ import hudson.XmlFile; import hudson.util.FormValidation; import jenkins.model.GlobalConfiguration; +import jenkins.model.Jenkins; import net.sf.json.JSONArray; import net.sf.json.JSONObject; import org.apache.commons.lang.StringUtils; import org.apache.logging.log4j.Logger; import org.kohsuke.stapler.QueryParameter; import org.kohsuke.stapler.StaplerRequest; +import org.kohsuke.stapler.interceptor.RequirePOST; import java.io.IOException; import java.io.Serializable; 
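Review bot: The three state-changing branches (`reEnqueueEvent`, `resetJobListCache`, `resetOctaneRootsCache`) are now gated on ADMINISTER but still answer any HTTP method, so a plain GET link opened in an administrator's browser is enough to trigger them; the commit adds `@RequirePOST` to the other endpoints but cannot annotate `doDynamic` itself without breaking the read-only status and cache dumps that share it. Add a method check at the top of each mutating branch, e.g. `if (!"POST".equalsIgnoreCase(req.getMethod())) { res.sendError(405); return; }`, or fold it together with the permission check into one private helper called by the three branches. `res.setStatus(200)` is already set when `checkPermission` throws, which is harmless only because nothing has been written to the response yet; keep the checks ahead of any `getWriter().write(...)`. The body of `doDynamic` continues past the end of this hunk.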
@@ -125,7 +127,9 @@ public boolean configure(StaplerRequest req, JSONObject formData) throws FormExc return super.configure(req, formData); } + @RequirePOST public FormValidation doCheckAlmServerUrl(@QueryParameter String value) { + Jenkins.get().checkPermission(Jenkins.ADMINISTER); return checkQcServerURL(value, false); } diff --git a/src/main/java/com/microfocus/application/automation/tools/settings/OctaneServerSettingsGlobalConfiguration.java b/src/main/java/com/microfocus/application/automation/tools/settings/OctaneServerSettingsGlobalConfiguration.java index 14a093c13d..b6a0db75ea 100644 --- a/src/main/java/com/microfocus/application/automation/tools/settings/OctaneServerSettingsGlobalConfiguration.java +++ b/src/main/java/com/microfocus/application/automation/tools/settings/OctaneServerSettingsGlobalConfiguration.java @@ -48,6 +48,7 @@ import hudson.util.FormValidation; import hudson.util.Secret; import jenkins.model.GlobalConfiguration; +import jenkins.model.Jenkins; import net.sf.json.JSONArray; import net.sf.json.JSONObject; import org.apache.commons.lang.StringEscapeUtils; @@ -55,6 +56,7 @@ import org.apache.logging.log4j.Logger; import org.kohsuke.stapler.QueryParameter; import org.kohsuke.stapler.StaplerRequest; +import org.kohsuke.stapler.interceptor.RequirePOST; import java.io.Serializable; import java.util.*; @@ -347,6 +349,7 @@ private void fireOnChanged(OctaneServerSettingsModel newConf, OctaneServerSettin } } + @RequirePOST @SuppressWarnings("unused") public FormValidation doTestConnection(StaplerRequest req, @QueryParameter("uiLocation") String uiLocation, 
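Review bot: `@RequirePOST` on `doCheckAlmServerUrl` only works if the field's jelly declares `checkMethod="post"`; otherwise Jenkins sends the live validation as a GET and the field shows a permanent error. The diffstat lists a one-line change to `AlmServerSettingsGlobalConfiguration/config.jelly`, presumably for this, but that hunk's content is blank on this page, so it cannot be confirmed here. If `checkQcServerURL(value, false)` only checks syntax and never contacts the server, the POST requirement could be dropped and just the ADMINISTER check kept, which is the usual Jenkins convention for pure-format validators. A one-line Javadoc, `/** Form validation for the ALM server URL field; restricted to administrators. */`, would record why the gate is there.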
@@ -357,6 +360,7 @@ public FormValidation doTestConnection(StaplerRequest req, @QueryParameter("workspace2ImpersonatedUserConf") String workspace2ImpersonatedUserConf, @QueryParameter("parameters") String parameters ) { + Jenkins.get().checkPermission(Jenkins.ADMINISTER); String myImpersonatedUser = StringUtils.trim(impersonatedUser); String myUsername = StringUtils.trim(username); OctaneUrlParser octaneUrlParser; diff --git a/src/main/java/com/microfocus/application/automation/tools/settings/SvServerSettingsGlobalConfiguration.java b/src/main/java/com/microfocus/application/automation/tools/settings/SvServerSettingsGlobalConfiguration.java index 4594e22245..6d6e7d1b7d 100644 --- a/src/main/java/com/microfocus/application/automation/tools/settings/SvServerSettingsGlobalConfiguration.java +++ b/src/main/java/com/microfocus/application/automation/tools/settings/SvServerSettingsGlobalConfiguration.java @@ -38,10 +38,12 @@ import hudson.XmlFile; import hudson.util.FormValidation; import jenkins.model.GlobalConfiguration; +import jenkins.model.Jenkins; import net.sf.json.JSONObject; import org.apache.commons.lang.StringUtils; import org.kohsuke.stapler.QueryParameter; import org.kohsuke.stapler.StaplerRequest; +import org.kohsuke.stapler.interceptor.RequirePOST; import java.io.Serializable; import java.net.MalformedURLException; 
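Review bot: `doTestConnection` carries `@SuppressWarnings("unused")` (previous hunk) but no Javadoc, so nothing states that the endpoint is admin-only and POST-only or why; a short comment would stop the next refactor from loosening it. Suggested Javadoc: `/** Stapler endpoint behind the "Test connection" button; requires ADMINISTER and POST because it connects to an arbitrary user-supplied Octane URL with the supplied credentials. */` — the "connects to" part is inferred from the method name and parameters and should be confirmed against the body. The permission check is correctly the first statement, before any of the bound parameters are used. The method starts in the previous hunk and its body continues past this one.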
@@ -135,10 +137,12 @@ public FormValidation doCheckPassword(@QueryParameter String value, @QueryParame return FormValidation.ok(); } + @RequirePOST @SuppressWarnings("unused") public FormValidation doTestConnection(@QueryParameter("url") final String url, @QueryParameter("username") final String username, @QueryParameter("password") final String password) { try { + Jenkins.get().checkPermission(Jenkins.ADMINISTER); Credentials credentials = (!StringUtils.isBlank(username)) ? new Credentials(username, password) : null; ICommandExecutor commandExecutor = new CommandExecutorFactory().createCommandExecutor(new URL(url), credentials); ServerInfo serverInfo = commandExecutor.getClient().getServerInfo(); diff --git a/src/main/resources/com/microfocus/application/automation/tools/settings/AlmServerSettingsGlobalConfiguration/config.jelly b/src/main/resources/com/microfocus/application/automation/tools/settings/AlmServerSettingsGlobalConfiguration/config.jelly index 8d7e1efb41..d88351c89a 100644 --- a/src/main/resources/com/microfocus/application/automation/tools/settings/AlmServerSettingsGlobalConfiguration/config.jelly +++ b/src/main/resources/com/microfocus/application/automation/tools/settings/AlmServerSettingsGlobalConfiguration/config.jelly @@ -50,7 +50,7 @@ - +
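Review bot: `Jenkins.get().checkPermission(Jenkins.ADMINISTER)` is placed inside the `try` block, so if the catch clause that follows (outside this hunk) catches `Exception` or `RuntimeException`, the `AccessDeniedException` raised for a non-admin will be swallowed and reported as an ordinary connection failure instead of producing the 403/login redirect Jenkins normally generates. Move the check above `try {`, which is also where the Alm and Octane changes in this same commit put it. The hunk ends inside the `try`; the catch and the rest of `doTestConnection` are not visible here.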