Addressed Jenkins security issues

nbhoski · nbhoski · commit de1e2644fd5d · 2023-11-09T15:15:04.000+05:30
diff --git a/src/main/java/com/mathworks/ci/MatlabBuilder.java b/src/main/java/com/mathworks/ci/MatlabBuilder.java
@@ -150,6 +150,7 @@ public DescriptorExtensionList<TestRunTypeList, Descriptor<TestRunTypeList>> get
 
 
         public FormValidation doCheckMatlabRoot(@QueryParameter String matlabRoot) {
+            Jenkins.get().checkPermission(Jenkins.ADMINISTER);
             setMatlabRoot(matlabRoot);
             List<Function<String, FormValidation>> listOfCheckMethods =
                     new ArrayList<Function<String, FormValidation>>();
diff --git a/src/main/java/com/mathworks/ci/MatlabReleaseInfo.java b/src/main/java/com/mathworks/ci/MatlabReleaseInfo.java
@@ -18,13 +18,15 @@
 
 import javax.xml.parsers.DocumentBuilder;
 import javax.xml.parsers.DocumentBuilderFactory;
+import javax.xml.parsers.ParserConfigurationException;
 import org.apache.commons.collections.MapUtils;
 import org.w3c.dom.Document;
 import org.w3c.dom.Element;
 import org.w3c.dom.Node;
 import org.w3c.dom.NodeList;
 import edu.umd.cs.findbugs.annotations.SuppressFBWarnings;
 import hudson.FilePath;
+import org.xml.sax.SAXException;
 
 public class MatlabReleaseInfo {
     private FilePath matlabRoot;
@@ -82,6 +84,15 @@ private Map<String, String> getVersionInfoFromFile() throws MatlabVersionNotFoun
                 FilePath versionFile = new FilePath(this.matlabRoot, VERSION_INFO_FILE);
                 if(versionFile.exists()) {
                     DocumentBuilderFactory dbFactory = DocumentBuilderFactory.newInstance();
+                    String FEATURE = null;
+                    try{
+                        FEATURE = "http://apache.org/xml/features/disallow-doctype-decl";
+                        dbFactory.setFeature(FEATURE, true);
+                        dbFactory.setXIncludeAware(false);
+
+                    } catch (ParserConfigurationException e) {
+                        throw new MatlabVersionNotFoundException("Error parsing verify if XML is valid", e);
+                    }
                     DocumentBuilder dBuilder = dbFactory.newDocumentBuilder();
                     Document doc = dBuilder.parse(versionFile.read());
                     
diff --git a/src/main/java/com/mathworks/ci/UseMatlabVersionBuildWrapper.java b/src/main/java/com/mathworks/ci/UseMatlabVersionBuildWrapper.java
@@ -17,6 +17,7 @@
 
 import hudson.matrix.MatrixProject;
 import hudson.model.Computer;
+import jenkins.model.Jenkins;
 import org.kohsuke.stapler.DataBoundConstructor;
 import org.kohsuke.stapler.DataBoundSetter;
 import org.kohsuke.stapler.QueryParameter;
@@ -139,6 +140,7 @@ public String getMatlabAxisWarning() {
          */
 
         public FormValidation doCheckMatlabRootFolder(@QueryParameter String matlabRootFolder) {
+            Jenkins.get().checkPermission(Jenkins.ADMINISTER);
             List<Function<String, FormValidation>> listOfCheckMethods =
                     new ArrayList<Function<String, FormValidation>>();
             listOfCheckMethods.add(chkMatlabEmpty);
