Add protection from CSRF (#291)
1 parent 8e1fb2a commit 1d5e1e9


4 files changed

+20
-1
lines changed


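--- a/pom.xml
+++ b/pom.xml
@@ -85,7 +85,7 @@
 <enforcer.skip>true</enforcer.skip> <!-- TODO numerous requireUpperBoundDeps, some probably indicative of real problems -->
 <jvnet-localizer-plugin.version>1.23</jvnet-localizer-plugin.version>
 <forkCount>1</forkCount>
-<nexus-platform-api.version>4.3.1-01</nexus-platform-api.version>
+<nexus-platform-api.version>4.3.2-01</nexus-platform-api.version>
 
 <buildsupport.version>36</buildsupport.version>
 <buildsupport.license-maven-plugin.version>4.1</buildsupport.license-maven-plugin.version>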

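--- a/src/main/java/org/sonatype/nexus/ci/config/NxiqConfiguration.groovy
+++ b/src/main/java/org/sonatype/nexus/ci/config/NxiqConfiguration.groovy
@@ -24,6 +24,7 @@ import hudson.util.ListBoxModel
 import jenkins.model.Jenkins
 import org.kohsuke.stapler.DataBoundConstructor
 import org.kohsuke.stapler.QueryParameter
+import org.kohsuke.stapler.verb.POST
 
 class NxiqConfiguration
 implements Describable<NxiqConfiguration>
@@ -83,7 +84,9 @@ class NxiqConfiguration
 Messages.NxiqConfiguration_DisplayName()
 }
 
+@POST
 FormValidation doCheckDisplayName(@QueryParameter String value, @QueryParameter String internalId) {
+Jenkins.get().checkPermission(Jenkins.ADMINISTER)
 def globalConfigurations = GlobalNexusConfiguration.globalNexusConfiguration
 for (NxiqConfiguration config : globalConfigurations.iqConfigs) {
 if (config.internalId != internalId && config.displayName == value) {
@@ -93,7 +96,9 @@ class NxiqConfiguration
 return FormUtil.validateNotEmpty(value, 'Display Name is required')
 }
 
+@POST
 FormValidation doCheckId(@QueryParameter String value, @QueryParameter String internalId) {
+Jenkins.get().checkPermission(Jenkins.ADMINISTER)
 def globalConfigurations = GlobalNexusConfiguration.globalNexusConfiguration
 for (NxiqConfiguration config : globalConfigurations.iqConfigs) {
 if (config.internalId != internalId && config.id == value) {
@@ -108,7 +113,9 @@ class NxiqConfiguration
 }
 
 @SuppressWarnings('unused')
+@POST
 FormValidation doCheckServerUrl(@QueryParameter String value) {
+Jenkins.get().checkPermission(Jenkins.ADMINISTER)
 def validation = FormUtil.validateUrl(value)
 if (validation.kind == Kind.OK) {
 validation = FormUtil.validateNotEmpty(value, Messages.Configuration_ServerUrlRequired())
@@ -123,10 +130,12 @@ class NxiqConfiguration
 }
 
 @SuppressWarnings('unused')
+@POST
 FormValidation doVerifyCredentials(
 @QueryParameter String serverUrl,
 @QueryParameter String credentialsId) throws IOException
 {
+Jenkins.get().checkPermission(Jenkins.ADMINISTER)
 return IqUtil.verifyJobCredentials(serverUrl, credentialsId, Jenkins.instance)
 }
 }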
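Review bot: Marking the four validation endpoints `@POST` only helps if the browser actually sends POST, so the Jelly fields wired to `doCheckDisplayName`, `doCheckId`, `doCheckServerUrl` and `doVerifyCredentials` (not in this diff) need `checkMethod="post"` unless the plugin's Jenkins baseline already defaults to it; otherwise the validation requests will silently stop reaching these methods instead of being protected. The guard in `doVerifyCredentials` is the one that matters most, since that method hands a caller-supplied `serverUrl` and `credentialsId` to `IqUtil.verifyJobCredentials`, which could let an unprivileged or CSRF-driven caller point stored credentials at a host of their choosing. While here, the same method now mixes `Jenkins.get()` on the new line with `Jenkins.instance` on the return; `return IqUtil.verifyJobCredentials(serverUrl, credentialsId, Jenkins.get())` keeps the two consistent. The class these methods belong to starts outside the hunks.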

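--- a/src/main/java/org/sonatype/nexus/ci/config/Nxrm2Configuration.groovy
+++ b/src/main/java/org/sonatype/nexus/ci/config/Nxrm2Configuration.groovy
@@ -18,8 +18,10 @@ import org.sonatype.nexus.ci.config.NxrmConfiguration.NxrmDescriptor
 
 import hudson.Extension
 import hudson.util.FormValidation
+import jenkins.model.Jenkins
 import org.kohsuke.stapler.DataBoundConstructor
 import org.kohsuke.stapler.QueryParameter
+import org.kohsuke.stapler.verb.POST
 
 import static hudson.util.FormValidation.error
 import static hudson.util.FormValidation.ok
@@ -58,9 +60,12 @@ class Nxrm2Configuration
 }
 
 @Override
+@POST
 FormValidation doVerifyCredentials(@QueryParameter String serverUrl, @QueryParameter String credentialsId)
 throws IOException
 {
+Jenkins.get().checkPermission(Jenkins.ADMINISTER)
+
 try {
 def repositories = getApplicableRepositories(serverUrl, credentialsId)
 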
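Review bot: The new `Jenkins.get().checkPermission(Jenkins.ADMINISTER)` line carries the whole security fix but says nothing about why it is there, and a later cleanup could easily drop a call that looks like a no-op. A why-comment above it would anchor the intent, e.g. `// Admin only: this probes a caller-supplied serverUrl with stored credentials, so it must not be reachable by unprivileged users or via CSRF.` The `@POST` annotation deserves a word as well, since it changes the endpoint's HTTP contract and the matching Jelly field (not in this diff) presumably has to submit with `checkMethod="post"` for validation to keep working. The method body continues past the end of the hunk.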
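--- a/src/main/java/org/sonatype/nexus/ci/config/Nxrm3Configuration.groovy
+++ b/src/main/java/org/sonatype/nexus/ci/config/Nxrm3Configuration.groovy
@@ -17,8 +17,10 @@ import com.sonatype.nexus.api.exception.RepositoryManagerException
 import groovy.util.logging.Log
 import hudson.Extension
 import hudson.util.FormValidation
+import jenkins.model.Jenkins
 import org.kohsuke.stapler.DataBoundConstructor
 import org.kohsuke.stapler.QueryParameter
+import org.kohsuke.stapler.verb.POST
 
 import static hudson.util.FormValidation.error
 import static hudson.util.FormValidation.ok
@@ -80,9 +82,12 @@ class Nxrm3Configuration
 }
 
 @Override
+@POST
 FormValidation doVerifyCredentials(@QueryParameter String serverUrl, @QueryParameter String credentialsId)
 throws IOException
 {
+Jenkins.get().checkPermission(Jenkins.ADMINISTER)
+
 def repositories
 def badVersionMsg = ''
 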
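Review bot: Because `doVerifyCredentials` is an `@Override`, the protection depends on every concrete descriptor repeating both `@POST` and the permission check, and the base declaration in `NxrmConfiguration.NxrmDescriptor` (not in this diff) presumably has neither, so a future subclass that forgets them would quietly reopen the hole. Consider moving the guard into the base instead: let the base method perform `Jenkins.get().checkPermission(Jenkins.ADMINISTER)` and then delegate to a protected `verifyCredentials(serverUrl, credentialsId)` hook that subclasses override, or at minimum add `@POST` and the same check to the base method as well. Java does not inherit method-level annotations, so annotating only the base would not be sufficient on its own. The method body continues past the end of the hunk.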