[SECURITY-3498]

daniel-beck · jenkinsci-cert-ci · commit 84ef1a4d4db1 · 2025-02-25T16:17:26.000Z
diff --git a/core/src/main/java/jenkins/model/Jenkins.java b/core/src/main/java/jenkins/model/Jenkins.java
@@ -4165,6 +4165,7 @@ public synchronized HttpRedirect doCancelQuietDown() {
         return new HttpRedirect(".");
     }
 
+    @POST
     public HttpResponse doToggleCollapse() throws ServletException, IOException {
         final StaplerRequest2 request = Stapler.getCurrentRequest2();
         final String paneId = request.getParameter("paneId");
diff --git a/core/src/main/resources/lib/hudson/executors.jelly b/core/src/main/resources/lib/hudson/executors.jelly
@@ -174,7 +174,9 @@ THE SOFTWARE.
           ${executorDetails}
         </span>
       </j:if>
-      <a class="collapse" href="${rootURL}/toggleCollapse?paneId=executors"
+      <st:adjunct includes="lib.form.link.link"/>
+      <!-- TODO improve l:link so the `a` can be changed to `l:link`. -->
+      <a class="collapse post" href="${rootURL}/toggleCollapse?paneId=executors"
          tooltip="${paneIsCollapsed ? '%Expand' : '%Collapse'}" data-tooltip-append-to-parent="true">
         <j:set var="svgIconId" value="${paneIsCollapsed ? 'chevron-up' : 'chevron-down'}" />
         <l:icon src="symbol-${svgIconId}" />
diff --git a/core/src/main/resources/lib/layout/pane.jelly b/core/src/main/resources/lib/layout/pane.jelly
@@ -59,7 +59,9 @@ THE SOFTWARE.
       </span>
 
       <j:if test="${attrs.id != null}">
-        <a class="collapse" href="${rootURL}/toggleCollapse?paneId=${attrs.id}"
+        <st:adjunct includes="lib.form.link.link"/>
+        <!-- TODO improve l:link so the `a` can be changed to `l:link`. -->
+        <a class="collapse post" href="${rootURL}/toggleCollapse?paneId=${attrs.id}"
            title="${paneIsCollapsed ? '%expand' : '%collapse'}">
 
           <j:set var="svgIconId" value="${paneIsCollapsed ? 'chevron-up' : 'chevron-down'}" />
diff --git a/test/src/test/java/hudson/model/ComputerSetTest.java b/test/src/test/java/hudson/model/ComputerSetTest.java
@@ -173,7 +173,7 @@ public void testTerminatedNodeAjaxExecutorsDoesNotShowTrace() throws Exception {
                 new OfflineCause.ChannelTermination(new RuntimeException(message))
         );
 
-        WebClient wc = j.createWebClient();
+        WebClient wc = j.createWebClient().withJavaScriptEnabled(false);
         Page page = wc.getPage(wc.createCrumbedUrl(HasWidgetHelper.getWidget(j.jenkins.getComputer(), ExecutorsWidget.class).orElseThrow().getUrl() + "ajax"));
         String content = page.getWebResponse().getContentAsString();
         assertThat(content, not(containsString(message)));
diff --git a/test/src/test/java/hudson/model/ComputerTest.java b/test/src/test/java/hudson/model/ComputerTest.java
@@ -285,7 +285,7 @@ public void testTerminatedNodeAjaxExecutorsDoesNotShowTrace() throws Exception {
                 new OfflineCause.ChannelTermination(new RuntimeException(message))
         );
 
-        WebClient wc = j.createWebClient();
+        WebClient wc = j.createWebClient().withJavaScriptEnabled(false);
         Page page = wc.getPage(wc.createCrumbedUrl(HasWidgetHelper.getWidget(agent.toComputer(), ExecutorsWidget.class).orElseThrow().getUrl() + "ajax"));
         String content = page.getWebResponse().getContentAsString();
         assertThat(content, not(containsString(message)));
diff --git a/test/src/test/java/jenkins/model/JenkinsTest.java b/test/src/test/java/jenkins/model/JenkinsTest.java
@@ -72,6 +72,7 @@
 import hudson.util.FormValidation;
 import hudson.util.HttpResponses;
 import hudson.util.VersionNumber;
+import jakarta.servlet.http.HttpServletResponse;
 import java.io.File;
 import java.io.IOException;
 import java.net.HttpURLConnection;
@@ -130,6 +131,16 @@ public class JenkinsTest {
     @Rule
     public TemporaryFolder tmp = new TemporaryFolder();
 
+    @Test
+    @Issue("SECURITY-3498")
+    public void testPaneToggleCollapse() throws Exception {
+        try (WebClient wc = j.createWebClient()) {
+            final FailingHttpStatusCodeException ex = assertThrows(FailingHttpStatusCodeException.class, () -> wc.goTo("toggleCollapse?paneId=foo"));
+            // @POST responds 404 when the verb is wrong; @RequirePOST would respond 405.
+            assertThat(ex.getStatusCode(), is(HttpServletResponse.SC_NOT_FOUND));
+        }
+    }
+
     @Test
     @Issue("SECURITY-3073")
     public void verifyUploadedFingerprintFilePermission() throws Exception {
diff --git a/test/src/test/java/lib/layout/AjaxTest.java b/test/src/test/java/lib/layout/AjaxTest.java
@@ -61,7 +61,7 @@ public class AjaxTest {
     @Test
     @Issue("JENKINS-65288")
     public void ajaxPageRenderingPossibleWithoutJellyTrace() throws Exception {
-        JenkinsRule.WebClient wc = r.createWebClient();
+        JenkinsRule.WebClient wc = r.createWebClient().withJavaScriptEnabled(false);
         HtmlPage htmlPage = wc.goTo(getExecutorsWidgetAjaxViewUrl());
         r.assertGoodStatus(htmlPage);
     }
@@ -76,7 +76,7 @@ public void ajaxPageRenderingPossibleWithJellyTrace() throws Exception {
         try {
             JellyFacet.TRACE = true;
 
-            JenkinsRule.WebClient wc = r.createWebClient();
+            JenkinsRule.WebClient wc = r.createWebClient().withJavaScriptEnabled(false);
             HtmlPage htmlPage = wc.goTo(getExecutorsWidgetAjaxViewUrl());
             r.assertGoodStatus(htmlPage);
         } finally {

Original file line number	Diff line number	Diff line change
`@@ -4165,6 +4165,7 @@ public synchronized HttpRedirect doCancelQuietDown() {`
`4165`	`4165`	`return new HttpRedirect(".");`
`4166`	`4166`	`}`
`4167`	`4167`
	`4168`	`+ @POST`
`4168`	`4169`	`public HttpResponse doToggleCollapse() throws ServletException, IOException {`
`4169`	`4170`	`final StaplerRequest2 request = Stapler.getCurrentRequest2();`
`4170`	`4171`	`final String paneId = request.getParameter("paneId");`