authorAntoine Vigneau <antoine.vigneau@sonarsource.com>2024-06-08 07:32:41 +0200
committersonartech <sonartech@sonarsource.com>2024-06-13 20:02:33 +0000
commit3727b06cb2d337f6f9f3d3f4936713b17ec1e564 (patch)
treebf9f6dfbac5a127bc60b327afa04b2365b26f901 /server/sonar-webserver-webapi
parentf2fdc6787513a65f3d1477b38a1fbac67607d6d9 (diff)
downloadsonarqube-3727b06cb2d337f6f9f3d3f4936713b17ec1e564.tar.gz
sonarqube-3727b06cb2d337f6f9f3d3f4936713b17ec1e564.zip
SONAR-22363 Fix SSF-572
Diffstat (limited to 'server/sonar-webserver-webapi')
-rw-r--r--server/sonar-webserver-webapi/src/it/java/org/sonar/server/setting/ws/SetActionIT.java10
-rw-r--r--server/sonar-webserver-webapi/src/main/java/org/sonar/server/setting/ws/SetAction.java12
2 files changed, 20 insertions, 2 deletions
diff --git a/server/sonar-webserver-webapi/src/it/java/org/sonar/server/setting/ws/SetActionIT.java b/server/sonar-webserver-webapi/src/it/java/org/sonar/server/setting/ws/SetActionIT.java
index 314851cca4f..e61fd9d52eb 100644
--- a/server/sonar-webserver-webapi/src/it/java/org/sonar/server/setting/ws/SetActionIT.java
+++ b/server/sonar-webserver-webapi/src/it/java/org/sonar/server/setting/ws/SetActionIT.java
@@ -1129,6 +1129,16 @@ public class SetActionIT {
}
@Test
+ public void fail_when_setting_key_is_forbidden() {
+ TestRequest testRequest = ws.newRequest()
+ .setParam("key", "sonar.auth.gitlab.url")
+ .setParam("value", "http://malicious.url");
+ assertThatThrownBy(testRequest::execute)
+ .isInstanceOf(IllegalArgumentException.class)
+ .hasMessage("For security reasons, the key 'sonar.auth.gitlab.url' cannot be updated using this webservice. Please use the API v2");
+ }
+
+ @Test
public void definition() {
WebService.Action definition = ws.getDef();
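Review bot: `fail_when_setting_key_is_forbidden` asserts only the exception type and the exact message; it does not assert that the rejected value was not persisted, which is the property the fix exists to guarantee. After the `assertThatThrownBy` block, look up the global property `sonar.auth.gitlab.url` through the test's DB helper and assert that it is absent (the helper's name is declared outside this hunk). The test also exercises only one exact spelling of the key; a second case sending the key with surrounding whitespace would document whether request parsing normalizes the key before the new check runs, which the hunk does not show. The `definition` test that follows continues past the end of the hunk.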
diff --git a/server/sonar-webserver-webapi/src/main/java/org/sonar/server/setting/ws/SetAction.java b/server/sonar-webserver-webapi/src/main/java/org/sonar/server/setting/ws/SetAction.java
index 5a87916e21d..034a2478dcd 100644
--- a/server/sonar-webserver-webapi/src/main/java/org/sonar/server/setting/ws/SetAction.java
+++ b/server/sonar-webserver-webapi/src/main/java/org/sonar/server/setting/ws/SetAction.java
@@ -69,8 +69,9 @@ public class SetAction implements SettingsWsAction {
private static final Collector<CharSequence, ?, String> COMMA_JOINER = Collectors.joining(",");
private static final String MSG_NO_EMPTY_VALUE = "A non empty value must be provided";
private static final int VALUE_MAXIMUM_LENGTH = 4000;
- private static final TypeToken<Map<String, String>> MAP_TYPE_TOKEN = new TypeToken<>() {
- };
+ private static final TypeToken<Map<String, String>> MAP_TYPE_TOKEN = new TypeToken<>() {};
+ private static final Set<String> FORBIDDEN_KEYS = Set.of("sonar.auth.gitlab.url");
+
private final PropertyDefinitions propertyDefinitions;
private final DbClient dbClient;
@@ -138,12 +139,19 @@ public class SetAction implements SettingsWsAction {
public void handle(Request request, Response response) throws Exception {
try (DbSession dbSession = dbClient.openSession(false)) {
SetRequest wsRequest = toWsRequest(request);
+ throwIfForbiddenKey(wsRequest.getKey());
SettingsWsSupport.validateKey(wsRequest.getKey());
doHandle(dbSession, wsRequest);
}
response.noContent();
}
+ private static void throwIfForbiddenKey(String key) {
+ if (FORBIDDEN_KEYS.contains(key)) {
+ throw new IllegalArgumentException(format("For security reasons, the key '%s' cannot be updated using this webservice. Please use the API v2", key));
+ }
+ }
+
private void doHandle(DbSession dbSession, SetRequest request) {
Optional<EntityDto> component = searchEntity(dbSession, request);
String projectKey = component.map(EntityDto::getKey).orElse(null);
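Review bot: `throwIfForbiddenKey` blocks by exact string equality against a single hard-coded key, and nothing in the hunk says why that key is special or why API v2 is the sanctioned channel, so the next maintainer cannot tell whether to extend the set or drop it. Add a why-comment at the `FORBIDDEN_KEYS` declaration in the earlier hunk, e.g. `// SSF-572: this legacy endpoint must not be able to repoint the GitLab auth URL; keys listed here are only settable through API v2 -- add further keys here rather than adding cases to the check`. Whether `toWsRequest` trims or otherwise normalizes the key is not visible here; if it does not and a later layer does, a variant spelling of the key would pass this equality check, so that is worth confirming. The check is applied only in this `handle`; if any other write path for settings exists it should consult the same set rather than its own copy. `doHandle` continues past the end of the hunk.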