[SECURITY-810] require POST for repo browser check

See https://jenkins.io/doc/developer/security/form-validation/ for stapler
security guidelines.  I assume the repo URL check is "state changing"
because it opens an external URL.  Therefore, the request requires POST
instead of GET.

Author: MarkEWaite

src/main/java/hudson/plugins/git/browser/AssemblaWeb.java

@@ -12,6 +12,7 @@
 import jenkins.model.Jenkins;
 import net.sf.json.JSONObject;
 import org.kohsuke.stapler.DataBoundConstructor;
+import org.kohsuke.stapler.interceptor.RequirePOST;
 import org.kohsuke.stapler.QueryParameter;
 import org.kohsuke.stapler.StaplerRequest;
 
@@ -96,6 +97,7 @@ public AssemblaWeb newInstance(StaplerRequest req, @Nonnull JSONObject jsonObjec
             return req.bindJSON(AssemblaWeb.class, jsonObject);
         }
 
+        @RequirePOST
         public FormValidation doCheckUrl(@QueryParameter(fixEmpty = true) final String url)
                 throws IOException, ServletException {
             if (url == null) // nothing entered yet

src/main/java/hudson/plugins/git/browser/FisheyeGitRepositoryBrowser.java

@@ -12,6 +12,7 @@
 import hudson.util.FormValidation.URLCheck;
 import net.sf.json.JSONObject;
 import org.kohsuke.stapler.DataBoundConstructor;
+import org.kohsuke.stapler.interceptor.RequirePOST;
 import org.kohsuke.stapler.QueryParameter;
 import org.kohsuke.stapler.StaplerRequest;
 
@@ -87,6 +88,7 @@ public FisheyeGitRepositoryBrowser newInstance(StaplerRequest req, @Nonnull JSON
                  * @throws IOException on input or output error
                  * @throws ServletException on servlet error
 		 */
+		@RequirePOST
 		@SuppressFBWarnings(value="NP_NULL_ON_SOME_PATH_FROM_RETURN_VALUE", justification="Jenkins.getInstance() is not null")
 		public FormValidation doCheckRepoUrl(@QueryParameter(fixEmpty = true) String value) throws IOException,
 				ServletException {

src/main/java/hudson/plugins/git/browser/GitBlitRepositoryBrowser.java

@@ -11,6 +11,7 @@
 import jenkins.model.Jenkins;
 import net.sf.json.JSONObject;
 import org.kohsuke.stapler.DataBoundConstructor;
+import org.kohsuke.stapler.interceptor.RequirePOST;
 import org.kohsuke.stapler.QueryParameter;
 import org.kohsuke.stapler.StaplerRequest;
 
@@ -79,6 +80,7 @@ public GitBlitRepositoryBrowser newInstance(StaplerRequest req, @Nonnull JSONObj
             return req.bindJSON(GitBlitRepositoryBrowser.class, jsonObject);
         }
 
+        @RequirePOST
         public FormValidation doCheckUrl(@QueryParameter(fixEmpty = true) final String url)
                 throws IOException, ServletException {
             if (url == null) // nothing entered yet

src/main/java/hudson/plugins/git/browser/Gitiles.java

@@ -19,6 +19,7 @@
 import net.sf.json.JSONObject;
 
 import org.kohsuke.stapler.DataBoundConstructor;
+import org.kohsuke.stapler.interceptor.RequirePOST;
 import org.kohsuke.stapler.QueryParameter;
 import org.kohsuke.stapler.StaplerRequest;
 
@@ -68,6 +69,7 @@ public Gitiles newInstance(StaplerRequest req, @Nonnull JSONObject jsonObject) t
             return req.bindJSON(Gitiles.class, jsonObject);
         }
 
+        @RequirePOST
         public FormValidation doCheckUrl(@QueryParameter(fixEmpty = true) final String url) throws IOException, ServletException {
             if (url == null) // nothing entered yet
                 return FormValidation.ok();

src/main/java/hudson/plugins/git/browser/TFS2013GitRepositoryBrowser.java

@@ -14,6 +14,7 @@
 import org.eclipse.jgit.transport.RemoteConfig;
 import org.kohsuke.stapler.AncestorInPath;
 import org.kohsuke.stapler.DataBoundConstructor;
+import org.kohsuke.stapler.interceptor.RequirePOST;
 import org.kohsuke.stapler.QueryParameter;
 import org.kohsuke.stapler.StaplerRequest;
 
