Merge pull request #51 from olamy/SECURITY-2290

[SECURITY-2290] add missing @RequirePOST
jenkinsci · Feb 10, 2022 · e5c08ce · e5c08ce
2 parents c27073a + 21bf41a
commit e5c08ce
Show file tree

Hide file tree

Showing 3 changed files with 6 additions and 0 deletions.
diff --git a/src/main/java/jenkins/plugins/publish_over_ssh/descriptor/BapSshCredentialsDescriptor.java b/src/main/java/jenkins/plugins/publish_over_ssh/descriptor/BapSshCredentialsDescriptor.java
@@ -37,6 +37,7 @@
 import jenkins.plugins.publish_over_ssh.BapSshPublisherPlugin;
 import org.kohsuke.stapler.QueryParameter;
 import org.kohsuke.stapler.Stapler;
+import org.kohsuke.stapler.interceptor.RequirePOST;
 
 import java.io.IOException;
 
@@ -73,6 +74,7 @@ public FormValidation doCheckKeyPath(@QueryParameter final String value) {
         }
     }
 
+    @RequirePOST
     public FormValidation doTestConnection(@QueryParameter final String configName, @QueryParameter final String username,
                                            @QueryParameter final String encryptedPassphrase, @QueryParameter final String key,
                                            @QueryParameter final String keyPath) {

diff --git a/...n/java/jenkins/plugins/publish_over_ssh/descriptor/BapSshHostConfigurationDescriptor.java b/...n/java/jenkins/plugins/publish_over_ssh/descriptor/BapSshHostConfigurationDescriptor.java
@@ -35,6 +35,7 @@
 import org.kohsuke.stapler.QueryParameter;
 import org.kohsuke.stapler.StaplerRequest;
 import org.kohsuke.stapler.StaplerResponse;
+import org.kohsuke.stapler.interceptor.RequirePOST;
 
 @Extension
 public class BapSshHostConfigurationDescriptor extends Descriptor<BapSshHostConfiguration> {
@@ -84,6 +85,7 @@ public FormValidation doCheckKeyPath(@QueryParameter final String value) {
         return BPValidators.validateFileOnMaster(value);
     }
 
+    @RequirePOST
     public FormValidation doTestConnection(final StaplerRequest request, final StaplerResponse response) {
         final BapSshPublisherPlugin.Descriptor pluginDescriptor;
         Jenkins j = Jenkins.getInstanceOrNull();

diff --git a/...ain/java/jenkins/plugins/publish_over_ssh/descriptor/BapSshPublisherPluginDescriptor.java b/...ain/java/jenkins/plugins/publish_over_ssh/descriptor/BapSshPublisherPluginDescriptor.java
@@ -53,6 +53,7 @@
 import jenkins.plugins.publish_over_ssh.options.SshDefaults;
 import jenkins.plugins.publish_over_ssh.options.SshPluginDefaults;
 import net.sf.json.JSONObject;
+import org.kohsuke.stapler.interceptor.RequirePOST;
 
 @SuppressWarnings("PMD.TooManyMethods")
 public class BapSshPublisherPluginDescriptor extends BuildStepDescriptor<Publisher> {
@@ -190,6 +191,7 @@ public jenkins.plugins.publish_over.view_defaults.manage_jenkins.Messages getCom
         return new jenkins.plugins.publish_over.view_defaults.manage_jenkins.Messages();
     }
 
+    @RequirePOST
     public FormValidation doTestConnection(final StaplerRequest request, final StaplerResponse response) {
         final BapSshHostConfiguration hostConfig = request.bindParameters(BapSshHostConfiguration.class, "");
         hostConfig.setCommonConfig(request.bindParameters(BapSshCommonConfiguration.class, "common."));