fix: Stapler: Missing permission check (#346)

kuisathaverat · web-flow · commit 7fd446b337c9 · 2022-10-23T21:14:09.000+02:00
* fix: Stapler: Missing permission check

* fix: doIndex does not require POST
diff --git a/src/main/java/hudson/plugins/sshslaves/SSHLauncher.java b/src/main/java/hudson/plugins/sshslaves/SSHLauncher.java
@@ -1296,6 +1296,7 @@ public FormValidation doCheckCredentialsId(@AncestorInPath ItemGroup context,
 
         @RequirePOST
         public FormValidation doCheckPort(@QueryParameter String value) {
+            Jenkins.get().checkPermission(Computer.CONFIGURE);
             if (StringUtils.isEmpty(value)) {
                 return FormValidation.error(Messages.SSHLauncher_PortNotSpecified());
             }
@@ -1315,6 +1316,7 @@ public FormValidation doCheckPort(@QueryParameter String value) {
 
         @RequirePOST
         public FormValidation doCheckHost(@QueryParameter String value) {
+            Jenkins.get().checkPermission(Computer.CONFIGURE);
             FormValidation ret = FormValidation.ok();
             if (StringUtils.isEmpty(value)) {
                 return FormValidation.error(Messages.SSHLauncher_HostNotSpecified());
@@ -1324,6 +1326,7 @@ public FormValidation doCheckHost(@QueryParameter String value) {
 
         @RequirePOST
         public FormValidation doCheckJavaPath(@QueryParameter String value) {
+            Jenkins.get().checkPermission(Computer.CONFIGURE);
             FormValidation ret = FormValidation.ok();
             if (value != null && value.contains(" ")
                 && !(value.startsWith("\"") && value.endsWith("\""))
diff --git a/src/main/java/hudson/plugins/sshslaves/verifiers/ManuallyProvidedKeyVerificationStrategy.java b/src/main/java/hudson/plugins/sshslaves/verifiers/ManuallyProvidedKeyVerificationStrategy.java
@@ -32,15 +32,18 @@
 
 import edu.umd.cs.findbugs.annotations.NonNull;
 import org.kohsuke.stapler.DataBoundConstructor;
+import org.kohsuke.stapler.interceptor.RequirePOST;
 import org.kohsuke.stapler.QueryParameter;
 
 import hudson.Extension;
+import hudson.model.Computer;
 import hudson.model.TaskListener;
 import hudson.plugins.sshslaves.Messages;
 import hudson.plugins.sshslaves.SSHLauncher;
 import hudson.slaves.SlaveComputer;
 import hudson.util.FormValidation;
 import java.util.Collections;
+import jenkins.model.Jenkins;
 
 /**
  * Checks a key provided by a remote hosts matches a key specified as being required by the
@@ -116,7 +119,9 @@ public String getDisplayName() {
             return Messages.ManualKeyProvidedHostKeyVerifier_DisplayName();
         }
 
+        @RequirePOST
         public FormValidation doCheckKey(@QueryParameter String key) {
+            Jenkins.get().checkPermission(Computer.CONFIGURE);
             try {
                 ManuallyProvidedKeyVerificationStrategy.parseKey(key);
                 return FormValidation.ok();
diff --git a/src/main/java/hudson/plugins/sshslaves/verifiers/TrustHostKeyAction.java b/src/main/java/hudson/plugins/sshslaves/verifiers/TrustHostKeyAction.java
@@ -131,4 +131,4 @@ public String getUrlName() {
         }
         return actionPath;
     }
-}
+}

Original file line number	Diff line number	Diff line change
`@@ -131,4 +131,4 @@ public String getUrlName() {`
`131`	`131`	`}`
`132`	`132`	`return actionPath;`
`133`	`133`	`}`
`134`		`-}`
	`134`	`+}`