@@ -108,6 +109,7 @@ public TFS2013GitRepositoryBrowser newInstance(StaplerRequest req, @Nonnull JSON
          * @throws IOException on input or output error
          * @throws ServletException on servlet error
          */
+        @RequirePOST
         public FormValidation doCheckRepoUrl(@QueryParameter(fixEmpty = true) String value, @AncestorInPath AbstractProject project) throws IOException,
                 ServletException {
 

src/main/java/hudson/plugins/git/browser/ViewGitWeb.java

@@ -12,6 +12,7 @@
 import jenkins.model.Jenkins;
 import net.sf.json.JSONObject;
 import org.kohsuke.stapler.DataBoundConstructor;
+import org.kohsuke.stapler.interceptor.RequirePOST;
 import org.kohsuke.stapler.QueryParameter;
 import org.kohsuke.stapler.StaplerRequest;
 
@@ -87,6 +88,7 @@ public ViewGitWeb newInstance(StaplerRequest req, @Nonnull JSONObject jsonObject
             return req.bindJSON(ViewGitWeb.class, jsonObject);
         }
 
+        @RequirePOST
         public FormValidation doCheckUrl(@QueryParameter(fixEmpty = true) final String url) throws IOException, ServletException {
             if (url == null) // nothing entered yet
                 return FormValidation.ok();

src/main/resources/hudson/plugins/git/browser/AssemblaWeb/config.jelly

@@ -1,6 +1,6 @@
 <?jelly escape-by-default='true'?>
 <j:jelly xmlns:j="jelly:core" xmlns:st="jelly:stapler" xmlns:d="jelly:define" xmlns:l="/lib/layout" xmlns:t="/lib/hudson" xmlns:f="/lib/form">
   <f:entry field="repoUrl" title="${%Assembla Git URL}">
-    <f:textbox/>
+    <f:textbox checkMethod="post" />
   </f:entry>
 </j:jelly>

src/main/resources/hudson/plugins/git/browser/FisheyeGitRepositoryBrowser/config.jelly

@@ -1,6 +1,6 @@
 <?jelly escape-by-default='true'?>
 <j:jelly xmlns:j="jelly:core" xmlns:st="jelly:stapler" xmlns:d="jelly:define" xmlns:l="/lib/layout" xmlns:t="/lib/hudson" xmlns:f="/lib/form">
   <f:entry field="repoUrl" title="${%URL}">
-    <f:textbox/>
+    <f:textbox checkMethod="post" />
   </f:entry>
 </j:jelly>

src/main/resources/hudson/plugins/git/browser/GitBlitRepositoryBrowser/config.jelly

@@ -1,7 +1,7 @@
 <?jelly escape-by-default='true'?>
 <j:jelly xmlns:j="jelly:core" xmlns:st="jelly:stapler" xmlns:d="jelly:define" xmlns:l="/lib/layout" xmlns:t="/lib/hudson" xmlns:f="/lib/form">
   <f:entry field="repoUrl" title="${%GitBlit root url}">
-    <f:textbox/>
+    <f:textbox checkMethod="post" />
   </f:entry>
   <f:entry field="projectName" title="${%Project name in GitBlit}">
     <f:textbox/>

src/main/resources/hudson/plugins/git/browser/Gitiles/config.jelly

@@ -1,6 +1,6 @@
 <?jelly escape-by-default='true'?>
 <j:jelly xmlns:j="jelly:core" xmlns:st="jelly:stapler" xmlns:d="jelly:define" xmlns:l="/lib/layout" xmlns:t="/lib/hudson" xmlns:f="/lib/form">
   <f:entry field="repoUrl" title="${%URL}">
-    <f:textbox/>
+    <f:textbox checkMethod="post" />
   </f:entry>
 </j:jelly>