From c2e5ad99da6de4b9152ae0691f112145358a5666 Mon Sep 17 00:00:00 2001
From: Olivier Lamy
Date: Thu, 17 Feb 2022 13:35:25 +1000
Subject: [PATCH 1/3] [SECURITY-2290] check permission as well
Signed-off-by: Olivier Lamy
---
 .../descriptor/BapSshCredentialsDescriptor.java | 1 +
 .../descriptor/BapSshHostConfigurationDescriptor.java | 4 ++++
 .../descriptor/BapSshPublisherPluginDescriptor.java | 1 +
 3 files changed, 6 insertions(+)
diff --git a/src/main/java/jenkins/plugins/publish_over_ssh/descriptor/BapSshCredentialsDescriptor.java b/src/main/java/jenkins/plugins/publish_over_ssh/descriptor/BapSshCredentialsDescriptor.java
index 8acdd6ca..0f5830dd 100644
--- a/src/main/java/jenkins/plugins/publish_over_ssh/descriptor/BapSshCredentialsDescriptor.java
+++ b/src/main/java/jenkins/plugins/publish_over_ssh/descriptor/BapSshCredentialsDescriptor.java
@@ -72,6 +72,7 @@ public FormValidation doCheckKeyPath(@QueryParameter final String value) {
 public FormValidation doTestConnection(@QueryParameter final String configName, @QueryParameter final String username, @QueryParameter final String encryptedPassphrase, @QueryParameter final String key, @QueryParameter final String keyPath) {
+ Jenkins.get().checkPermission(Jenkins.ADMINISTER);
 final BapSshCredentials credentials = new BapSshCredentials(username, encryptedPassphrase, key, keyPath);
 final BPBuildInfo buildInfo = BapSshPublisherPluginDescriptor.createDummyBuildInfo();
 buildInfo.put(BPBuildInfo.OVERRIDE_CREDENTIALS_CONTEXT_KEY, credentials);
diff --git a/src/main/java/jenkins/plugins/publish_over_ssh/descriptor/BapSshHostConfigurationDescriptor.java b/src/main/java/jenkins/plugins/publish_over_ssh/descriptor/BapSshHostConfigurationDescriptor.java
index 4a937b08..abca20fe 100644
--- a/src/main/java/jenkins/plugins/publish_over_ssh/descriptor/BapSshHostConfigurationDescriptor.java
+++ b/src/main/java/jenkins/plugins/publish_over_ssh/descriptor/BapSshHostConfigurationDescriptor.java
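Review bot: `doCheckKeyPath` in this descriptor, named in the hunk header just above the changed method, is left untouched by the commit (the diffstat shows a single insertion for this file), while the same-named method in BapSshHostConfigurationDescriptor gains both `@RequirePOST` and the ADMINISTER check. Its body is outside the hunk; if it also delegates to `BPValidators.validateFileOnMaster`, a caller without ADMINISTER can still learn whether a path exists on the controller, and it should get the same guard, `Jenkins.get().checkPermission(Jenkins.ADMINISTER);`. The hunk starts at the signature of `doTestConnection`, so whether this method carries `@RequirePOST` like the two other `doTestConnection` methods in the series cannot be confirmed from here; without it the permission check alone does not cover a forged request sent on behalf of a logged-in administrator.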
@@ -81,12 +81,16 @@ public FormValidation doCheckTimeout(@QueryParameter final String value) {
 return FormValidation.validateNonNegativeInteger(value);
 }
+ @RequirePOST
 public FormValidation doCheckKeyPath(@QueryParameter final String value) {
+ Jenkins.get().checkPermission(Jenkins.ADMINISTER));
 return BPValidators.validateFileOnMaster(value);
 }
 @RequirePOST
 public FormValidation doTestConnection(final StaplerRequest request, final StaplerResponse response) {
+ Jenkins.get().checkPermission(Jenkins.ADMINISTER);
+
 final BapSshPublisherPlugin.Descriptor pluginDescriptor;
 Jenkins j = Jenkins.getInstanceOrNull();
 if(j != null) {
diff --git a/src/main/java/jenkins/plugins/publish_over_ssh/descriptor/BapSshPublisherPluginDescriptor.java b/src/main/java/jenkins/plugins/publish_over_ssh/descriptor/BapSshPublisherPluginDescriptor.java
index 0581a809..bced56e1 100644
--- a/src/main/java/jenkins/plugins/publish_over_ssh/descriptor/BapSshPublisherPluginDescriptor.java
+++ b/src/main/java/jenkins/plugins/publish_over_ssh/descriptor/BapSshPublisherPluginDescriptor.java
@@ -193,6 +193,7 @@ public jenkins.plugins.publish_over.view_defaults.manage_jenkins.Messages getCom
 @RequirePOST
 public FormValidation doTestConnection(final StaplerRequest request, final StaplerResponse response) {
+ Jenkins.get().checkPermission(Jenkins.ADMINISTER););
 final BapSshHostConfiguration hostConfig = request.bindParameters(BapSshHostConfiguration.class, "");
 hostConfig.setCommonConfig(request.bindParameters(BapSshCommonConfiguration.class, "common."));
 return validateConnection(hostConfig, createDummyBuildInfo());
From afaac21033358b44d229ed60c84dff509455c24c Mon Sep 17 00:00:00 2001
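Review bot: Adding `@RequirePOST` to `doCheckKeyPath` changes how the form field has to call it: a field's validation request is only sent as POST when the view (or the core default in use) says so, typically via `checkMethod="post"` on the field, and this series touches only Java files, so the key-path check may start failing for legitimate administrators unless the view already posts — worth confirming against the descriptor's view. In `doTestConnection`, `Jenkins.get()` already throws when no instance is available, so the `Jenkins.getInstanceOrNull()` / `if(j != null)` lookup that follows can no longer take its null branch; one lookup can serve both, e.g. `final Jenkins j = Jenkins.get();` followed by `j.checkPermission(Jenkins.ADMINISTER);`. The rest of that method lies outside the hunk.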
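Review bot: As committed in this patch the added line reads `Jenkins.get().checkPermission(Jenkins.ADMINISTER););`, which does not compile, and the `doCheckKeyPath` line in BapSshHostConfigurationDescriptor carries a stray `)` as well; both are only corrected in PATCH 2/3 and 3/3. Squashing the three commits would keep every revision buildable and ensure that anyone backporting the security fix takes it as one unit. The series also adds no test: a descriptor test that calls `doTestConnection` as a user without ADMINISTER and expects the access-denied failure would pin the new behaviour. The diffstat shows one insertion for this file, so the `Jenkins` import is assumed to be present already.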
From: Olivier Lamy
Date: Mon, 21 Feb 2022 18:10:41 +1000
Subject: [PATCH 2/3] Update src/main/java/jenkins/plugins/publish_over_ssh/descriptor/BapSshPublisherPluginDescriptor.java
Co-authored-by: Kevin Guerroudj <91883215+Kevin-CB@users.noreply.github.com>
---
 .../descriptor/BapSshPublisherPluginDescriptor.java | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/main/java/jenkins/plugins/publish_over_ssh/descriptor/BapSshPublisherPluginDescriptor.java b/src/main/java/jenkins/plugins/publish_over_ssh/descriptor/BapSshPublisherPluginDescriptor.java
index bced56e1..40884375 100644
--- a/src/main/java/jenkins/plugins/publish_over_ssh/descriptor/BapSshPublisherPluginDescriptor.java
+++ b/src/main/java/jenkins/plugins/publish_over_ssh/descriptor/BapSshPublisherPluginDescriptor.java
@@ -193,7 +193,7 @@ public jenkins.plugins.publish_over.view_defaults.manage_jenkins.Messages getCom
 @RequirePOST
 public FormValidation doTestConnection(final StaplerRequest request, final StaplerResponse response) {
- Jenkins.get().checkPermission(Jenkins.ADMINISTER););
+ Jenkins.get().checkPermission(Jenkins.ADMINISTER);
 final BapSshHostConfiguration hostConfig = request.bindParameters(BapSshHostConfiguration.class, "");
 hostConfig.setCommonConfig(request.bindParameters(BapSshCommonConfiguration.class, "common."));
 return validateConnection(hostConfig, createDummyBuildInfo());
From 1dc2f2678e50b9c4872dd262b64056b4ddbb2491 Mon Sep 17 00:00:00 2001
From: Olivier Lamy
Date: Mon, 21 Feb 2022 18:10:49 +1000
Subject: [PATCH 3/3] Update src/main/java/jenkins/plugins/publish_over_ssh/descriptor/BapSshHostConfigurationDescriptor.java
Co-authored-by: Kevin Guerroudj <91883215+Kevin-CB@users.noreply.github.com>
---
 .../descriptor/BapSshHostConfigurationDescriptor.java | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/main/java/jenkins/plugins/publish_over_ssh/descriptor/BapSshHostConfigurationDescriptor.java b/src/main/java/jenkins/plugins/publish_over_ssh/descriptor/BapSshHostConfigurationDescriptor.java
index abca20fe..18b7df33 100644
--- a/src/main/java/jenkins/plugins/publish_over_ssh/descriptor/BapSshHostConfigurationDescriptor.java
+++ b/src/main/java/jenkins/plugins/publish_over_ssh/descriptor/BapSshHostConfigurationDescriptor.java
@@ -83,7 +83,7 @@ public FormValidation doCheckTimeout(@QueryParameter final String value) {
 @RequirePOST
 public FormValidation doCheckKeyPath(@QueryParameter final String value) {
- Jenkins.get().checkPermission(Jenkins.ADMINISTER));
+ Jenkins.get().checkPermission(Jenkins.ADMINISTER);
 return BPValidators.validateFileOnMaster(value);
 }