From e3bfd7839a815d89d3580dcf41745cf2d5cb4b14 Mon Sep 17 00:00:00 2001
From: Julie Heard <55280278+julieheard@users.noreply.github.com>
Date: Thu, 18 May 2023 09:04:31 +0100
Subject: [PATCH] SECURITY-3105 and SECURITY 3106

---
 .../hudson/plugins/folder/AbstractFolder.java | 2 ++
 .../hudson/plugins/folder/Folder.java | 2 ++
 .../hudson/plugins/folder/FolderTest.java | 22 +++++++++++++++++++
 3 files changed, 26 insertions(+)

diff --git a/src/main/java/com/cloudbees/hudson/plugins/folder/AbstractFolder.java b/src/main/java/com/cloudbees/hudson/plugins/folder/AbstractFolder.java
index 4311efda..e4f7cb18 100644
--- a/src/main/java/com/cloudbees/hudson/plugins/folder/AbstractFolder.java
+++ b/src/main/java/com/cloudbees/hudson/plugins/folder/AbstractFolder.java
@@ -124,6 +124,7 @@ import org.kohsuke.stapler.StaplerResponse;
 import org.kohsuke.stapler.export.Exported;
 import org.kohsuke.stapler.interceptor.RequirePOST;
+import org.kohsuke.stapler.verb.POST;
 /**
  * A general-purpose {@link ItemGroup}.
@@ -834,6 +835,7 @@ public ContextMenu doChildrenContextMenu(StaplerRequest request, StaplerResponse
 return menu;
 }
+ @POST
 public synchronized void doCreateView(StaplerRequest req, StaplerResponse rsp) throws IOException, ServletException, ParseException, Descriptor.FormException {
 checkPermission(View.CREATE);
diff --git a/src/main/java/com/cloudbees/hudson/plugins/folder/Folder.java b/src/main/java/com/cloudbees/hudson/plugins/folder/Folder.java
index 64493e3a..9539ddc0 100644
--- a/src/main/java/com/cloudbees/hudson/plugins/folder/Folder.java
+++ b/src/main/java/com/cloudbees/hudson/plugins/folder/Folder.java
@@ -61,6 +61,7 @@ import org.kohsuke.accmod.restrictions.DoNotUse;
 import org.kohsuke.stapler.StaplerRequest;
 import org.kohsuke.stapler.StaplerResponse;
+import org.kohsuke.stapler.verb.POST;
 /**
  * A mutable folder. 
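Review bot: `@POST` on `doCreateView` makes Stapler skip the method for non-POST requests rather than reject them, so a GET falls through to whatever else resolves at that URL (the 404 the new `FolderTest.doCreateView` asserts), whereas the `@RequirePOST` interceptor this file already imports answers with a 405 and an explicit "requires POST" response; the same choice is made for `Folder.doCreateItem` in the later hunk. Either annotation closes the request-by-GET hole, but the two fail differently and nothing in the hunk records which behaviour is intended, so a one-line comment above the annotation would help the next maintainer who sees a 404 on this endpoint and assumes it was removed: `// @POST: non-POST requests are not dispatched here at all (404 via fall-through), unlike @RequirePOST which answers 405`. Worth confirming that the 404/405 split encoded in the new tests is deliberate rather than a side effect of another dispatcher matching `createItem`. doCreateView's body continues outside the hunk.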
@@ -227,6 +228,7 @@ public void onCopiedFrom(Item _src) {
 }
 }
+ @POST
 public TopLevelItem doCreateItem(StaplerRequest req, StaplerResponse rsp) throws IOException, ServletException {
 TopLevelItem nue = mixin.createTopLevelItem(req, rsp);
 if (!isAllowedChild(nue)) {
diff --git a/src/test/java/com/cloudbees/hudson/plugins/folder/FolderTest.java b/src/test/java/com/cloudbees/hudson/plugins/folder/FolderTest.java
index 2efe4185..c7f1e35d 100644
--- a/src/test/java/com/cloudbees/hudson/plugins/folder/FolderTest.java
+++ b/src/test/java/com/cloudbees/hudson/plugins/folder/FolderTest.java
@@ -496,4 +496,26 @@ private HtmlAnchor findRenameAnchor(AbstractItem item) throws Exception {
 return page.getAnchorByHref(relativeUrl);
 }
+ @Issue("SECURITY-3105")
+ @Test public void doCreateView() throws Exception {
+ Folder f = createFolder();
+ String folderURL = f.getUrl() + "createView?mode=copy&name=NewView&from=All";
+ // Create a web client with the option to not throw exceptions on failing status codes - this allows us to catch the status code instead of the test crashing
+ JenkinsRule.WebClient webClient = r.createWebClient().withThrowExceptionOnFailingStatusCode(false);
+ // The expected response status code is 404, this means that the requested page is not available
+ // The request sent is using a GET instead of POST
+ assertEquals(404, webClient.goTo(folderURL).getWebResponse().getStatusCode());
+ }
+
+ @Issue("SECURITY-3106")
+ @Test public void doCreateItem() throws Exception {
+ Folder f = createFolder();
+ String folderURL = f.getUrl() + "createItem?mode=copy&name=NewFolder&from=" + f.getName();
+ // Create a web client with the option to not throw exceptions on failing status codes - this allows us to catch the status code instead of the test crashing
+ JenkinsRule.WebClient webClient = r.createWebClient().withThrowExceptionOnFailingStatusCode(false);
+ // The expected response status code of the folder URL is 405, this means that the method is not allowed
+ // The request sent is using a GET instead of POST request which is not allowed
+ assertEquals(405, webClient.goTo(folderURL).getWebResponse().getStatusCode());
+ }
+ + }
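Review bot: Both new tests only assert that a GET is refused, so they would pass just as well if `createView` and `createItem` were removed outright; a POST round trip is missing to show the endpoint still works for the intended caller, e.g. `webClient.getPage(webClient.addCrumb(new WebRequest(new URL(r.getURL(), folderURL), HttpMethod.POST)))` followed by an assertion that the view or item now exists. The comment `// The expected response status code is 404, this means that the requested page is not available` in `doCreateView` describes the symptom but not the cause; the 404 presumably comes from `@POST` making Stapler skip the handler entirely, so `// @POST hides the handler from non-POST requests, so the GET falls through to a 404 rather than a 405` would be more useful, and the asymmetry with the 405 asserted for `createItem` deserves a sentence on which dispatcher answers there. The two bodies also duplicate the web-client setup and its comment; a small `webClientToleratingErrors()` helper or a shared field would keep them in step. The enclosing test class starts outside the hunk.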