diff options
author | Antoine Vigneau <antoine.vigneau@sonarsource.com> | 2024-06-08 07:32:41 +0200 |
---|---|---|
committer | sonartech <sonartech@sonarsource.com> | 2024-06-13 20:02:33 +0000 |
commit | 3727b06cb2d337f6f9f3d3f4936713b17ec1e564 (patch) | |
tree | bf9f6dfbac5a127bc60b327afa04b2365b26f901 /server/sonar-webserver-webapi | |
parent | f2fdc6787513a65f3d1477b38a1fbac67607d6d9 (diff) | |
download | sonarqube-3727b06cb2d337f6f9f3d3f4936713b17ec1e564.tar.gz sonarqube-3727b06cb2d337f6f9f3d3f4936713b17ec1e564.zip |
SONAR-22363 Fix SSF-572
Diffstat (limited to 'server/sonar-webserver-webapi')
-rw-r--r-- | server/sonar-webserver-webapi/src/it/java/org/sonar/server/setting/ws/SetActionIT.java | 10 | ||||
-rw-r--r-- | server/sonar-webserver-webapi/src/main/java/org/sonar/server/setting/ws/SetAction.java | 12 |
2 files changed, 20 insertions, 2 deletions
diff --git a/server/sonar-webserver-webapi/src/it/java/org/sonar/server/setting/ws/SetActionIT.java b/server/sonar-webserver-webapi/src/it/java/org/sonar/server/setting/ws/SetActionIT.java index 314851cca4f..e61fd9d52eb 100644 --- a/server/sonar-webserver-webapi/src/it/java/org/sonar/server/setting/ws/SetActionIT.java +++ b/server/sonar-webserver-webapi/src/it/java/org/sonar/server/setting/ws/SetActionIT.java @@ -1129,6 +1129,16 @@ public class SetActionIT { } @Test + public void fail_when_setting_key_is_forbidden() { + TestRequest testRequest = ws.newRequest() + .setParam("key", "sonar.auth.gitlab.url") + .setParam("value", "http://malicious.url"); + assertThatThrownBy(testRequest::execute) + .isInstanceOf(IllegalArgumentException.class) + .hasMessage("For security reasons, the key 'sonar.auth.gitlab.url' cannot be updated using this webservice. Please use the API v2"); + } + + @Test public void definition() { WebService.Action definition = ws.getDef(); diff --git a/server/sonar-webserver-webapi/src/main/java/org/sonar/server/setting/ws/SetAction.java b/server/sonar-webserver-webapi/src/main/java/org/sonar/server/setting/ws/SetAction.java index 5a87916e21d..034a2478dcd 100644 --- a/server/sonar-webserver-webapi/src/main/java/org/sonar/server/setting/ws/SetAction.java +++ b/server/sonar-webserver-webapi/src/main/java/org/sonar/server/setting/ws/SetAction.java @@ -69,8 +69,9 @@ public class SetAction implements SettingsWsAction { private static final Collector<CharSequence, ?, String> COMMA_JOINER = Collectors.joining(","); private static final String MSG_NO_EMPTY_VALUE = "A non empty value must be provided"; private static final int VALUE_MAXIMUM_LENGTH = 4000; - private static final TypeToken<Map<String, String>> MAP_TYPE_TOKEN = new TypeToken<>() { - }; + private static final TypeToken<Map<String, String>> MAP_TYPE_TOKEN = new TypeToken<>() {}; + private static final Set<String> FORBIDDEN_KEYS = Set.of("sonar.auth.gitlab.url"); + private final PropertyDefinitions propertyDefinitions; private final DbClient dbClient; @@ -138,12 +139,19 @@ public class SetAction implements SettingsWsAction { public void handle(Request request, Response response) throws Exception { try (DbSession dbSession = dbClient.openSession(false)) { SetRequest wsRequest = toWsRequest(request); + throwIfForbiddenKey(wsRequest.getKey()); SettingsWsSupport.validateKey(wsRequest.getKey()); doHandle(dbSession, wsRequest); } response.noContent(); } + private static void throwIfForbiddenKey(String key) { + if (FORBIDDEN_KEYS.contains(key)) { + throw new IllegalArgumentException(format("For security reasons, the key '%s' cannot be updated using this webservice. Please use the API v2", key)); + } + } + private void doHandle(DbSession dbSession, SetRequest request) { Optional<EntityDto> component = searchEntity(dbSession, request); String projectKey = component.map(EntityDto::getKey).orElse(null); |