[SECURITY-1004]

jenkinsci · Jan 9, 2020 · 0699914 · 0699914
1 parent 1e3a697
commit 0699914
Show file tree

Hide file tree

Showing 3 changed files with 9 additions and 0 deletions.
diff --git a/src/main/java/hudson/plugins/ec2/AmazonEC2Cloud.java b/src/main/java/hudson/plugins/ec2/AmazonEC2Cloud.java
@@ -52,6 +52,7 @@
 import com.amazonaws.services.ec2.AmazonEC2;
 import com.amazonaws.services.ec2.model.DescribeRegionsResult;
 import com.amazonaws.services.ec2.model.Region;
+import org.kohsuke.stapler.interceptor.RequirePOST;
 
 /**
  * The original implementation of {@link EC2Cloud}.
@@ -197,6 +198,7 @@ URL determineEC2EndpointURL(@Nullable String altEC2Endpoint) throws MalformedURL
             return new URL(altEC2Endpoint);
         }
 
+        @RequirePOST
         public FormValidation doTestConnection(
                 @QueryParameter String region,
                 @QueryParameter boolean useInstanceProfileForCredentials,
@@ -214,6 +216,7 @@ public FormValidation doTestConnection(
             return super.doTestConnection(getEc2EndpointUrl(region), useInstanceProfileForCredentials, credentialsId, privateKey, roleArn, roleSessionName, region);
         }
 
+        @RequirePOST
         public FormValidation doGenerateKey(StaplerResponse rsp, @QueryParameter String region, @QueryParameter boolean useInstanceProfileForCredentials, @QueryParameter String credentialsId, @QueryParameter String roleArn, @QueryParameter String roleSessionName)
                 throws IOException, ServletException {
             return super.doGenerateKey(rsp, getEc2EndpointUrl(region), useInstanceProfileForCredentials, credentialsId, roleArn, roleSessionName, region);

diff --git a/src/main/java/hudson/plugins/ec2/EC2Cloud.java b/src/main/java/hudson/plugins/ec2/EC2Cloud.java
@@ -69,6 +69,7 @@
 import hudson.Extension;
 import hudson.model.PeriodicWork;
 import hudson.model.TaskListener;
+import hudson.security.Permission;
 import hudson.util.ListBoxModel;
 import jenkins.model.Jenkins;
 import jenkins.model.JenkinsLocationConfiguration;
@@ -918,6 +919,7 @@ public FormValidation doCheckPrivateKey(@QueryParameter String value) throws IOE
 
         protected FormValidation doTestConnection(URL ec2endpoint, boolean useInstanceProfileForCredentials, String credentialsId, String privateKey, String roleArn, String roleSessionName, String region)
                 throws IOException, ServletException {
+            Jenkins.get().checkPermission(Jenkins.ADMINISTER);
             try {
                 AWSCredentialsProvider credentialsProvider = createCredentialsProvider(useInstanceProfileForCredentials, credentialsId, roleArn, roleSessionName, region);
                 AmazonEC2 ec2 = AmazonEC2Factory.getInstance().connect(credentialsProvider, ec2endpoint);
@@ -944,6 +946,7 @@ protected FormValidation doTestConnection(URL ec2endpoint, boolean useInstancePr
 
         public FormValidation doGenerateKey(StaplerResponse rsp, URL ec2EndpointUrl, boolean useInstanceProfileForCredentials, String credentialsId, String roleArn, String roleSessionName, String region)
                 throws IOException, ServletException {
+            Jenkins.get().checkPermission(Jenkins.ADMINISTER);
             try {
                 AWSCredentialsProvider credentialsProvider = createCredentialsProvider(useInstanceProfileForCredentials, credentialsId, roleArn, roleSessionName, region);
                 AmazonEC2 ec2 = AmazonEC2Factory.getInstance().connect(credentialsProvider, ec2EndpointUrl);

diff --git a/src/main/java/hudson/plugins/ec2/Eucalyptus.java b/src/main/java/hudson/plugins/ec2/Eucalyptus.java
@@ -35,6 +35,7 @@
 import org.kohsuke.stapler.DataBoundConstructor;
 import org.kohsuke.stapler.QueryParameter;
 import org.kohsuke.stapler.StaplerResponse;
+import org.kohsuke.stapler.interceptor.RequirePOST;
 
 /**
  * Eucalyptus.
@@ -71,12 +72,14 @@ public String getDisplayName() {
         }
 
         @Override
+        @RequirePOST
         public FormValidation doTestConnection(@QueryParameter URL ec2endpoint, @QueryParameter boolean useInstanceProfileForCredentials, @QueryParameter String credentialsId, @QueryParameter String privateKey, @QueryParameter String roleArn, @QueryParameter String roleSessionName, @QueryParameter String region)
                 throws IOException, ServletException {
             return super.doTestConnection(ec2endpoint, useInstanceProfileForCredentials, credentialsId, privateKey, roleArn, roleSessionName, region);
         }
 
         @Override
+        @RequirePOST
         public FormValidation doGenerateKey(StaplerResponse rsp, @QueryParameter URL url, @QueryParameter boolean useInstanceProfileForCredentials, @QueryParameter String credentialsId, @QueryParameter String roleArn, @QueryParameter String roleSessionName, @QueryParameter String region)
                 throws IOException, ServletException {
             return super.doGenerateKey(rsp, url, useInstanceProfileForCredentials, credentialsId, roleArn, roleSessionName, region);