From 0699914b185018e44eb03d49a0a3931c7d3bd61d Mon Sep 17 00:00:00 2001 From: Francisco Javier Fernandez Gonzalez Date: Thu, 9 Jan 2020 11:14:36 +0100 Subject: [PATCH] [SECURITY-1004] --- src/main/java/hudson/plugins/ec2/AmazonEC2Cloud.java | 3 +++ src/main/java/hudson/plugins/ec2/EC2Cloud.java | 3 +++ src/main/java/hudson/plugins/ec2/Eucalyptus.java | 3 +++ 3 files changed, 9 insertions(+) diff --git a/src/main/java/hudson/plugins/ec2/AmazonEC2Cloud.java b/src/main/java/hudson/plugins/ec2/AmazonEC2Cloud.java index 950706c7a..add287a2b 100644 --- a/src/main/java/hudson/plugins/ec2/AmazonEC2Cloud.java +++ b/src/main/java/hudson/plugins/ec2/AmazonEC2Cloud.java @@ -52,6 +52,7 @@ import com.amazonaws.services.ec2.AmazonEC2; import com.amazonaws.services.ec2.model.DescribeRegionsResult; import com.amazonaws.services.ec2.model.Region; +import org.kohsuke.stapler.interceptor.RequirePOST; /** * The original implementation of {@link EC2Cloud}. @@ -197,6 +198,7 @@ URL determineEC2EndpointURL(@Nullable String altEC2Endpoint) throws MalformedURL return new URL(altEC2Endpoint); } + @RequirePOST public FormValidation doTestConnection( @QueryParameter String region, @QueryParameter boolean useInstanceProfileForCredentials, @@ -214,6 +216,7 @@ public FormValidation doTestConnection( return super.doTestConnection(getEc2EndpointUrl(region), useInstanceProfileForCredentials, credentialsId, privateKey, roleArn, roleSessionName, region); } + @RequirePOST public FormValidation doGenerateKey(StaplerResponse rsp, @QueryParameter String region, @QueryParameter boolean useInstanceProfileForCredentials, @QueryParameter String credentialsId, @QueryParameter String roleArn, @QueryParameter String roleSessionName) throws IOException, ServletException { return super.doGenerateKey(rsp, getEc2EndpointUrl(region), useInstanceProfileForCredentials, credentialsId, roleArn, roleSessionName, region); 
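Review bot: In the doTestConnection hunk the only authorization check comes from `super.doTestConnection(...)`, but `getEc2EndpointUrl(region)` is evaluated as an argument before that call is entered, so it runs for any authenticated user who can POST with a valid crumb; the same ordering appears in the doGenerateKey hunk below it. If that helper does anything beyond building a URL from the region string (its body is not in this patch), the cheapest fix is to make the check the first statement of both methods, `Jenkins.get().checkPermission(Jenkins.ADMINISTER);`, the same line this patch adds in EC2Cloud. Neither method carries `@Override`, and their first parameter is `String region` where the EC2Cloud methods take a `URL`, so these are overloads of the base methods rather than overrides, which matters for what Stapler still binds on this class.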
diff --git a/src/main/java/hudson/plugins/ec2/EC2Cloud.java b/src/main/java/hudson/plugins/ec2/EC2Cloud.java index 06f32924b..9d1842e45 100644 --- a/src/main/java/hudson/plugins/ec2/EC2Cloud.java +++ b/src/main/java/hudson/plugins/ec2/EC2Cloud.java @@ -69,6 +69,7 @@ import hudson.Extension; import hudson.model.PeriodicWork; import hudson.model.TaskListener; +import hudson.security.Permission; import hudson.util.ListBoxModel; import jenkins.model.Jenkins; import jenkins.model.JenkinsLocationConfiguration; @@ -918,6 +919,7 @@ public FormValidation doCheckPrivateKey(@QueryParameter String value) throws IOE protected FormValidation doTestConnection(URL ec2endpoint, boolean useInstanceProfileForCredentials, String credentialsId, String privateKey, String roleArn, String roleSessionName, String region) throws IOException, ServletException { + Jenkins.get().checkPermission(Jenkins.ADMINISTER); try { AWSCredentialsProvider credentialsProvider = createCredentialsProvider(useInstanceProfileForCredentials, credentialsId, roleArn, roleSessionName, region); AmazonEC2 ec2 = AmazonEC2Factory.getInstance().connect(credentialsProvider, ec2endpoint); @@ -944,6 +946,7 @@ protected FormValidation doTestConnection(URL ec2endpoint, boolean useInstancePr public FormValidation doGenerateKey(StaplerResponse rsp, URL ec2EndpointUrl, boolean useInstanceProfileForCredentials, String credentialsId, String roleArn, String roleSessionName, String region) throws IOException, ServletException { + Jenkins.get().checkPermission(Jenkins.ADMINISTER); try { AWSCredentialsProvider credentialsProvider = createCredentialsProvider(useInstanceProfileForCredentials, credentialsId, roleArn, roleSessionName, region); AmazonEC2 ec2 = AmazonEC2Factory.getInstance().connect(credentialsProvider, ec2EndpointUrl); diff --git a/src/main/java/hudson/plugins/ec2/Eucalyptus.java b/src/main/java/hudson/plugins/ec2/Eucalyptus.java index e6bc0d0fd..a4d1b1ed3 100644 --- a/src/main/java/hudson/plugins/ec2/Eucalyptus.java 
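Review bot: `hudson.security.Permission` is imported here, but the lines this patch adds only reference `Jenkins.ADMINISTER` through `Jenkins.get().checkPermission(...)`, which compiles without naming the `Permission` type. Unless the rest of the file uses it, the import is unused and should be dropped.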
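Review bot: The new `Jenkins.get().checkPermission(Jenkins.ADMINISTER);` in doTestConnection is correctly placed before `createCredentialsProvider(...)` and `connect(credentialsProvider, ec2endpoint)`, but nothing records why it is here or that CSRF protection is delegated to the public callers, since this method is `protected` and not web-bound itself. A comment above the check such as `// SECURITY-1004: this connects the stored credential to a caller-supplied endpoint, so require ADMINISTER here; every web-bound caller must also be @RequirePOST` keeps the two halves of the fix tied together when the subclasses are edited. The method body continues past the hunk.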
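Review bot: `doGenerateKey` in the second hunk is `public`, so Stapler still binds it as a web method on any subclass that does not override it with the same signature, and `AmazonEC2Cloud`'s `doGenerateKey` takes `String region` rather than `URL`, so on that class this base method remains reachable with only the new permission check and no `@RequirePOST`. Adding `@RequirePOST` directly above `public FormValidation doGenerateKey(StaplerResponse rsp, URL ec2EndpointUrl, ...`, with the `org.kohsuke.stapler.interceptor.RequirePOST` import this patch adds in the other two files, keeps the guarantee with the method instead of with each subclass. Without `@QueryParameter` on its parameters Stapler would presumably bind nulls for them, so the practical exposure is probably small, but the annotation costs nothing. The method body continues past the hunk.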
+++ b/src/main/java/hudson/plugins/ec2/Eucalyptus.java @@ -35,6 +35,7 @@ import org.kohsuke.stapler.DataBoundConstructor; import org.kohsuke.stapler.QueryParameter; import org.kohsuke.stapler.StaplerResponse; +import org.kohsuke.stapler.interceptor.RequirePOST; /** * Eucalyptus. @@ -71,12 +72,14 @@ public String getDisplayName() { } @Override + @RequirePOST public FormValidation doTestConnection(@QueryParameter URL ec2endpoint, @QueryParameter boolean useInstanceProfileForCredentials, @QueryParameter String credentialsId, @QueryParameter String privateKey, @QueryParameter String roleArn, @QueryParameter String roleSessionName, @QueryParameter String region) throws IOException, ServletException { return super.doTestConnection(ec2endpoint, useInstanceProfileForCredentials, credentialsId, privateKey, roleArn, roleSessionName, region); } @Override + @RequirePOST public FormValidation doGenerateKey(StaplerResponse rsp, @QueryParameter URL url, @QueryParameter boolean useInstanceProfileForCredentials, @QueryParameter String credentialsId, @QueryParameter String roleArn, @QueryParameter String roleSessionName, @QueryParameter String region) throws IOException, ServletException { return super.doGenerateKey(rsp, url, useInstanceProfileForCredentials, credentialsId, roleArn, roleSessionName, region);
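Review bot: Both overrides in the getDisplayName hunk are pure pass-throughs, so the `@RequirePOST` added above each looks redundant next to `super.doTestConnection`/`super.doGenerateKey` and is easy to lose in a refactor; a comment such as `// SECURITY-1004: CSRF guard for the web-bound entry point; the ADMINISTER check lives in EC2Cloud` above each annotation records the split between the two classes. Note that `ec2endpoint` and `url` are `@QueryParameter URL` values supplied by the caller and reach EC2Cloud unchanged, where the permission check this patch adds runs before they are used. The closing brace of `doGenerateKey` is outside the hunk.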