SECURITY-3105 and SECURITY 3106

jenkinsci · Aug 4, 2023 · e3bfd78 · e3bfd78
1 parent 6a3fb43
commit e3bfd78
Show file tree

Hide file tree

Showing 3 changed files with 26 additions and 0 deletions.
diff --git a/src/main/java/com/cloudbees/hudson/plugins/folder/AbstractFolder.java b/src/main/java/com/cloudbees/hudson/plugins/folder/AbstractFolder.java
@@ -124,6 +124,7 @@
 import org.kohsuke.stapler.StaplerResponse;
 import org.kohsuke.stapler.export.Exported;
 import org.kohsuke.stapler.interceptor.RequirePOST;
+import org.kohsuke.stapler.verb.POST;
 
 /**
  * A general-purpose {@link ItemGroup}.
@@ -834,6 +835,7 @@ public ContextMenu doChildrenContextMenu(StaplerRequest request, StaplerResponse
         return menu;
     }
 
+    @POST
     public synchronized void doCreateView(StaplerRequest req, StaplerResponse rsp)
             throws IOException, ServletException, ParseException, Descriptor.FormException {
         checkPermission(View.CREATE);

diff --git a/src/main/java/com/cloudbees/hudson/plugins/folder/Folder.java b/src/main/java/com/cloudbees/hudson/plugins/folder/Folder.java
@@ -61,6 +61,7 @@
 import org.kohsuke.accmod.restrictions.DoNotUse;
 import org.kohsuke.stapler.StaplerRequest;
 import org.kohsuke.stapler.StaplerResponse;
+import org.kohsuke.stapler.verb.POST;
 
 /**
  * A mutable folder.
@@ -227,6 +228,7 @@ public void onCopiedFrom(Item _src) {
         }
     }
 
+    @POST
     public TopLevelItem doCreateItem(StaplerRequest req, StaplerResponse rsp) throws IOException, ServletException {
         TopLevelItem nue = mixin.createTopLevelItem(req, rsp);
         if (!isAllowedChild(nue)) {

diff --git a/src/test/java/com/cloudbees/hudson/plugins/folder/FolderTest.java b/src/test/java/com/cloudbees/hudson/plugins/folder/FolderTest.java
@@ -496,4 +496,26 @@ private HtmlAnchor findRenameAnchor(AbstractItem item) throws Exception {
         return page.getAnchorByHref(relativeUrl);
     }
 
+    @Issue("SECURITY-3105")
+    @Test public void doCreateView() throws Exception {
+        Folder f = createFolder();
+        String folderURL = f.getUrl() + "createView?mode=copy&name=NewView&from=All";
+        // Create a web client with the option to not throw exceptions on failing status codes - this allows us to catch the status code instead of the test crashing
+        JenkinsRule.WebClient webClient = r.createWebClient().withThrowExceptionOnFailingStatusCode(false);
+        // The expected response status code is 404, this means that the requested page is not available
+        // The request sent is using a GET instead of POST
+        assertEquals(404, webClient.goTo(folderURL).getWebResponse().getStatusCode());
+    }
+
+    @Issue("SECURITY-3106")
+    @Test public void doCreateItem() throws Exception {
+        Folder f = createFolder();
+        String folderURL = f.getUrl() + "createItem?mode=copy&name=NewFolder&from=" + f.getName();
+        // Create a web client with the option to not throw exceptions on failing status codes - this allows us to catch the status code instead of the test crashing
+        JenkinsRule.WebClient webClient = r.createWebClient().withThrowExceptionOnFailingStatusCode(false);
+        // The expected response status code of the folder URL is 405, this means that the method is not allowed
+        // The request sent is using a GET instead of POST request which is not allowed
+        assertEquals(405, webClient.goTo(folderURL).getWebResponse().getStatusCode());
+    }
+
 }