Code cleanup after upgrade #80

Merged
merged 10 commits into from
Aug 26, 2024


mig42
Contributor

@mig42 mig42 commented Aug 23, 2024

After upgrading the minimum Jenkins version to 2.440.3 and the Java version to 17, there are a few warnings popping up. We're also using deprecated code and outdated Java statements that would benefit from an upgrade.

There are also four security alerts fixed in this PR:

Testing done

I tested the plugin manually in the official Docker container. The CmTool, its custom installer and the two VCS implementations (mergebot and regular) worked as expected, for pipelines and freestyle projects.

Submitter checklist

  • Make sure you are opening from a topic/feature/bugfix branch (right side) and not your main branch!
  • Ensure that the pull request title represents the desired changelog entry
  • Please describe what you did
  • Link to relevant issues in GitHub or Jira
  • Link to relevant pull requests, esp. upstream and downstream changes
  • Ensure you have provided tests - that demonstrates feature works or fixes the issue

mig42 added 10 commits August 23, 2024 10:02
According to
https://www.jenkins.io/doc/developer/security/form-validation/#protecting-from-csrf,
the @RequirePOST is an older annotation for preventing CSRF which
presents a form for the user to resubmit the request using POST.

However, in this case we can safely use the newer @POST annotation,
which limits processing to the POST verb. Other verbs will return a 404
response. It's the recommended action for validation methods.

Signed-off-by: Miguel González <[email protected]>
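
The annotation swap described in the commit message above, shown on a form-validation method. This is an added example, not code from this PR or from the plugin: the class name, the `doCheckServer*` methods and the `server` field are hypothetical, and the permission check goes beyond the commit message, following the same Jenkins form-validation guidance it links to.

```java
import hudson.Util;
import hudson.model.Item;
import hudson.util.FormValidation;
import jenkins.model.Jenkins;
import org.kohsuke.stapler.AncestorInPath;
import org.kohsuke.stapler.QueryParameter;
import org.kohsuke.stapler.interceptor.RequirePOST;
import org.kohsuke.stapler.verb.POST;

// Hypothetical descriptor-style class; all names are illustrative.
public class ExampleServerValidation {

    // Before: @RequirePOST rejects non-POST requests, but answers them with
    // a page offering to resubmit the same request using POST.
    @RequirePOST
    public FormValidation doCheckServerOld(@QueryParameter String value,
                                           @AncestorInPath Item item) {
        return validate(value, item);
    }

    // After: @POST limits routing to the POST verb, so a GET or any other
    // verb never reaches this method and receives a 404 response.
    @POST
    public FormValidation doCheckServer(@QueryParameter String value,
                                        @AncestorInPath Item item) {
        return validate(value, item);
    }

    private static FormValidation validate(String value, Item item) {
        // The verb restriction only addresses CSRF. The caller must still be
        // authorized, otherwise any authenticated user can drive validation.
        if (item == null) {
            Jenkins.get().checkPermission(Jenkins.ADMINISTER);
        } else {
            item.checkPermission(Item.CONFIGURE);
        }
        String server = Util.fixEmptyAndTrim(value);
        if (server == null) {
            return FormValidation.error("Server is required");
        }
        return FormValidation.ok();
    }
}
```

For the UI to keep working after the switch, the Jelly field bound to the check must send its validation request as POST, for example `<f:textbox checkMethod="post"/>`.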
Collaborator

@pablobayarri pablobayarri left a comment

LGTM

@mig42 mig42 merged commit 9e6b718 into master Aug 26, 2024
16 checks passed
@mig42 mig42 deleted the miguel/fix-security-alerts/missing-post-annotation branch August 26, 2024 08:05