[SECURITY-2075] [SECURITY-2076] [SECURITY-2698]

daniel-beck · daniel-beck · commit 882a7d359f6a · 2022-04-07T08:44:39.000+02:00
diff --git a/src/main/java/hudson/scm/SubversionSCM.java b/src/main/java/hudson/scm/SubversionSCM.java
@@ -168,6 +168,7 @@
 import org.kohsuke.stapler.StaplerResponse;
 import org.kohsuke.stapler.export.Exported;
 import org.kohsuke.stapler.export.ExportedBean;
+import org.kohsuke.stapler.verb.POST;
 import org.tmatesoft.svn.core.*;
 import org.tmatesoft.svn.core.auth.*;
 import org.tmatesoft.svn.core.internal.io.dav.DAVRepositoryFactory;
@@ -2279,6 +2280,7 @@ public ISVNAuthenticationProvider createAuthenticationProvider() {
          * Submits the authentication info.
          */
         // TODO: stapler should do multipart/form-data handling
+        @POST
         public void doPostCredential(StaplerRequest req, StaplerResponse rsp) throws IOException, ServletException {
             Jenkins.getInstance().checkPermission(Item.CONFIGURE);
 
@@ -2345,6 +2347,7 @@ public void postCredential(String url, final UserProvidedCredential upc, PrintWr
          */
         @CheckForNull
         @Deprecated
+        @RequirePOST
         public FormValidation doCheckRemote(StaplerRequest req, @AncestorInPath AbstractProject context, @QueryParameter String value, @QueryParameter String credentialsId) {
             Jenkins instance = Jenkins.getInstance();
             if (instance != null) {
@@ -2528,6 +2531,7 @@ public FormValidation doCheckExcludedCommitMessages(@QueryParameter String value
         /**
          * Validates the remote server supports custom revision properties
          */
+        @RequirePOST
         public FormValidation doCheckRevisionPropertiesSupported(@AncestorInPath Item context,
                                                                  @QueryParameter String value,
                                                                  @QueryParameter String credentialsId,
@@ -3191,6 +3195,7 @@ public ListBoxModel fillCredentialsIdItems(@CheckForNull Item context, String re
             /**
              * Validate the value for a remote (repository) location.
              */
+            @RequirePOST
             public FormValidation doCheckRemote(/* TODO unused, delete */StaplerRequest req, @AncestorInPath Item context,
                     @QueryParameter String remote) {
 
diff --git a/src/main/java/hudson/scm/SubversionTagAction.java b/src/main/java/hudson/scm/SubversionTagAction.java
@@ -55,6 +55,7 @@
 import org.kohsuke.stapler.StaplerResponse;
 import org.kohsuke.stapler.export.Exported;
 import org.kohsuke.stapler.export.ExportedBean;
+import org.kohsuke.stapler.verb.POST;
 import org.tmatesoft.svn.core.SVNException;
 import org.tmatesoft.svn.core.SVNURL;
 import org.tmatesoft.svn.core.auth.ISVNAuthenticationManager;
@@ -212,6 +213,7 @@ public String makeTagURL(SvnInfo si) {
     /**
      * Invoked to actually tag the workspace.
      */
+    @POST
     public synchronized void doSubmit(StaplerRequest req, StaplerResponse rsp) throws IOException, ServletException {
         getACL().checkPermission(getPermission());
 
diff --git a/src/main/java/hudson/scm/browsers/FishEyeSVN.java b/src/main/java/hudson/scm/browsers/FishEyeSVN.java
@@ -41,6 +41,7 @@
 import java.net.MalformedURLException;
 import java.net.URL;
 import java.util.regex.Pattern;
+import org.kohsuke.stapler.interceptor.RequirePOST;
 
 /**
  * {@link RepositoryBrowser} for FishEye SVN.
@@ -130,6 +131,7 @@ public String getDisplayName() {
         /**
          * Performs on-the-fly validation of the URL.
          */
+        @RequirePOST
         public FormValidation doCheckUrl(@QueryParameter(fixEmpty=true) String value) throws IOException, ServletException {
             if(value==null) // nothing entered yet
                 return FormValidation.ok();
diff --git a/src/main/java/hudson/scm/browsers/Sventon.java b/src/main/java/hudson/scm/browsers/Sventon.java
@@ -42,6 +42,7 @@
 import java.net.URL;
 import java.net.URLEncoder;
 import jenkins.model.Jenkins;
+import org.kohsuke.stapler.interceptor.RequirePOST;
 
