authorAntoine Vigneau <antoine.vigneau@sonarsource.com>2024-06-11 17:44:45 +0200
committersonartech <sonartech@sonarsource.com>2024-06-17 20:02:35 +0000
commit078306d53ad53ba38d5d4b06e6e8958a0c2c6595 (patch)
treecd0ac74f560aac0e2a3720b096239d7519f856c0 /server/sonar-webserver-webapi
parent0bdfddeed0bf06255f61c6b59dcfc6d132598e14 (diff)
SONAR-22365 Fix SSF-571
Diffstat (limited to 'server/sonar-webserver-webapi')
-rw-r--r--server/sonar-webserver-webapi/src/it/java/org/sonar/server/setting/ws/SetActionIT.java23
-rw-r--r--server/sonar-webserver-webapi/src/main/java/org/sonar/server/setting/ws/SetAction.java5
2 files changed, 27 insertions, 1 deletions
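diff --git a/server/sonar-webserver-webapi/src/it/java/org/sonar/server/setting/ws/SetActionIT.java b/server/sonar-webserver-webapi/src/it/java/org/sonar/server/setting/ws/SetActionIT.java
index e61fd9d52eb..dfd2961d6b6 100644
--- a/server/sonar-webserver-webapi/src/it/java/org/sonar/server/setting/ws/SetActionIT.java
+++ b/server/sonar-webserver-webapi/src/it/java/org/sonar/server/setting/ws/SetActionIT.java
@@ -69,6 +69,9 @@ import static java.util.Collections.singletonList;
 import static org.assertj.core.api.Assertions.assertThat;
 import static org.assertj.core.api.Assertions.assertThatThrownBy;
 import static org.assertj.core.groups.Tuple.tuple;
+import static org.sonar.auth.github.GitHubSettings.GITHUB_API_URL;
+import static org.sonar.auth.github.GitHubSettings.GITHUB_WEB_URL;
+import static org.sonar.auth.gitlab.GitLabSettings.GITLAB_AUTH_URL;
 import static org.sonar.db.property.PropertyTesting.newComponentPropertyDto;
 import static org.sonar.db.property.PropertyTesting.newGlobalPropertyDto;
 import static org.sonar.db.user.UserTesting.newUserDto;
@@ -1128,6 +1131,26 @@ public class SetActionIT {
 .hasMessage(format("Setting '%s' can only be used in sonar.properties", settingKey));
 }
+ @DataProvider
+ public static Object[][] forbiddenProperties() {
+ return new Object[][] {
+ {GITLAB_AUTH_URL},
+ {GITHUB_API_URL},
+ {GITHUB_WEB_URL},
+ };
+ }
+
+ @Test
+ @UseDataProvider("forbiddenProperties")
+ public void fail_when_setting_key_is_forbidden(String property) {
+ TestRequest testRequest = ws.newRequest()
+ .setParam("key", property)
+ .setParam("value", "value");
+ assertThatThrownBy(testRequest::execute)
+ .isInstanceOf(IllegalArgumentException.class)
+ .hasMessage("For security reasons, the key '%s' cannot be updated using this webservice. Please use the API v2", property);
+ }
+
 @Test
 public void fail_when_setting_key_is_forbidden() {
 TestRequest testRequest = ws.newRequest()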
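Review bot: The new data-provider test `public void fail_when_setting_key_is_forbidden(String property)` reuses the name of the existing zero-argument test `fail_when_setting_key_is_forbidden()` that immediately follows it, so the report lists two tests under one name, and the older test — whose body continues outside the hunk — now looks like a duplicate of the `GITLAB_AUTH_URL` row of the provider. Either rename the parameterized one, e.g. `public void fail_when_setting_key_is_forbidden_for_auth_urls(String property) {`, or fold the existing test's key into `forbiddenProperties()` and delete the old method. The provider only pins the exact constant values; if `SetAction` normalises the key (trim, case) before the `FORBIDDEN_KEYS` lookup, a variant row would document that the block cannot be bypassed by a differently spelled key — the lookup itself is not in this hunk, so this is an inferred gap.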
diff --git a/server/sonar-webserver-webapi/src/main/java/org/sonar/server/setting/ws/SetAction.java b/server/sonar-webserver-webapi/src/main/java/org/sonar/server/setting/ws/SetAction.java
index 034a2478dcd..555bf2d4062 100644
--- a/server/sonar-webserver-webapi/src/main/java/org/sonar/server/setting/ws/SetAction.java
+++ b/server/sonar-webserver-webapi/src/main/java/org/sonar/server/setting/ws/SetAction.java
@@ -57,6 +57,9 @@ import org.sonar.server.user.UserSession;
import static com.google.common.base.Preconditions.checkArgument;
import static java.lang.String.format;
+import static org.sonar.auth.github.GitHubSettings.GITHUB_API_URL;
+import static org.sonar.auth.github.GitHubSettings.GITHUB_WEB_URL;
+import static org.sonar.auth.gitlab.GitLabSettings.GITLAB_AUTH_URL;
import static org.sonar.server.exceptions.BadRequestException.checkRequest;
import static org.sonar.server.setting.ws.SettingsWsParameters.PARAM_COMPONENT;
import static org.sonar.server.setting.ws.SettingsWsParameters.PARAM_FIELD_VALUES;
@@ -70,7 +73,7 @@ public class SetAction implements SettingsWsAction {
private static final String MSG_NO_EMPTY_VALUE = "A non empty value must be provided";
private static final int VALUE_MAXIMUM_LENGTH = 4000;
private static final TypeToken<Map<String, String>> MAP_TYPE_TOKEN = new TypeToken<>() {};
- private static final Set<String> FORBIDDEN_KEYS = Set.of("sonar.auth.gitlab.url");
+ private static final Set<String> FORBIDDEN_KEYS = Set.of(GITLAB_AUTH_URL, GITHUB_API_URL, GITHUB_WEB_URL);
private final PropertyDefinitions propertyDefinitions;