[SECURITY-529] Fix CSRF vulnerability

src/main/java/org/jenkinsci/plugins/pollscm/PollNowAction.java

@@ -1,7 +1,7 @@
 /*
  * The MIT License
  * 
- * Copyright (c) 2012-2013, Vincent Latombe
+ * Copyright (c) 2012-2017, Vincent Latombe
  * 
  * Permission is hereby granted, free of charge, to any person obtaining a copy
  * of this software and associated documentation files (the "Software"), to deal
@@ -24,12 +24,24 @@
 package org.jenkinsci.plugins.pollscm;
 
 
+import java.io.IOException;
+
+import javax.servlet.ServletException;
+
+import org.kohsuke.accmod.Restricted;
+import org.kohsuke.accmod.restrictions.NoExternalUse;
+import org.kohsuke.stapler.StaplerRequest;
+import org.kohsuke.stapler.StaplerResponse;
+import org.kohsuke.stapler.interceptor.RequirePOST;
+
 import hudson.Extension;
 import hudson.model.Action;
 import hudson.model.Item;
+import hudson.security.ACL;
 import hudson.security.Permission;
 import hudson.security.PermissionScope;
 import hudson.triggers.Trigger;
+import jenkins.model.Jenkins;
 import jenkins.model.TransientActionFactory;
 import jenkins.triggers.SCMTriggerItem;
 
@@ -54,7 +66,16 @@ public SCMTriggerItem getOwner() {
     }
 
     public String getIconFileName() {
-        return "/plugin/pollscm/images/24x24/clipboard-play.png";
+        return getACL().hasPermission(POLL) ? "/plugin/pollscm/images/24x24/clipboard-play.png" : null;
+    }
+
+    private ACL getACL() {
+        Jenkins j = Jenkins.getInstance();
+        if (j == null) {
+            throw new IllegalStateException("Jenkins is null");
+        } else {
+            return j.getACL();
+        }
     }
 
     public String getDisplayName() {
@@ -65,6 +86,22 @@ public String getUrlName() {
         return "poll";
     }
 
+    /**
+     * Schedules a new SCM polling command.
+     */
+    @RequirePOST
+    @Restricted(NoExternalUse.class)
+    public void doPolling(StaplerRequest req, StaplerResponse rsp ) throws IOException, ServletException {
+        getACL().checkPermission(POLL);
+        Trigger trigger = getTrigger();
+        if (trigger != null) {
+            trigger.run();
+        } else {
+            throw new IllegalStateException("Trigger is null");
+        }
+        rsp.sendRedirect(".");
+    }
+
     @Extension
     public static class TransientProjectActionFactoryImpl extends TransientActionFactory<SCMTriggerItem> {
 

src/main/resources/org/jenkinsci/plugins/pollscm/PollNowAction/action.jelly

@@ -1,7 +1,7 @@
 <!--
 The MIT License
 
-Copyright (c) 2012, Vincent Latombe
+Copyright (c) 2012-2017, Vincent Latombe
 
 Permission is hereby granted, free of charge, to any person obtaining a copy
 of this software and associated documentation files (the "Software"), to deal
@@ -27,10 +27,17 @@ THE SOFTWARE.
 -->
 <?jelly escape-by-default='true'?>
 <j:jelly xmlns:j="jelly:core" xmlns:st="jelly:stapler" xmlns:d="jelly:define" xmlns:l="/lib/layout" xmlns:t="/lib/hudson" xmlns:f="/lib/form">
-  <j:if test="${h.hasPermission(it,action.POLL)}">
-    <j:if test="${action.iconFileName!=null}">
-      <l:task icon="${h.getIconFilePath(action)}" title="${action.displayName}"
-        href="${h.getActionUrl(it.url,action)}" />
+    <j:set var="icon" value="${action.iconClassName != null ? action.iconClassName + ' icon-md' : action.iconFileName}"/>
+    <j:if test="${icon!=null}">
+        <j:set var="id" value="${h.generateId()}"/>
+        <l:task icon="${icon}" title="${action.displayName}"
+                href="${h.getActionUrl(it.url,action)}/polling" onclick="${'return poll_' + id + '(this)'}" post="true"/>
+        <script>
+            function poll_${id}(a) {
+                new Ajax.Request(a.href);
+                hoverNotification('${%Poll scheduled}',a.parentNode);
+                return false;
+            }
+        </script>
     </j:if>
-  </j:if>
-</j:jelly>
+</j:jelly>