fix: Stapler: Missing permission check (#346)

* fix: Stapler: Missing permission check * fix: doIndex does not require POST
jenkinsci · Oct 23, 2022 · 7fd446b · 7fd446b
1 parent fac0f72
commit 7fd446b
Show file tree

Hide file tree

Showing 3 changed files with 9 additions and 1 deletion.
diff --git a/src/main/java/hudson/plugins/sshslaves/SSHLauncher.java b/src/main/java/hudson/plugins/sshslaves/SSHLauncher.java
@@ -1296,6 +1296,7 @@ public FormValidation doCheckCredentialsId(@AncestorInPath ItemGroup context,
 
         @RequirePOST
         public FormValidation doCheckPort(@QueryParameter String value) {
+            Jenkins.get().checkPermission(Computer.CONFIGURE);
             if (StringUtils.isEmpty(value)) {
                 return FormValidation.error(Messages.SSHLauncher_PortNotSpecified());
             }
@@ -1315,6 +1316,7 @@ public FormValidation doCheckPort(@QueryParameter String value) {
 
         @RequirePOST
         public FormValidation doCheckHost(@QueryParameter String value) {
+            Jenkins.get().checkPermission(Computer.CONFIGURE);
             FormValidation ret = FormValidation.ok();
             if (StringUtils.isEmpty(value)) {
                 return FormValidation.error(Messages.SSHLauncher_HostNotSpecified());
@@ -1324,6 +1326,7 @@ public FormValidation doCheckHost(@QueryParameter String value) {
 
         @RequirePOST
         public FormValidation doCheckJavaPath(@QueryParameter String value) {
+            Jenkins.get().checkPermission(Computer.CONFIGURE);
             FormValidation ret = FormValidation.ok();
             if (value != null && value.contains(" ")
                 && !(value.startsWith("\"") && value.endsWith("\""))

diff --git a/...main/java/hudson/plugins/sshslaves/verifiers/ManuallyProvidedKeyVerificationStrategy.java b/...main/java/hudson/plugins/sshslaves/verifiers/ManuallyProvidedKeyVerificationStrategy.java
@@ -32,15 +32,18 @@
 
 import edu.umd.cs.findbugs.annotations.NonNull;
 import org.kohsuke.stapler.DataBoundConstructor;
+import org.kohsuke.stapler.interceptor.RequirePOST;
 import org.kohsuke.stapler.QueryParameter;
 
 import hudson.Extension;
+import hudson.model.Computer;
 import hudson.model.TaskListener;
 import hudson.plugins.sshslaves.Messages;
 import hudson.plugins.sshslaves.SSHLauncher;
 import hudson.slaves.SlaveComputer;
 import hudson.util.FormValidation;
 import java.util.Collections;
+import jenkins.model.Jenkins;
 
 /**
  * Checks a key provided by a remote hosts matches a key specified as being required by the
@@ -116,7 +119,9 @@ public String getDisplayName() {
             return Messages.ManualKeyProvidedHostKeyVerifier_DisplayName();
         }
 
+        @RequirePOST
         public FormValidation doCheckKey(@QueryParameter String key) {
+            Jenkins.get().checkPermission(Computer.CONFIGURE);
             try {
                 ManuallyProvidedKeyVerificationStrategy.parseKey(key);
                 return FormValidation.ok();

diff --git a/src/main/java/hudson/plugins/sshslaves/verifiers/TrustHostKeyAction.java b/src/main/java/hudson/plugins/sshslaves/verifiers/TrustHostKeyAction.java
@@ -131,4 +131,4 @@ public String getUrlName() {
         }
         return actionPath;
     }
-}
+}