security-727(2)/CVE-2019-16545 issue resolved

jenkinsci · Feb 12, 2020 · 6711f56 · 6711f56
1 parent bf472cf
commit 6711f56
Show file tree

Hide file tree

Showing 3 changed files with 50 additions and 33 deletions.
diff --git a/src/main/java/com/qmetry/QTM4JResultPublisher.java b/src/main/java/com/qmetry/QTM4JResultPublisher.java
@@ -91,7 +91,7 @@ public class QTM4JResultPublisher extends Recorder implements SimpleBuildStep {
 	 private String jiraurlserver;
 	 private String proxyUrl;
      private String username;
-     private String password;
+     private Secret password;
      private String testrunnameserver;
 	 private String testrunkeyserver;
 	 private String testassethierarchyserver;
@@ -195,13 +195,21 @@ public void setUsername(String username) {
 		this.username = username;
 	}
 
-	public String getPassword() throws AbortException{
-		return Secret.toString(Secret.fromString(password));
-	}
+	// public String getPassword() throws AbortException{
+	// 	return Secret.toString(Secret.fromString(password));
+	// }
 
-	public void setPassword(String password) {
-		this.password = Secret.fromString(password).getEncryptedValue();
-	}
+	// public void setPassword(String password) {
+	// 	this.password = Secret.fromString(password).getEncryptedValue();
+	// }
+
+	public void setPassword(Secret password) { 
+        this.password = password;
+    }
+
+    public Secret getPassword() {
+        return password;
+    }
 
 	public String getTestrunnameserver() {
 		return testrunnameserver;
@@ -405,7 +413,7 @@ public QTM4JResultPublisher(){
     @DataBoundConstructor
     public QTM4JResultPublisher(String name,String apikey, String file, boolean attachFile, String testrunname, 
     		String labels, String sprint, String version, String component, String format, String platform, String comment,
-    		String apikeyserver, String jiraurlserver, String proxyUrl, String password, String testrunnameserver,
+    		String apikeyserver, String jiraurlserver, String proxyUrl, Secret password, String testrunnameserver,
     		String labelsserver, String sprintserver, String versionserver, 
     		String componentserver, String username, String fileserver, boolean attachFileServer, String formatserver, String platformserver, String commentserver,
     		String testToRun,String testrunkey,String testassethierarchy, String testCaseUpdateLevel, String jirafields,String testrunkeyserver,String testassethierarchyserver, String testCaseUpdateLevelServer, String jirafieldsserver,boolean disableaction) throws AbortException{
@@ -445,12 +453,12 @@ public QTM4JResultPublisher(String name,String apikey, String file, boolean atta
 		this.jiraurlserver=jiraurlserver;
 		this.proxyUrl = proxyUrl;
 
-		if(password != null && !password.isEmpty())
-		{
-			Secret p = Secret.fromString(password);
-			this.password=p.getEncryptedValue();
-		}
-
+		// if(password != null && !password.isEmpty())
+		// {
+		// 	Secret p = Secret.fromString(password);
+		// 	this.password=p.getEncryptedValue();
+		// }
+		this.password = password;
 		this.testrunnameserver=testrunnameserver;
         this.labelsserver=labelsserver;
         this.sprintserver=sprintserver;

diff --git a/src/main/java/com/qmetry/TestReportDeployPublisher.java b/src/main/java/com/qmetry/TestReportDeployPublisher.java
@@ -93,7 +93,7 @@ public class TestReportDeployPublisher extends Recorder implements SimpleBuildSt
 	private String jiraurlserver;
 	private String proxyUrl;
 	private String username;
-	private String password;
+	private Secret password;
 	private String testrunnameserver;
 	private String testrunkeyserver;
 	private String testassethierarchyserver;
@@ -196,13 +196,21 @@ public void setUsername(String username) {
 		this.username = username;
 	}
 
-	public String getPassword() throws AbortException {
-		return Secret.toString(Secret.fromString(password));
-	}
+	// public String getPassword() throws AbortException {
+	// 	return Secret.toString(Secret.fromString(password));
+	// }
 
