Merge pull request #270 from mathworks/dev_main

Fixed security issue

Author: nbhoski

src/main/java/com/mathworks/ci/MatlabBuilder.java

@@ -8,6 +8,8 @@
  * [email protected] Date : 28/03/2018 (Initial draft)
  */
 
+import hudson.model.Item;
+import hudson.security.Permission;
 import java.io.File;
 import java.io.IOException;
 import java.io.InputStream;
@@ -19,6 +21,7 @@
 import javax.annotation.Nonnull;
 import org.apache.commons.io.FilenameUtils;
 import org.apache.commons.lang.ArrayUtils;
+import org.kohsuke.stapler.AncestorInPath;
 import org.kohsuke.stapler.DataBoundConstructor;
 import org.kohsuke.stapler.DataBoundSetter;
 import org.kohsuke.stapler.QueryParameter;
@@ -43,6 +46,7 @@
 import jenkins.model.Jenkins;
 import jenkins.tasks.SimpleBuildStep;
 import net.sf.json.JSONObject;
+import org.kohsuke.stapler.verb.POST;
 
 public class MatlabBuilder extends Builder implements SimpleBuildStep {
 
@@ -148,8 +152,12 @@ public DescriptorExtensionList<TestRunTypeList, Descriptor<TestRunTypeList>> get
          * descriptor class.
          */
 
-
-        public FormValidation doCheckMatlabRoot(@QueryParameter String matlabRoot) {
+        @POST
+        public FormValidation doCheckMatlabRoot(@QueryParameter String matlabRoot, @AncestorInPath Item item) {
+            if (item == null) {
+                return FormValidation.ok();
+            }
+            item.checkPermission(Item.CONFIGURE);
             setMatlabRoot(matlabRoot);
             List<Function<String, FormValidation>> listOfCheckMethods =
                     new ArrayList<Function<String, FormValidation>>();

src/main/java/com/mathworks/ci/MatlabReleaseInfo.java

@@ -18,13 +18,15 @@
 
 import javax.xml.parsers.DocumentBuilder;
 import javax.xml.parsers.DocumentBuilderFactory;
+import javax.xml.parsers.ParserConfigurationException;
 import org.apache.commons.collections.MapUtils;
 import org.w3c.dom.Document;
 import org.w3c.dom.Element;
 import org.w3c.dom.Node;
 import org.w3c.dom.NodeList;
 import edu.umd.cs.findbugs.annotations.SuppressFBWarnings;
 import hudson.FilePath;
+import org.xml.sax.SAXException;
 
 public class MatlabReleaseInfo {
     private FilePath matlabRoot;
@@ -82,6 +84,15 @@ private Map<String, String> getVersionInfoFromFile() throws MatlabVersionNotFoun
                 FilePath versionFile = new FilePath(this.matlabRoot, VERSION_INFO_FILE);
                 if(versionFile.exists()) {
                     DocumentBuilderFactory dbFactory = DocumentBuilderFactory.newInstance();
+                    String FEATURE = null;
+                    try{
+                        FEATURE = "http://apache.org/xml/features/disallow-doctype-decl";
+                        dbFactory.setFeature(FEATURE, true);
+                        dbFactory.setXIncludeAware(false);
+
+                    } catch (ParserConfigurationException e) {
+                        throw new MatlabVersionNotFoundException("Error parsing verify if XML is valid", e);
+                    }
                     DocumentBuilder dBuilder = dbFactory.newDocumentBuilder();
                     Document doc = dBuilder.parse(versionFile.read());
 

src/main/java/com/mathworks/ci/UseMatlabVersionBuildWrapper.java

@@ -8,6 +8,8 @@
  *
  */
 
+import hudson.model.Item;
+import hudson.security.Permission;
 import java.io.File;
 import java.io.IOException;
 import java.util.ArrayList;
@@ -17,6 +19,8 @@
 
 import hudson.matrix.MatrixProject;
 import hudson.model.Computer;
+import jenkins.model.Jenkins;
+import org.kohsuke.stapler.AncestorInPath;
 import org.kohsuke.stapler.DataBoundConstructor;
 import org.kohsuke.stapler.DataBoundSetter;
 import org.kohsuke.stapler.QueryParameter;
@@ -31,6 +35,7 @@
 import hudson.tasks.BuildWrapperDescriptor;
 import hudson.util.FormValidation;
 import jenkins.tasks.SimpleBuildWrapper;
+import org.kohsuke.stapler.verb.POST;
 
 public class UseMatlabVersionBuildWrapper extends SimpleBuildWrapper {
 
@@ -137,8 +142,12 @@ public String getMatlabAxisWarning() {
          * these methods are used to perform basic validation on UI elements associated with this
          * descriptor class.
          */
-
-        public FormValidation doCheckMatlabRootFolder(@QueryParameter String matlabRootFolder) {
+        @POST
+        public FormValidation doCheckMatlabRootFolder(@QueryParameter String matlabRootFolder, @AncestorInPath Item item) {
+            if (item == null) {
+                return FormValidation.ok();
+            }
+            item.checkPermission(Item.CONFIGURE);
             List<Function<String, FormValidation>> listOfCheckMethods =
                     new ArrayList<Function<String, FormValidation>>();
             listOfCheckMethods.add(chkMatlabEmpty);

src/main/resources/com/mathworks/ci/MatlabBuilder/config.jelly

@@ -4,7 +4,7 @@
  <font color="red">Using this build step is not recommended and will be removed in a feature release. Use “Run MATLAB Tests” or “Run MATLAB Command” instead.</font>   
  <f:section>
 	  <f:entry title="MATLAB root " field="matlabRoot">
-	        <f:textbox disabled="disabled"/>
+	        <f:textbox disabled="disabled" checkMethod="post" />
 	  </f:entry> 
 </f:section>
 <f:dropdownDescriptorSelector title="Test mode" field="testRunTypeList" descriptors="${descriptor.testRunTypeDescriptor}" selected="${instance.testRunTypeList}" disabled="true"/>

src/main/resources/com/mathworks/ci/UseMatlabVersionBuildWrapper/config.jelly

@@ -18,7 +18,7 @@
 				<j:choose>
 					<j:when test="${loop.last}">
 						<f:entry title="MATLAB root: " field="matlabRootFolder">
-							<f:textbox/>
+							<f:textbox checkMethod="post"/>
 						</f:entry>
 					</j:when>
 				</j:choose>