From 3727b06cb2d337f6f9f3d3f4936713b17ec1e564 Mon Sep 17 00:00:00 2001 From: Antoine Vigneau Date: Sat, 8 Jun 2024 07:32:41 +0200 Subject: SONAR-22363 Fix SSF-572 --- .../src/it/java/org/sonar/server/setting/ws/SetActionIT.java | 10 ++++++++++ .../src/main/java/org/sonar/server/setting/ws/SetAction.java | 12 ++++++++++-- 2 files changed, 20 insertions(+), 2 deletions(-) (limited to 'server/sonar-webserver-webapi') diff --git a/server/sonar-webserver-webapi/src/it/java/org/sonar/server/setting/ws/SetActionIT.java b/server/sonar-webserver-webapi/src/it/java/org/sonar/server/setting/ws/SetActionIT.java index 314851cca4f..e61fd9d52eb 100644 --- a/server/sonar-webserver-webapi/src/it/java/org/sonar/server/setting/ws/SetActionIT.java +++ b/server/sonar-webserver-webapi/src/it/java/org/sonar/server/setting/ws/SetActionIT.java @@ -1128,6 +1128,16 @@ public class SetActionIT { .hasMessage(format("Setting '%s' can only be used in sonar.properties", settingKey)); } + @Test + public void fail_when_setting_key_is_forbidden() { + TestRequest testRequest = ws.newRequest() + .setParam("key", "sonar.auth.gitlab.url") + .setParam("value", "http://malicious.url"); + assertThatThrownBy(testRequest::execute) + .isInstanceOf(IllegalArgumentException.class) + .hasMessage("For security reasons, the key 'sonar.auth.gitlab.url' cannot be updated using this webservice. Please use the API v2"); + } + @Test public void definition() { WebService.Action definition = ws.getDef(); diff --git a/server/sonar-webserver-webapi/src/main/java/org/sonar/server/setting/ws/SetAction.java b/server/sonar-webserver-webapi/src/main/java/org/sonar/server/setting/ws/SetAction.java index 5a87916e21d..034a2478dcd 100644 --- a/server/sonar-webserver-webapi/src/main/java/org/sonar/server/setting/ws/SetAction.java +++ b/server/sonar-webserver-webapi/src/main/java/org/sonar/server/setting/ws/SetAction.java @@ -69,8 +69,9 @@ public class SetAction implements SettingsWsAction { private static final Collector COMMA_JOINER = Collectors.joining(","); private static final String MSG_NO_EMPTY_VALUE = "A non empty value must be provided"; private static final int VALUE_MAXIMUM_LENGTH = 4000; - private static final TypeToken> MAP_TYPE_TOKEN = new TypeToken<>() { - }; + private static final TypeToken> MAP_TYPE_TOKEN = new TypeToken<>() {}; + private static final Set FORBIDDEN_KEYS = Set.of("sonar.auth.gitlab.url"); + private final PropertyDefinitions propertyDefinitions; private final DbClient dbClient; @@ -138,12 +139,19 @@ public class SetAction implements SettingsWsAction { public void handle(Request request, Response response) throws Exception { try (DbSession dbSession = dbClient.openSession(false)) { SetRequest wsRequest = toWsRequest(request); + throwIfForbiddenKey(wsRequest.getKey()); SettingsWsSupport.validateKey(wsRequest.getKey()); doHandle(dbSession, wsRequest); } response.noContent(); } + private static void throwIfForbiddenKey(String key) { + if (FORBIDDEN_KEYS.contains(key)) { + throw new IllegalArgumentException(format("For security reasons, the key '%s' cannot be updated using this webservice. Please use the API v2", key)); + } + } + private void doHandle(DbSession dbSession, SetRequest request) { Optional component = searchEntity(dbSession, request); String projectKey = component.map(EntityDto::getKey).orElse(null); -- cgit v1.2.3