 /**
  * {@link RepositoryBrowser} for Sventon 1.x.
@@ -97,6 +98,7 @@ public String getDisplayName() {
         /**
          * Performs on-the-fly validation of the URL.
          */
+        @RequirePOST
         public FormValidation doCheckUrl(@AncestorInPath Item project,
                                          @QueryParameter(fixEmpty=true) final String value)
                 throws IOException, ServletException {
diff --git a/src/main/java/hudson/scm/browsers/Sventon2.java b/src/main/java/hudson/scm/browsers/Sventon2.java
@@ -43,6 +43,7 @@
 import java.net.URL;
 import java.net.URLEncoder;
 import jenkins.model.Jenkins;
+import org.kohsuke.stapler.interceptor.RequirePOST;
 
 /**
  * {@link RepositoryBrowser} for Sventon 2.x.
@@ -117,6 +118,7 @@ public String getDisplayName() {
         /**
          * Performs on-the-fly validation of the URL.
          */
+        @RequirePOST
         public FormValidation doCheckUrl(@AncestorInPath Item project,
                                          @QueryParameter(fixEmpty=true) final String value)
                 throws IOException, ServletException {
diff --git a/src/main/java/hudson/scm/listtagsparameter/ListSubversionTagsParameterDefinition.java b/src/main/java/hudson/scm/listtagsparameter/ListSubversionTagsParameterDefinition.java
@@ -378,6 +378,7 @@ public ISVNAuthenticationProvider createAuthenticationProvider(AbstractProject c
     }
 
     @CheckForNull
+    @RequirePOST
     public FormValidation doCheckTagsDir(StaplerRequest req, @AncestorInPath Item context, @QueryParameter String value) {
         Jenkins instance = Jenkins.getInstance();
         if (instance != null) {
diff --git a/src/main/resources/hudson/scm/SubversionSCM/ModuleLocation/config.jelly b/src/main/resources/hudson/scm/SubversionSCM/ModuleLocation/config.jelly
@@ -25,7 +25,7 @@ THE SOFTWARE.
 <?jelly escape-by-default='true'?>
 <j:jelly xmlns:j="jelly:core" xmlns:st="jelly:stapler" xmlns:d="jelly:define" xmlns:l="/lib/layout" xmlns:t="/lib/hudson" xmlns:f="/lib/form" xmlns:c="/lib/credentials">
   <f:entry title="${%Repository URL}" field="remote" help="/scm/SubversionSCM/url-help">
-    <f:textbox id="svn.remote.loc" onchange="{ /* workaround for JENKINS-19124 */
+    <f:textbox checkMethod="post" id="svn.remote.loc" onchange="{ /* workaround for JENKINS-19124 */
             var self=this.targetElement ? this.targetElement : this;
             var r=findNextFormItem(self,'credentialsId');
             r.onchange(r);
diff --git a/src/main/resources/hudson/scm/SubversionSCM/config.jelly b/src/main/resources/hudson/scm/SubversionSCM/config.jelly
@@ -57,7 +57,7 @@ THE SOFTWARE.
         <f:textarea />
     </f:entry>
     <f:entry title="${%Exclusion revprop name}" field="excludedRevprop">
-        <f:textbox checkUrl="'descriptorByName/hudson.scm.SubversionSCM/checkRevisionPropertiesSupported?value='+toValue(document.getElementById('svn.remote.loc'))+'&amp;credentialsId='+toValue(document.getElementById('svn.remote.cred'))+'&amp;excludedRevprop='+toValue(this)"/>
+        <f:textbox checkMethod="post" checkUrl="'descriptorByName/hudson.scm.SubversionSCM/checkRevisionPropertiesSupported?value='+toValue(document.getElementById('svn.remote.loc'))+'&amp;credentialsId='+toValue(document.getElementById('svn.remote.cred'))+'&amp;excludedRevprop='+toValue(this)"/>
     </f:entry>
     <f:entry title="${%Filter changelog}" field="filterChangelog">
         <f:checkbox />
diff --git a/src/main/resources/hudson/scm/browsers/AbstractSventon/config.jelly b/src/main/resources/hudson/scm/browsers/AbstractSventon/config.jelly
@@ -25,7 +25,7 @@ THE SOFTWARE.
 <?jelly escape-by-default='true'?>
 <j:jelly xmlns:j="jelly:core" xmlns:st="jelly:stapler" xmlns:d="jelly:define" xmlns:l="/lib/layout" xmlns:t="/lib/hudson" xmlns:f="/lib/form">
   <f:entry title="${%URL}" field="url">
-    <f:textbox />
+    <f:textbox checkMethod="post" />
   </f:entry>
   <f:entry title="${%Repository Instance}" field="repositoryInstance">
     <f:textbox />
diff --git a/src/main/resources/hudson/scm/browsers/FishEyeSVN/config.jelly b/src/main/resources/hudson/scm/browsers/FishEyeSVN/config.jelly
@@ -25,7 +25,7 @@ THE SOFTWARE.
 <?jelly escape-by-default='true'?>
 <j:jelly xmlns:j="jelly:core" xmlns:st="jelly:stapler" xmlns:d="jelly:define" xmlns:l="/lib/layout" xmlns:t="/lib/hudson" xmlns:f="/lib/form">
   <f:entry title="${%URL}" field="url">
-    <f:textbox />
+    <f:textbox checkMethod="post" />
   </f:entry>
   <f:entry title="${%Root module}" field="rootModule">
     <f:textbox />
diff --git a/src/main/resources/hudson/scm/listtagsparameter/ListSubversionTagsParameterDefinition/index.jelly b/src/main/resources/hudson/scm/listtagsparameter/ListSubversionTagsParameterDefinition/index.jelly
@@ -25,7 +25,8 @@
 <!-- this is the page fragment displayed when triggering a new build -->
 <?jelly escape-by-default='true'?>
 <j:jelly xmlns:j="jelly:core" xmlns:f="/lib/form" xmlns:st="jelly:stapler">
-  <f:entry title="${it.name}" description="${it.description}">
+  <j:set var="escapeEntryTitleAndDescription" value="false"/>
+  <f:entry title="${h.escape(it.name)}" description="${it.formattedDescription}">
     <!-- this div is required because of ParametersDefinitionProperty.java#117 -->
     <div name="parameter">
       <st:adjunct includes="lib.form.select.select"/>
diff --git a/src/test/java/hudson/scm/SubversionSCMTest.java b/src/test/java/hudson/scm/SubversionSCMTest.java
@@ -138,18 +138,37 @@ public void taggingPermission() throws Exception {
         } catch (ElementNotFoundException e) {
         }
 