-	public void setPassword(String password) {
-		this.password = Secret.fromString(password).getEncryptedValue();
-	}
+	// public void setPassword(String password) {
+	// 	this.password = Secret.fromString(password).getEncryptedValue();
+	// }
+
+	public void setPassword(Secret password) { 
+        this.password = password;
+    }
+
+    public Secret getPassword() {
+        return password;
+    }
 
 	public String getTestrunnameserver() {
 		return testrunnameserver;
@@ -396,7 +404,7 @@ public TestReportDeployPublisher() {
 	@DataBoundConstructor
 	public TestReportDeployPublisher(String name, String apikey, String file, boolean attachFile, String testrunname,
 			String labels, String sprint, String version, String component, String format, String platform,
-			String comment, String apikeyserver, String jiraurlserver, String proxyUrl, String password,
+			String comment, String apikeyserver, String jiraurlserver, String proxyUrl, Secret password,
 			String testrunnameserver, String labelsserver, String sprintserver, String versionserver,
 			String componentserver, String username, String fileserver, boolean attachFileServer, String formatserver,
 			String platformserver, String commentserver, String testToRun, String testrunkey, String testassethierarchy,
@@ -436,11 +444,11 @@ public TestReportDeployPublisher(String name, String apikey, String file, boolea
 		this.jiraurlserver = jiraurlserver;
 		this.proxyUrl = proxyUrl;
 
-		if (password != null && !password.isEmpty()) {
-			Secret p = Secret.fromString(password);
-			this.password = p.getEncryptedValue();
-		}
-
+		// if (password != null && !password.isEmpty()) {
+		// 	Secret p = Secret.fromString(password);
+		// 	this.password = p.getEncryptedValue();
+		// }
+		this.password = password;
 		this.testrunnameserver = testrunnameserver;
 		this.labelsserver = labelsserver;
 		this.sprintserver = sprintserver;
@@ -689,8 +697,8 @@ public void perform(Run<?, ?> run, FilePath workspace, Launcher launcher, TaskLi
 				String jiraurlserver_chkd = env.expand(this.getJiraurlserver());
 				String proxyUrl_chkd = env.expand(this.getProxyUrl());
 				String username_chkd = env.expand(this.getUsername());
-				String password_chkd = env.expand(this.getPassword());
-
+				//Secret password_chkd = env.expand(Secret.toString(Secret.fromString(this.getPassword())));
+				Secret password_chkd = Secret.fromString(env.expand(Secret.toString(this.getPassword())));
 				if (jiraurlserver_chkd == null || jiraurlserver_chkd.isEmpty()) {
 					logger.println("QMetry for JIRA : [ERROR] : Enter JIRA URL for server instance.");
 					throw new AbortException();
@@ -699,7 +707,7 @@ public void perform(Run<?, ?> run, FilePath workspace, Launcher launcher, TaskLi
 					logger.println("QMetry for JIRA : [ERROR] : Enter Username for JIRA server instance.");
 					throw new AbortException();
 				}
-				if (password_chkd == null || password_chkd.isEmpty()) {
+				if (password_chkd == null) {
 					logger.println("QMetry for JIRA : [ERROR] : Enter Password for JIRA server instance.");
 					throw new AbortException();
 				}

diff --git a/src/main/java/com/qmetry/UploadToServer.java b/src/main/java/com/qmetry/UploadToServer.java
@@ -56,12 +56,13 @@
 import hudson.FilePath;
 import hudson.model.Run;
 import hudson.model.TaskListener;
+import hudson.util.Secret;
 
 @IgnoreJRERequirement
 public class UploadToServer {
 
 	public Map<String, String> uploadToTheServer(String apikeyserver, String jiraurlserver, String proxyUrl,
-			String password, String testrunnameserver, String labelsserver, String sprintserver, String versionserver,
+			Secret password, String testrunnameserver, String labelsserver, String sprintserver, String versionserver,
 			String componentserver, String username, String fileserver, boolean attachFileServer,
 			String selectionserver, String platformserver, String commentserver, String testrunkeyserver,
 			String testassethierarchyserver, String testCaseUpdateLevelServer, String jirafieldsserver, int buildnumber,
@@ -74,9 +75,9 @@ public Map<String, String> uploadToTheServer(String apikeyserver, String jiraurl
 			return null;
 		}
 		Map<String, String> map = new HashMap<String, String>();
-
+		//listener.getLogger().println(">>>>>"+password.getPlainText());
 		CloseableHttpClient httpClient = HttpClients.createDefault();
-		String toEncode = username.trim() + ":" + password.trim();
+		String toEncode = username.trim() + ":" + password.getPlainText().trim();
 
 		byte[] mes = toEncode.getBytes("UTF-8");
 		String encodedString = DatatypeConverter.printBase64Binary(mes);