[SECURITY-3040]

Author: rsandell

README.md

@@ -468,6 +468,8 @@ These traits can be selected by selecting `Add` in the `Behaviours` section.
 
 * `Discover group/subgroup projects` - Discover subgroup projects inside a group/subgroup. Only applicable to `GitLab Group` Job type whose owner is a `Group`/`Subgroup` but not `User`.
 
+* `Discover shared projects` - Discover projects that are shared with the configured owner group from another group. Up until version 684 of the plugin this used to be the default behavior but is now a separate trait that is not added by default due to potential security concerns.
+
 * `Log build status as comment on GitLab` - Enable logging build status as comment on GitLab. A comment is logged on the commit or merge request once the build is completed. You can decide if you want to log success builds or not. You can also use sudo user to comment the build status as commment e.g. `jenkinsadmin` or something similar.
 
 * `Trigger build on merge request comment` - Enable trigger a rebuild of a merge request by comment with your desired comment body (default: `jenkins rebuild`). The job can only be triggered by trusted members of the project i.e. users with Developer/Maintainer/Owner accesslevel (also includes inherited from ancestor groups). By default only trusted members of project can trigger MR.

pom.xml

@@ -34,6 +34,7 @@
     <jenkins.version>2.387.3</jenkins.version>
     <gitHubRepo>jenkinsci/${project.artifactId}-plugin</gitHubRepo>
     <spotless.check.skip>false</spotless.check.skip>
+    <hpi.compatibleSinceVersion>685</hpi.compatibleSinceVersion>
   </properties>
 
   <dependencyManagement>

src/main/java/io/jenkins/plugins/gitlabbranchsource/GitLabSCMNavigator.java

@@ -244,6 +244,7 @@ public void visitSources(@NonNull final SCMSourceObserver observer) throws IOExc
                 GroupProjectsFilter groupProjectsFilter = new GroupProjectsFilter();
                 wantSubGroupProjects = request.wantSubgroupProjects();
                 groupProjectsFilter.withIncludeSubGroups(wantSubGroupProjects);
+                groupProjectsFilter.withShared(request.wantSharedProjects());
                 // If projectOwner is a subgroup, it will only return projects in the subgroup
                 projects = gitLabApi.getGroupApi().getProjects(projectOwner, groupProjectsFilter);
             }

src/main/java/io/jenkins/plugins/gitlabbranchsource/GitLabSCMNavigatorContext.java

@@ -10,6 +10,8 @@ public class GitLabSCMNavigatorContext
 
     private boolean wantSubgroupProjects;
 
+    private boolean wantSharedProjects;
+
     private int projectNamingStrategy = 1;
 
     /** If true, archived repositories will be ignored. */
@@ -33,6 +35,15 @@ public GitLabSCMNavigatorContext wantSubgroupProjects(boolean include) {
         return this;
     }
 
+    public boolean wantSharedProjects() {
+        return wantSharedProjects;
+    }
+
+    public GitLabSCMNavigatorContext wantSharedProjects(boolean include) {
+        this.wantSharedProjects = include;
+        return this;
+    }
+
     /**
      * Returns the project naming strategy id.
      *

src/main/java/io/jenkins/plugins/gitlabbranchsource/GitLabSCMNavigatorRequest.java

@@ -7,6 +7,7 @@
 
 public class GitLabSCMNavigatorRequest extends SCMNavigatorRequest {
 
+    private final boolean wantSharedProjects;
     private boolean wantSubgroupProjects;
 
     private int projectNamingStrategy;
@@ -17,6 +18,7 @@ protected GitLabSCMNavigatorRequest(
             @NonNull SCMSourceObserver observer) {
         super(source, context, observer);
         wantSubgroupProjects = context.wantSubgroupProjects();
+        wantSharedProjects = context.wantSharedProjects();
         projectNamingStrategy = context.withProjectNamingStrategy();
     }
 
@@ -27,6 +29,14 @@ public boolean wantSubgroupProjects() {
         return wantSubgroupProjects;
     }
 
+    /**
+     *
+     * @return wether to include projects that are shared with the group from other groups.
+     */
+    public boolean wantSharedProjects() {
+        return wantSharedProjects;
+    }
+
     /**
      * Returns the project naming strategy id.
      *

src/main/java/io/jenkins/plugins/gitlabbranchsource/SharedProjectsDiscoveryTrait.java

@@ -0,0 +1,48 @@
+package io.jenkins.plugins.gitlabbranchsource;
+
+import edu.umd.cs.findbugs.annotations.NonNull;
+import hudson.Extension;
+import jenkins.scm.api.SCMNavigator;
+import jenkins.scm.api.trait.SCMNavigatorContext;
+import jenkins.scm.api.trait.SCMNavigatorTrait;
+import jenkins.scm.api.trait.SCMNavigatorTraitDescriptor;
+import jenkins.scm.impl.trait.Discovery;
+import org.jenkinsci.Symbol;
+import org.kohsuke.stapler.DataBoundConstructor;
+
+public class SharedProjectsDiscoveryTrait extends SCMNavigatorTrait {
+
+    @DataBoundConstructor
+    public SharedProjectsDiscoveryTrait() {}
+
+    @Override
+    protected void decorateContext(SCMNavigatorContext<?, ?> context) {
+        if (context instanceof GitLabSCMNavigatorContext) {
+            GitLabSCMNavigatorContext ctx = (GitLabSCMNavigatorContext) context;
+            ctx.wantSharedProjects(true);
+        }
+    }
+
+    /**
+     * Our descriptor.
+     */
+    @Symbol("gitLabSharedProjectsDiscovery")
+    @Extension
+    @Discovery
+    public static class DescriptorImpl extends SCMNavigatorTraitDescriptor {
+
+        /**
+         * {@inheritDoc}
+         */
+        @Override
+        @NonNull
+        public String getDisplayName() {
+            return Messages.SharedProjectsDiscoveryTrait_displayName();
+        }
+
+        @Override
+        public Class<? extends SCMNavigator> getNavigatorClass() {
+            return GitLabSCMNavigator.class;
+        }
+    }
+}

src/main/resources/io/jenkins/plugins/gitlabbranchsource/Messages.properties

@@ -22,6 +22,7 @@ ProjectNamingStrategyTrait.contextualProjectPath=Contextual Project Path
 ProjectNamingStrategyTrait.simpleProjectPath=Simple Project Path
 ProjectNamingStrategyTrait.projectName=Project Name
 SubGroupProjectDiscoveryTrait.displayName=Discover subgroup projects
+SharedProjectsDiscoveryTrait.displayName=Discover shared projects
 TagDiscoveryTrait.authorityDisplayName=Trust origin tags
 TagDiscoveryTrait.displayName=Discover tags
 GitLabSCMSource.TagCategory=Tags

src/main/resources/io/jenkins/plugins/gitlabbranchsource/SharedProjectsDiscoveryTrait/help.html

@@ -0,0 +1,9 @@
+<p>
+  Discovers all shared projects for an owner (Group/Subgroup) but not User.
+</p>
+<p>
+  <strong>NOTE</strong> this trait used to be enabled by default,
+  but it is potentially dangerous to allow repositories that are controlled by another group
+  to execute on the Jenkins controller/folder.
+  So the default behavior was changed and this trait is now optional.
+</p>

src/main/resources/io/jenkins/plugins/gitlabbranchsource/SubGroupProjectDiscoveryTrait/help.html

@@ -1,3 +1,3 @@
 <div>
-  Discovers all subgroup projects for a owner (Group/Subgroup) but not User.
+  Discovers all subgroup projects for an owner (Group/Subgroup) but not User.
 </div>