-        // and that tagging would fail
+        // and that tagging would fail due to CSRF protection
         try {
             wc.getPage(b,"tagBuild/submit?name0=test&Submit=Tag");
-            fail("should have been denied");
+            fail("should have failed");
+        } catch (FailingHttpStatusCodeException e) {
+            // not found, wrong HTTP verb
+            assertEquals(e.getResponse().getStatusCode(),404);
+        }
+
+        // Now try with POST and crumb
+        try {
+            wc.getPage(new WebRequest(wc.createCrumbedUrl(b.getUrl() + "tagBuild/submit?name0=test&Submit=Tag"), HttpMethod.POST));
         } catch (FailingHttpStatusCodeException e) {
             // make sure the request is denied
             assertEquals(e.getResponse().getStatusCode(),403);
         }
 
-        // now login as alice and make sure that the tagging would succeed
+        // now login as alice
         wc = r.createWebClient();
         wc.login("alice","alice");
+
+        // a quick detour to confirm CSRF protection is effective
+        try {
+            wc.getPage(b,"tagBuild/submit?name0=test&Submit=Tag");
+            fail("should have failed");
+        } catch (FailingHttpStatusCodeException e) {
+            // not found, wrong HTTP verb
+            assertEquals(e.getResponse().getStatusCode(),404);
+        }
+
+        // make sure that the tagging would succeed
         html = wc.getPage(b,"tagBuild/");
         HtmlForm form = html.getFormByName("tag");
         r.submit(form);

Original file line number	Diff line number	Diff line change
`@@ -378,6 +378,7 @@ public ISVNAuthenticationProvider createAuthenticationProvider(AbstractProject c`
`378`	`378`	`}`
`379`	`379`
`380`	`380`	`@CheckForNull`
	`381`	`+ @RequirePOST`
`381`	`382`	`public FormValidation doCheckTagsDir(StaplerRequest req, @AncestorInPath Item context, @QueryParameter String value) {`
`382`	`383`	`Jenkins instance = Jenkins.getInstance();`
`383`	`384`	`if (instance != null) {`