[SECURITY-3251]

rsandell · rsandell · commit 5fa356ee8520 · 2024-01-09T17:15:54.000+01:00
diff --git a/src/main/java/io/jenkins/plugins/gitlabserverconfig/servers/GitLabServer.java b/src/main/java/io/jenkins/plugins/gitlabserverconfig/servers/GitLabServer.java
@@ -54,6 +54,7 @@
 import org.kohsuke.stapler.DataBoundSetter;
 import org.kohsuke.stapler.QueryParameter;
 import org.kohsuke.stapler.interceptor.RequirePOST;
+import org.kohsuke.stapler.verb.POST;
 
 /**
  * Represents a GitLab Server instance.
@@ -504,6 +505,7 @@ public static class DescriptorImpl extends Descriptor<GitLabServer> {
          * @param serverUrl the URL to check.
          * @return the validation results.
          */
+        @POST
         public static FormValidation doCheckServerUrl(@QueryParameter String serverUrl) {
             Jenkins.get().checkPermission(Jenkins.ADMINISTER);
             try {
diff --git a/src/main/resources/io/jenkins/plugins/gitlabserverconfig/servers/GitLabServer/config.groovy b/src/main/resources/io/jenkins/plugins/gitlabserverconfig/servers/GitLabServer/config.groovy
@@ -13,7 +13,7 @@ f.entry(title: _("Display Name"), field: "name", "description": "A unique name f
 }
 
 f.entry(title: _("Server URL"), field: "serverUrl", "description": "The url to the GitLab server") {
-    f.textbox(default: GitLabServer.GITLAB_SERVER_URL)
+    f.textbox(default: GitLabServer.GITLAB_SERVER_URL, checkMethod: 'post')
 }
 
 f.entry(title: _("Credentials"), field: "credentialsId", "description": "The Personal Access Token for GitLab APIs access") {
diff --git a/src/test/java/io/jenkins/plugins/gitlabserverconfig/servers/GitLabServerTest.java b/src/test/java/io/jenkins/plugins/gitlabserverconfig/servers/GitLabServerTest.java
@@ -4,10 +4,17 @@
 import static org.hamcrest.CoreMatchers.startsWith;
 import static org.hamcrest.MatcherAssert.assertThat;
 import static org.hamcrest.Matchers.is;
+import static org.junit.Assert.assertEquals;
 
+import java.io.IOException;
+import org.apache.http.HttpStatus;
+import org.htmlunit.html.HtmlPage;
 import org.junit.ClassRule;
 import org.junit.Test;
+import org.jvnet.hudson.test.Issue;
 import org.jvnet.hudson.test.JenkinsRule;
+import org.jvnet.hudson.test.JenkinsRule.WebClient;
+import org.xml.sax.SAXException;
 
 public class GitLabServerTest {
 
@@ -63,4 +70,17 @@ public void testFixEmptyAndTrimFive() throws Exception {
         assertThat(server.getCredentialsId(), is(""));
         assertThat(server.getHooksRootUrl(), nullValue());
     }
+
+    @Test
+    @Issue("SECURITY-3251")
+    public void testGetDoCheckServerUrl() throws IOException, SAXException {
+        try (WebClient wc = j.createWebClient()) {
+            wc.setThrowExceptionOnFailingStatusCode(false);
+            HtmlPage page = wc.goTo(
+                    "descriptorByName/io.jenkins.plugins.gitlabserverconfig.servers.GitLabServer/checkServerUrl?serverUrl=http://attacker.example.com");
+            assertEquals(
+                    HttpStatus.SC_NOT_FOUND,
+                    page.getWebResponse().getStatusCode()); // Should be 405 but Stapler doesn't work that way.
+        }
+    }
 }

Original file line number	Diff line number	Diff line change
`@@ -13,7 +13,7 @@ f.entry(title: _("Display Name"), field: "name", "description": "A unique name f`
`13`	`13`	`}`
`14`	`14`
`15`	`15`	`f.entry(title: _("Server URL"), field: "serverUrl", "description": "The url to the GitLab server") {`
`16`		`- f.textbox(default: GitLabServer.GITLAB_SERVER_URL)`
	`16`	`+ f.textbox(default: GitLabServer.GITLAB_SERVER_URL, checkMethod: 'post')`
`17`	`17`	`}`
`18`	`18`
`19`	`19`	`f.entry(title: _("Credentials"), field: "credentialsId", "description": "The Personal Access Token for GitLab APIs access") {`