Fix codeql violations (#1580)

jenkinsci · Jun 28, 2024 · b90136f · b90136f
1 parent fa95177
commit b90136f
Show file tree

Hide file tree

Showing 2 changed files with 37 additions and 2 deletions.
diff --git a/src/main/java/org/csanchez/jenkins/plugins/kubernetes/KubectlBuildWrapper.java b/src/main/java/org/csanchez/jenkins/plugins/kubernetes/KubectlBuildWrapper.java
@@ -38,6 +38,7 @@
 import org.kohsuke.stapler.AncestorInPath;
 import org.kohsuke.stapler.DataBoundConstructor;
 import org.kohsuke.stapler.QueryParameter;
+import org.kohsuke.stapler.interceptor.RequirePOST;
 
 /**
  * @author <a href="mailto:[email protected]">Nicolas De Loof</a>
@@ -145,6 +146,8 @@ public String getDisplayName() {
             return "Setup Kubernetes CLI (kubectl)";
         }
 
+        @SuppressWarnings("unused") // called by stapler
+        @RequirePOST
         public ListBoxModel doFillCredentialsIdItems(
                 @AncestorInPath Item item, @QueryParameter String serverUrl, @QueryParameter String credentialsId) {
             if (item == null ? !Jenkins.get().hasPermission(Jenkins.MANAGE) : !item.hasPermission(Item.EXTENDED_READ)) {

diff --git a/src/main/java/org/csanchez/jenkins/plugins/kubernetes/KubernetesCloud.java b/src/main/java/org/csanchez/jenkins/plugins/kubernetes/KubernetesCloud.java
@@ -19,9 +19,11 @@
 import hudson.init.Initializer;
 import hudson.model.Descriptor;
 import hudson.model.DescriptorVisibilityFilter;
+import hudson.model.Item;
 import hudson.model.ItemGroup;
 import hudson.model.Label;
 import hudson.security.ACL;
+import hudson.security.AccessControlled;
 import hudson.slaves.Cloud;
 import hudson.slaves.NodeProvisioner;
 import hudson.util.FormApply;
@@ -69,6 +71,7 @@
 import org.kohsuke.stapler.DataBoundSetter;
 import org.kohsuke.stapler.HttpResponse;
 import org.kohsuke.stapler.QueryParameter;
+import org.kohsuke.stapler.Stapler;
 import org.kohsuke.stapler.StaplerRequest;
 import org.kohsuke.stapler.StaplerResponse;
 import org.kohsuke.stapler.interceptor.RequirePOST;
@@ -951,9 +954,15 @@ public FormValidation doCheckRetentionTimeout(@QueryParameter String value) {
         }
 
         @SuppressWarnings("unused") // used by jelly
+        @RequirePOST
         public FormValidation doCheckDirectConnection(
-                @QueryParameter boolean value, @QueryParameter String jenkinsUrl, @QueryParameter boolean webSocket)
-                throws IOException, ServletException {
+                @AncestorInPath AccessControlled owner,
+                @QueryParameter boolean value,
+                @QueryParameter String jenkinsUrl,
+                @QueryParameter boolean webSocket) {
+            if (!hasPermission(owner)) {
+                return FormValidation.ok();
+            }
             if (!webSocket) {
                 TcpSlaveAgentListener tcpSlaveAgentListener = Jenkins.get().getTcpSlaveAgentListener();
                 if (tcpSlaveAgentListener == null) {
@@ -991,6 +1000,23 @@ public FormValidation doCheckDirectConnection(
             return FormValidation.ok();
         }
 
+        private static boolean hasPermission(AccessControlled owner) {
+            if (owner instanceof Jenkins) {
+                // Regular cloud
+                return owner.hasPermission(Jenkins.ADMINISTER);
+            } else if (owner instanceof Item) {
+                // Shared cloud (CloudBees CI)
+                return owner.hasPermission(Item.CONFIGURE);
+            } else {
+                LOGGER.log(
+                        Level.WARNING,
+                        () -> "Unsupported owner type " + (owner == null ? "null" : owner.getClass()) + " (url: "
+                                + Stapler.getCurrentRequest().getOriginalRequestURI()
+                                + "). Please report this issue to the plugin maintainers.");
+                return false;
+            }
+        }
+
         @SuppressWarnings("unused") // used by jelly
         public FormValidation doCheckJenkinsUrl(@QueryParameter String value, @QueryParameter boolean directConnection)
                 throws IOException, ServletException {
@@ -1002,10 +1028,16 @@ public FormValidation doCheckJenkinsUrl(@QueryParameter String value, @QueryPara
             return FormValidation.ok();
         }
 
+        @SuppressWarnings("unused") // used by jelly
+        @RequirePOST
         public FormValidation doCheckWebSocket(
+                @AncestorInPath AccessControlled owner,
                 @QueryParameter boolean webSocket,
                 @QueryParameter boolean directConnection,
                 @QueryParameter String jenkinsTunnel) {
+            if (!hasPermission(owner)) {
+                return FormValidation.ok();
+            }
             if (webSocket) {
                 if (!WebSockets.isSupported()) {
                     return FormValidation.error("WebSocket support is not enabled in this Jenkins installation");