From 86aebd3d33526d83d6cbc9aef7fb1f4831fb1805 Mon Sep 17 00:00:00 2001
From: Mathieu Delrocq
Date: Thu, 13 Feb 2020 14:04:39 +0100
Subject: [PATCH] SECURITY-1761
---
 .../fr/edf/jenkins/plugins/mac/MacHost.groovy | 8 ++------
 .../jenkins/plugins/mac/util/FormUtils.groovy | 19 +++++++++++++++++++
 2 files changed, 21 insertions(+), 6 deletions(-)
diff --git a/src/main/java/fr/edf/jenkins/plugins/mac/MacHost.groovy b/src/main/java/fr/edf/jenkins/plugins/mac/MacHost.groovy
index 0e66ac4..b9c4125 100644
--- a/src/main/java/fr/edf/jenkins/plugins/mac/MacHost.groovy
+++ b/src/main/java/fr/edf/jenkins/plugins/mac/MacHost.groovy
@@ -1,5 +1,6 @@
 package fr.edf.jenkins.plugins.mac
+import org.acegisecurity.AccessDeniedException
 import org.apache.commons.lang.StringUtils
 import org.kohsuke.stapler.AncestorInPath
 import org.kohsuke.stapler.DataBoundConstructor
@@ -224,12 +225,7 @@ class MacHost implements Describable {
 */
 @POST
 public FormValidation doCheckKey(@QueryParameter String key) {
- try {
- MacHostKeyVerifier.parseKey(key)
- return FormValidation.ok()
- } catch (MacHostKeyVerifierException|IllegalArgumentException ex) {
- return FormValidation.error(ex.getMessage())
- }
+ return FormUtils.verifyHostKey(key)
 }
 }
 }
diff --git a/src/main/java/fr/edf/jenkins/plugins/mac/util/FormUtils.groovy b/src/main/java/fr/edf/jenkins/plugins/mac/util/FormUtils.groovy
index e5437b1..d516011 100644
--- a/src/main/java/fr/edf/jenkins/plugins/mac/util/FormUtils.groovy
+++ b/src/main/java/fr/edf/jenkins/plugins/mac/util/FormUtils.groovy
@@ -4,6 +4,7 @@ import static com.cloudbees.plugins.credentials.CredentialsMatchers.anyOf
 import static com.cloudbees.plugins.credentials.CredentialsMatchers.instanceOf
 import static com.cloudbees.plugins.credentials.domains.URIRequirementBuilder.fromUri
+import org.acegisecurity.AccessDeniedException
 import org.antlr.v4.runtime.misc.NotNull
 import org.jenkinsci.plugins.plaincredentials.FileCredentials
 import org.kohsuke.accmod.Restricted
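Review bot: The `import org.acegisecurity.AccessDeniedException` added at the top of MacHost.groovy is not used by any line this patch shows in that file, because the try/catch in doCheckKey is removed and the exception is handled in FormUtils.verifyHostKey. Unless code outside the hunks needs it, drop the import. After the change, doCheckKey's authorization is no longer visible at the endpoint, which is a one-line delegate. Its Javadoc starts above the hunk and would benefit from a line such as `Requires Overall/Administer; enforced in FormUtils.verifyHostKey`.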
@@ -18,6 +19,7 @@ import fr.edf.jenkins.plugins.mac.Messages import fr.edf.jenkins.plugins.mac.ssh.SSHCommand import fr.edf.jenkins.plugins.mac.ssh.connection.SSHGlobalConnectionConfiguration import fr.edf.jenkins.plugins.mac.ssh.key.verifiers.MacHostKeyVerifier +import fr.edf.jenkins.plugins.mac.ssh.key.verifiers.MacHostKeyVerifierException import hudson.model.Item import hudson.model.ModelObject import hudson.security.ACL @@ -94,6 +96,7 @@ class FormUtils { static FormValidation verifyConnection(final String host, final Integer port, final String credentialsId, final String key, final ModelObject context) { try { + Jenkins.get().checkPermission(Jenkins.ADMINISTER) MacHostKeyVerifier verifier = new MacHostKeyVerifier(key) String result = SSHCommand.checkConnection(new SSHGlobalConnectionConfiguration(credentialsId: credentialsId, port: port, context: context, host: host, connectionTimeout: 30, @@ -160,4 +163,20 @@ class FormUtils { fromUri(getUri(Jenkins.get().getRootUrl()).toString()).build(), anyOf(instanceOf(FileCredentials))) } + + /** + * Check the validity of the given key + * @param key + * @return ok if valid, error with exception message if not + */ + @Restricted(NoExternalUse) + static FormValidation verifyHostKey(String key) { + try { + Jenkins.get().checkPermission(Jenkins.ADMINISTER) + MacHostKeyVerifier.parseKey(key) + return FormValidation.ok() + } catch (MacHostKeyVerifierException|IllegalArgumentException|AccessDeniedException ex) { + return FormValidation.error(ex.getMessage()) + } + } }
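Review bot: Placing `Jenkins.get().checkPermission(Jenkins.ADMINISTER)` inside the `try` of verifyConnection leaves the handling of a denied request to the catch clause, which is outside this hunk. The same placement in verifyHostKey (last hunk) visibly turns the AccessDeniedException into `FormValidation.error(ex.getMessage())`. Reporting an authorization failure as an ordinary validation result makes denied attempts hard to tell apart from bad input in request logs. I would move the check above `try {` in both methods and reduce the multi-catch in verifyHostKey to `catch (MacHostKeyVerifierException|IllegalArgumentException ex)`, so the denial propagates to the framework. The web method that calls verifyConnection is not part of this diff; it should be confirmed to carry `@POST`, as doCheckKey does.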
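Review bot: The Javadoc added for verifyHostKey leaves `@param key` without a description and does not mention that the method enforces a permission, which is the reason this helper exists. I would write `@param key the host key to validate` and add a sentence such as `Requires Overall/Administer; a caller without it receives an error result.` The `@return` line should also say that a permission failure produces the error result, since the catch covers AccessDeniedException as well as the two parsing exceptions.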