Fix SECURITY-1025

[lacostej]

I hope this fixes SECURITY-1025. Any way to check if there are other paths to protect?

Testing done

Submitter checklist

Preview Give feedback

1. Make sure you are opening from a topic/feature/bugfix branch (right side) and not your main branch!
2. Ensure that the pull request title represents the desired changelog entry
3. Please describe what you did
4. Link to relevant issues in GitHub or Jira
5. Link to relevant pull requests, esp. upstream and downstream changes
6. Ensure you have provided tests - that demonstrates feature works or fixes the issue

[MarkEWaite]

Could anyone please replay this PR build with the updated Jenkinsfile?

Done

[lacostej]

I think I now have handled all cases that needed to be handled.

[yaroslavafenkin]

With addition of these annotations UI buttons seem to be broken.
I've create a dummy freestyle job and added 2 batch tasks to it. Then when I go to JENKINS/job/JOB_NAME/batchTasks/task/TASK_NAME/ and click "Build Now" I get a 404. Same with "Delete Task".

I suspect that culprits are https://github.com/jenkinsci/batch-task-plugin/blob/master/src/main/resources/hudson/plugins/batch_task/BatchTask/sidepanel.jelly#L18 and https://github.com/jenkinsci/batch-task-plugin/blob/master/src/main/resources/hudson/plugins/batch_task/BatchTask/delete.jelly#L9C11-L9C23

For l:task there exists a post attribute, so the fix should be straightforward.

[lacostej]

perfect. Note that I removed the delete.jelly as it does no seem to be used.

I am still able to delete tasks without it.

[yaroslavafenkin]

FYI utility methods exist in jenkins-test-harness that allow you to send post requests already.
See https://github.com/jenkinsci/jenkins/blob/9012a5b35aca298e4cfa23c6ca95242690c232c3/test/src/test/java/hudson/model/ViewTest.java#L264-L267 for example.

[lacostej]

Thanks, I adjusted my helper method.

[yaroslavafenkin]

Works well in local testing.

[yaroslavafenkin]

This is not really needed, no CSRF here.