fix: Stapler: Missing POST/RequirePOST annotation (#277)

jenkinsci · Oct 23, 2022 · eddefb8 · eddefb8
1 parent 6cc620b
commit eddefb8
Show file tree

Hide file tree

Showing 4 changed files with 26 additions and 1 deletion.
diff --git a/src/main/java/org/jenkinsci/plugins/saml/IdpMetadataConfiguration.java b/src/main/java/org/jenkinsci/plugins/saml/IdpMetadataConfiguration.java
@@ -24,6 +24,7 @@
 import org.apache.commons.lang.StringUtils;
 import org.kohsuke.stapler.DataBoundConstructor;
 import org.kohsuke.stapler.QueryParameter;
+import org.kohsuke.stapler.interceptor.RequirePOST;
 import hudson.Extension;
 import hudson.ProxyConfiguration;
 import hudson.model.AbstractDescribableImpl;
@@ -192,6 +193,7 @@ public String getDisplayName() {
             return "";
         }
 
+        @RequirePOST
         public FormValidation doTestIdpMetadata(@QueryParameter("xml") String xml) {
             if (StringUtils.isBlank(xml)) {
                 return FormValidation.error(ERROR_IDP_METADATA_EMPTY);
@@ -200,10 +202,12 @@ public FormValidation doTestIdpMetadata(@QueryParameter("xml") String xml) {
             return new SamlValidateIdPMetadata(xml).get();
         }
 
+        @RequirePOST
         public FormValidation doCheckPeriod(@QueryParameter("period") String period) {
             return SamlFormValidation.checkIntegerFormat(period);
         }
 
+        @RequirePOST
         public FormValidation doCheckXml(@QueryParameter("xml") String xml, @QueryParameter("url") String url) {
             if (StringUtils.isBlank(xml) && StringUtils.isBlank(url)) {
                 return FormValidation.error(ERROR_IDP_METADATA_EMPTY);
@@ -212,6 +216,7 @@ public FormValidation doCheckXml(@QueryParameter("xml") String xml, @QueryParame
             return FormValidation.ok();
         }
 
+        @RequirePOST
         public FormValidation doCheckUrl(@QueryParameter("url") String url) {
             if (StringUtils.isEmpty(url)) {
                 return FormValidation.ok();
@@ -224,6 +229,7 @@ public FormValidation doCheckUrl(@QueryParameter("url") String url) {
             return FormValidation.ok();
         }
 
+        @RequirePOST
         public FormValidation doTestIdpMetadataURL(@QueryParameter("url") String url) {
             URLConnection urlConnection;
             try {

diff --git a/src/main/java/org/jenkinsci/plugins/saml/SamlAdvancedConfiguration.java b/src/main/java/org/jenkinsci/plugins/saml/SamlAdvancedConfiguration.java
@@ -21,6 +21,7 @@
 import org.apache.commons.lang.StringUtils;
 import org.kohsuke.stapler.DataBoundConstructor;
 import org.kohsuke.stapler.DataBoundSetter;
+import org.kohsuke.stapler.interceptor.RequirePOST;
 import hudson.Extension;
 import hudson.Util;
 import hudson.model.AbstractDescribableImpl;
@@ -103,19 +104,23 @@ public String getDisplayName() {
         }
 
 
+        @RequirePOST
         public FormValidation doCheckAuthnContextClassRef(@org.kohsuke.stapler.QueryParameter String authnContextClassRef) {
            return SamlFormValidation.checkStringFormat(authnContextClassRef);
         }
 
 
+        @RequirePOST
         public FormValidation doCheckSpEntityId(@org.kohsuke.stapler.QueryParameter String spEntityId) {
             return SamlFormValidation.checkStringFormat(spEntityId);
         }
 
+        @RequirePOST
         public FormValidation doCheckNameIdPolicyFormat(@org.kohsuke.stapler.QueryParameter String nameIdPolicyFormat) {
             return SamlFormValidation.checkStringFormat(nameIdPolicyFormat);
         }
 
+        @RequirePOST
         public FormValidation doCheckMaximumSessionLifetime(@org.kohsuke.stapler.QueryParameter String maximumSessionLifetime) {
             if (StringUtils.isEmpty(maximumSessionLifetime)) {
                 return hudson.util.FormValidation.ok();

diff --git a/src/main/java/org/jenkinsci/plugins/saml/SamlEncryptionData.java b/src/main/java/org/jenkinsci/plugins/saml/SamlEncryptionData.java
@@ -32,6 +32,7 @@
 import org.apache.commons.lang.StringUtils;
 import org.kohsuke.stapler.DataBoundConstructor;
 import org.kohsuke.stapler.QueryParameter;
+import org.kohsuke.stapler.interceptor.RequirePOST;
 import hudson.Extension;
 import hudson.Util;
 import hudson.model.AbstractDescribableImpl;
@@ -148,22 +149,27 @@ public String getDisplayName() {
             return "Encryption Configuration";
         }
 
