author | Antoine Vigneau <antoine.vigneau@sonarsource.com> | 2024-06-11 17:44:45 +0200 |
committer | sonartech <sonartech@sonarsource.com> | 2024-06-17 20:02:35 +0000 |
commit | 078306d53ad53ba38d5d4b06e6e8958a0c2c6595 (patch) | |
tree | cd0ac74f560aac0e2a3720b096239d7519f856c0 /server/sonar-webserver-webapi | |
parent | 0bdfddeed0bf06255f61c6b59dcfc6d132598e14 (diff) | |
SONAR-22365 Fix SSF-571
Diffstat (limited to 'server/sonar-webserver-webapi')
-rw-r--r-- | server/sonar-webserver-webapi/src/it/java/org/sonar/server/setting/ws/SetActionIT.java | 23 | ||||
-rw-r--r-- | server/sonar-webserver-webapi/src/main/java/org/sonar/server/setting/ws/SetAction.java | 5 |
2 files changed, 27 insertions, 1 deletions
diff --git a/server/sonar-webserver-webapi/src/it/java/org/sonar/server/setting/ws/SetActionIT.java b/server/sonar-webserver-webapi/src/it/java/org/sonar/server/setting/ws/SetActionIT.java
index e61fd9d52eb..dfd2961d6b6 100644
--- a/server/sonar-webserver-webapi/src/it/java/org/sonar/server/setting/ws/SetActionIT.java
+++ b/server/sonar-webserver-webapi/src/it/java/org/sonar/server/setting/ws/SetActionIT.java
@@ -69,6 +69,9 @@ import static java.util.Collections.singletonList;
 import static org.assertj.core.api.Assertions.assertThat;
 import static org.assertj.core.api.Assertions.assertThatThrownBy;
 import static org.assertj.core.groups.Tuple.tuple;
+import static org.sonar.auth.github.GitHubSettings.GITHUB_API_URL;
+import static org.sonar.auth.github.GitHubSettings.GITHUB_WEB_URL;
+import static org.sonar.auth.gitlab.GitLabSettings.GITLAB_AUTH_URL;
 import static org.sonar.db.property.PropertyTesting.newComponentPropertyDto;
 import static org.sonar.db.property.PropertyTesting.newGlobalPropertyDto;
 import static org.sonar.db.user.UserTesting.newUserDto;
@@ -1128,6 +1131,26 @@ public class SetActionIT {
 .hasMessage(format("Setting '%s' can only be used in sonar.properties", settingKey));
 }
 
+ @DataProvider
+ public static Object[][] forbiddenProperties() {
+ return new Object[][] {
+ {GITLAB_AUTH_URL},
+ {GITHUB_API_URL},
+ {GITHUB_WEB_URL},
+ };
+ }
+
+ @Test
+ @UseDataProvider("forbiddenProperties")
+ public void fail_when_setting_key_is_forbidden(String property) {
+ TestRequest testRequest = ws.newRequest()
+ .setParam("key", property)
+ .setParam("value", "value");
+ assertThatThrownBy(testRequest::execute)
+ .isInstanceOf(IllegalArgumentException.class)
+ .hasMessage("For security reasons, the key '%s' cannot be updated using this webservice. Please use the API v2", property);
+ }
+
 @Test
 public void fail_when_setting_key_is_forbidden() {
 TestRequest testRequest = ws.newRequest()
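Review bot: The new parameterized test reuses the name `fail_when_setting_key_is_forbidden`, which the existing zero-argument test in the trailing context lines already carries, so the class now has two overloaded test methods that are hard to tell apart in reports; if the old test only exercises the GitLab key (I cannot see its body from here) it is a subset of the new data-provider cases and should be removed, otherwise rename the new one, e.g. `public void fail_when_setting_auth_url_key_is_forbidden(String property)`. The data provider covers the three forbidden constants but nothing pins that a key outside the list is still accepted, so a companion case that sets a non-listed key and expects success would document that the deny list is exact-match rather than prefix-based, which SetAction's comparison (not in this hunk) should confirm. The hunk adds no imports for `@DataProvider`/`@UseDataProvider` nor a `@RunWith(DataProviderRunner.class)`, so presumably the class already declares them; worth checking the file header. The enclosing class `SetActionIT` continues outside the hunk.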
diff --git a/server/sonar-webserver-webapi/src/main/java/org/sonar/server/setting/ws/SetAction.java b/server/sonar-webserver-webapi/src/main/java/org/sonar/server/setting/ws/SetAction.java
index 034a2478dcd..555bf2d4062 100644
--- a/server/sonar-webserver-webapi/src/main/java/org/sonar/server/setting/ws/SetAction.java
+++ b/server/sonar-webserver-webapi/src/main/java/org/sonar/server/setting/ws/SetAction.java
@@ -57,6 +57,9 @@ import org.sonar.server.user.UserSession;
 
 import static com.google.common.base.Preconditions.checkArgument;
 import static java.lang.String.format;
+import static org.sonar.auth.github.GitHubSettings.GITHUB_API_URL;
+import static org.sonar.auth.github.GitHubSettings.GITHUB_WEB_URL;
+import static org.sonar.auth.gitlab.GitLabSettings.GITLAB_AUTH_URL;
 import static org.sonar.server.exceptions.BadRequestException.checkRequest;
 import static org.sonar.server.setting.ws.SettingsWsParameters.PARAM_COMPONENT;
 import static org.sonar.server.setting.ws.SettingsWsParameters.PARAM_FIELD_VALUES;
@@ -70,7 +73,7 @@ public class SetAction implements SettingsWsAction {
 private static final String MSG_NO_EMPTY_VALUE = "A non empty value must be provided";
 private static final int VALUE_MAXIMUM_LENGTH = 4000;
 private static final TypeToken<Map<String, String>> MAP_TYPE_TOKEN = new TypeToken<>() {};
- private static final Set<String> FORBIDDEN_KEYS = Set.of("sonar.auth.gitlab.url");
+ private static final Set<String> FORBIDDEN_KEYS = Set.of(GITLAB_AUTH_URL, GITHUB_API_URL, GITHUB_WEB_URL);
 private final PropertyDefinitions propertyDefinitions;