From 1d5e1e9e457af5e8ce8c9a403933d6cb73542dbd Mon Sep 17 00:00:00 2001
From: Eduard Tita <49167996+eduard-tita@users.noreply.github.com>
Date: Tue, 7 Nov 2023 10:48:10 -0500
Subject: [PATCH] Add protection from CSRF (#291)
---
pom.xml | 2 +-
.../sonatype/nexus/ci/config/NxiqConfiguration.groovy | 9 +++++++++
.../sonatype/nexus/ci/config/Nxrm2Configuration.groovy | 5 +++++
.../sonatype/nexus/ci/config/Nxrm3Configuration.groovy | 5 +++++
4 files changed, 20 insertions(+), 1 deletion(-)
diff --git a/pom.xml b/pom.xml
index b471949c..19ca3414 100644
--- a/pom.xml
+++ b/pom.xml
@@ -85,7 +85,7 @@
true
1.23
1
- 4.3.1-01
+ 4.3.2-01
36
4.1
diff --git a/src/main/java/org/sonatype/nexus/ci/config/NxiqConfiguration.groovy b/src/main/java/org/sonatype/nexus/ci/config/NxiqConfiguration.groovy
index 767a228d..1482121b 100644
--- a/src/main/java/org/sonatype/nexus/ci/config/NxiqConfiguration.groovy
+++ b/src/main/java/org/sonatype/nexus/ci/config/NxiqConfiguration.groovy
@@ -24,6 +24,7 @@ import hudson.util.ListBoxModel
import jenkins.model.Jenkins
import org.kohsuke.stapler.DataBoundConstructor
import org.kohsuke.stapler.QueryParameter
+import org.kohsuke.stapler.verb.POST
class NxiqConfiguration
implements Describable
@@ -83,7 +84,9 @@ class NxiqConfiguration
Messages.NxiqConfiguration_DisplayName()
}
+ @POST
FormValidation doCheckDisplayName(@QueryParameter String value, @QueryParameter String internalId) {
+ Jenkins.get().checkPermission(Jenkins.ADMINISTER)
def globalConfigurations = GlobalNexusConfiguration.globalNexusConfiguration
for (NxiqConfiguration config : globalConfigurations.iqConfigs) {
if (config.internalId != internalId && config.displayName == value) {
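Review bot: The `@POST` added on `doCheckDisplayName` (and likewise on `doCheckId` and `doCheckServerUrl` in the next two hunks) only works if the matching form fields submit their validation request as POST; the diffstat lists no jelly change, so unless the corresponding `config.jelly` entries already carry `checkMethod="post"`, the browser will presumably keep sending GET, Stapler will reject it, and the display-name/id/URL validation silently stops working while the method stays protected. Worth confirming the jelly side in the same change, or at least recording the requirement next to each annotation, e.g. `// Requires checkMethod="post" on the form field; GET and non-ADMINISTER callers are rejected`. The body of `doCheckDisplayName` continues outside the hunk.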
@@ -93,7 +96,9 @@ class NxiqConfiguration
return FormUtil.validateNotEmpty(value, 'Display Name is required')
}
+ @POST
FormValidation doCheckId(@QueryParameter String value, @QueryParameter String internalId) {
+ Jenkins.get().checkPermission(Jenkins.ADMINISTER)
def globalConfigurations = GlobalNexusConfiguration.globalNexusConfiguration
for (NxiqConfiguration config : globalConfigurations.iqConfigs) {
if (config.internalId != internalId && config.id == value) {
@@ -108,7 +113,9 @@ class NxiqConfiguration
}
@SuppressWarnings('unused')
+ @POST
FormValidation doCheckServerUrl(@QueryParameter String value) {
+ Jenkins.get().checkPermission(Jenkins.ADMINISTER)
def validation = FormUtil.validateUrl(value)
if (validation.kind == Kind.OK) {
validation = FormUtil.validateNotEmpty(value, Messages.Configuration_ServerUrlRequired())
@@ -123,10 +130,12 @@ class NxiqConfiguration
}
@SuppressWarnings('unused')
+ @POST
FormValidation doVerifyCredentials(
@QueryParameter String serverUrl,
@QueryParameter String credentialsId) throws IOException
{
+ Jenkins.get().checkPermission(Jenkins.ADMINISTER)
return IqUtil.verifyJobCredentials(serverUrl, credentialsId, Jenkins.instance)
}
}
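Review bot: The new `Jenkins.get().checkPermission(Jenkins.ADMINISTER)` sits directly above `Jenkins.instance`, so the method now reaches the singleton through two different accessors; `Jenkins.instance` resolves to the deprecated `getInstance()`, and since the added line already relies on `Jenkins.get()` the return could use the same call: `return IqUtil.verifyJobCredentials(serverUrl, credentialsId, Jenkins.get())`. A one-line comment on the check, e.g. `// Global-config credential lookup: restrict to administrators and POST only`, would also make the intent clear to a later reader.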
diff --git a/src/main/java/org/sonatype/nexus/ci/config/Nxrm2Configuration.groovy b/src/main/java/org/sonatype/nexus/ci/config/Nxrm2Configuration.groovy
index f90d95c1..699ba82c 100644
--- a/src/main/java/org/sonatype/nexus/ci/config/Nxrm2Configuration.groovy
+++ b/src/main/java/org/sonatype/nexus/ci/config/Nxrm2Configuration.groovy
@@ -18,8 +18,10 @@ import org.sonatype.nexus.ci.config.NxrmConfiguration.NxrmDescriptor
import hudson.Extension
import hudson.util.FormValidation
+import jenkins.model.Jenkins
import org.kohsuke.stapler.DataBoundConstructor
import org.kohsuke.stapler.QueryParameter
+import org.kohsuke.stapler.verb.POST
import static hudson.util.FormValidation.error
import static hudson.util.FormValidation.ok
@@ -58,9 +60,12 @@ class Nxrm2Configuration
}
@Override
+ @POST
FormValidation doVerifyCredentials(@QueryParameter String serverUrl, @QueryParameter String credentialsId)
throws IOException
{
+ Jenkins.get().checkPermission(Jenkins.ADMINISTER)
+
try {
def repositories = getApplicableRepositories(serverUrl, credentialsId)
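Review bot: Placing `Jenkins.get().checkPermission(Jenkins.ADMINISTER)` before the `try` is the right order (an access-denied error is not caught and turned into a form message), but the requirement is recorded nowhere at contract level: this method overrides `NxrmDescriptor.doVerifyCredentials` (declaration outside this diff), and the `@POST` plus permission check now live only in this override and in the parallel `Nxrm3Configuration` hunk at the end of the patch, so a further descriptor subclass gets no protection unless its author repeats both. Consider a Javadoc note on the base declaration, e.g. `Implementations must be annotated @POST and call Jenkins.get().checkPermission(Jenkins.ADMINISTER) before looking up credentials.`, or hoisting the check into a base method that the subclasses delegate to. The body of this `doVerifyCredentials` continues past the hunk.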
diff --git a/src/main/java/org/sonatype/nexus/ci/config/Nxrm3Configuration.groovy b/src/main/java/org/sonatype/nexus/ci/config/Nxrm3Configuration.groovy
index 409a6dbc..97d0732d 100644
--- a/src/main/java/org/sonatype/nexus/ci/config/Nxrm3Configuration.groovy
+++ b/src/main/java/org/sonatype/nexus/ci/config/Nxrm3Configuration.groovy
@@ -17,8 +17,10 @@ import com.sonatype.nexus.api.exception.RepositoryManagerException
import groovy.util.logging.Log
import hudson.Extension
import hudson.util.FormValidation
+import jenkins.model.Jenkins
import org.kohsuke.stapler.DataBoundConstructor
import org.kohsuke.stapler.QueryParameter
+import org.kohsuke.stapler.verb.POST
import static hudson.util.FormValidation.error
import static hudson.util.FormValidation.ok
@@ -80,9 +82,12 @@ class Nxrm3Configuration
}
@Override
+ @POST
FormValidation doVerifyCredentials(@QueryParameter String serverUrl, @QueryParameter String credentialsId)
throws IOException
{
+ Jenkins.get().checkPermission(Jenkins.ADMINISTER)
+
def repositories
def badVersionMsg = ''