+        @RequirePOST
         public FormValidation doCheckKeystorePath(@QueryParameter String keystorePath) {
             return SamlFormValidation.checkStringAttributeFormat(keystorePath, WARN_KEYSTORE_NOT_SET, true);
         }
 
+        @RequirePOST
         public FormValidation doCheckPrivateKeyAlias(@QueryParameter String privateKeyAlias) {
             return SamlFormValidation.checkStringAttributeFormat(privateKeyAlias, WARN_PRIVATE_KEY_ALIAS_NOT_SET, true);
         }
 
+        @RequirePOST
         public FormValidation doCheckKeystorePassword(@QueryParameter String keystorePassword) {
             return SamlFormValidation.checkStringAttributeFormat(keystorePassword, WARN_PRIVATE_KEYSTORE_PASS_NOT_SET, true);
         }
 
+        @RequirePOST
         public FormValidation doCheckPrivateKeyPassword(@QueryParameter String privateKeyPassword) {
             return SamlFormValidation.checkStringAttributeFormat(privateKeyPassword, WARN_PRIVATE_KEY_PASS_NOT_SET, true);
         }
 
+        @RequirePOST
         public FormValidation doTestKeyStore(@QueryParameter("keystorePath") String keystorePath,
                                                          @QueryParameter("keystorePassword") Secret keystorePassword,
                                                          @QueryParameter("privateKeyPassword") Secret privateKeyPassword,

diff --git a/src/main/java/org/jenkinsci/plugins/saml/SamlSecurityRealm.java b/src/main/java/org/jenkinsci/plugins/saml/SamlSecurityRealm.java
@@ -52,7 +52,6 @@
 import org.pac4j.core.exception.http.SeeOtherAction;
 import org.springframework.dao.DataAccessException;
 import org.pac4j.saml.profile.SAML2Profile;
-import org.springframework.dao.DataAccessException;
 import org.springframework.security.authentication.BadCredentialsException;
 import org.springframework.security.core.GrantedAuthority;
 import org.springframework.security.core.authority.SimpleGrantedAuthority;
@@ -252,6 +251,7 @@ public String getLoginUrl() {
      * @return the http response.
      */
     @SuppressWarnings("unused")
+    @RequirePOST
     public HttpResponse doCommenceLogin(final StaplerRequest request, final StaplerResponse response, @QueryParameter
             String from, @Header("Referer") final String referer) {
         LOG.fine("SamlSecurityRealm.doCommenceLogin called. Using consumerServiceUrl " + getSamlPluginConfig().getConsumerServiceUrl());
@@ -596,6 +596,7 @@ static String getSPMetadataFilePath() {
      * @return the http response.
      */
     @SuppressWarnings("unused")
+    @RequirePOST
     public HttpResponse doMetadata(StaplerRequest request, StaplerResponse response) {
         return new SamlSPMetadataWrapper(getSamlPluginConfig(), request, response).get();
     }
@@ -618,6 +619,7 @@ protected String getPostLogOutUrl(StaplerRequest req, @Nonnull Authentication au
     }
 
     @Override
+    @RequirePOST
     public void doLogout(StaplerRequest req, StaplerResponse rsp) throws IOException, javax.servlet.ServletException {
         super.doLogout(req, rsp);
         LOG.log(Level.FINEST, "Here we could do the SAML Single Logout");
@@ -680,26 +682,32 @@ public String getDisplayName() {
             return "SAML 2.0";
         }
 
+        @RequirePOST
         public FormValidation doCheckLogoutUrl(@QueryParameter String logoutUrl) {
             return SamlFormValidation.checkUrlFormat(logoutUrl);
         }
 
+        @RequirePOST
         public FormValidation doCheckDisplayNameAttributeName(@QueryParameter String displayNameAttributeName) {
             return SamlFormValidation.checkStringFormat(displayNameAttributeName);
         }
 
+        @RequirePOST
         public FormValidation doCheckGroupsAttributeName(@QueryParameter String groupsAttributeName) {
             return SamlFormValidation.checkStringAttributeFormat(groupsAttributeName, SamlSecurityRealm.WARN_RECOMMENDED_TO_SET_THE_GROUPS_ATTRIBUTE, true);
         }
 
+        @RequirePOST
         public FormValidation doCheckUsernameAttributeName(@QueryParameter String usernameAttributeName) {
             return SamlFormValidation.checkStringAttributeFormat(usernameAttributeName, SamlSecurityRealm.WARN_RECOMMENDED_TO_SET_THE_USERNAME_ATTRIBUTE, true);
         }
 
+        @RequirePOST
         public FormValidation doCheckEmailAttributeName(@QueryParameter String emailAttributeName) {
             return SamlFormValidation.checkStringAttributeFormat(emailAttributeName, SamlSecurityRealm.WARN_RECOMMENDED_TO_SET_THE_EMAIL_ATTRIBUTE, true);
         }
 
+        @RequirePOST
         public FormValidation doCheckMaximumAuthenticationLifetime(@QueryParameter String maximumAuthenticationLifetime) {
             return SamlFormValidation.checkIntegerFormat(maximumAuthenticationLifetime);
         }