Fix SECURITY-1523 / CVE-2020-2150 (#34)

* Use Secret instead of Sting in getToken method * Update token form filed to be password type
jenkinsci · Aug 16, 2024 · 0a35c49 · 0a35c49
1 parent 3a73b38
commit 0a35c49
Show file tree

Hide file tree

Showing 5 changed files with 14 additions and 10 deletions.
diff --git a/src/main/java/org/quality/gates/jenkins/plugin/GlobalConfigDataForSonarInstance.java b/src/main/java/org/quality/gates/jenkins/plugin/GlobalConfigDataForSonarInstance.java
@@ -21,7 +21,7 @@ public class GlobalConfigDataForSonarInstance {
 
     private Secret secretPass;
 
-    private String token;
+    private Secret token;
 
     private int timeToWait;
 
@@ -55,7 +55,7 @@ public GlobalConfigDataForSonarInstance(String name, String sonarUrl, String use
     }
 
     public GlobalConfigDataForSonarInstance(
-            String name, String sonarUrl, String token, int timeToWait, int maxWaitTime) {
+            String name, String sonarUrl, Secret token, int timeToWait, int maxWaitTime) {
 
         this.name = name;
         this.sonarUrl = sonarUrl;
@@ -112,12 +112,12 @@ public void setMaxWaitTime(int maxWaitTime) {
         this.maxWaitTime = maxWaitTime;
     }
 
-    public String getToken() {
-        return token;
+    public Secret getToken() {
+        return token != null ? token : Secret.fromString("");
     }
 
     public void setToken(String token) {
-        this.token = token;
+        this.token = Secret.fromString(Util.fixEmptyAndTrim(token));
     }
 
     @Override

diff --git a/src/main/java/org/quality/gates/jenkins/plugin/GlobalConfigurationService.java b/src/main/java/org/quality/gates/jenkins/plugin/GlobalConfigurationService.java
@@ -75,7 +75,11 @@ protected void addGlobalConfigDataForSonarInstance(JSONObject globalConfigData)
             String token = globalConfigData.optString("token");
             if (StringUtils.isNotEmpty(token)) {
                 globalConfigDataForSonarInstance = new GlobalConfigDataForSonarInstance(
-                        name, url, globalConfigData.optString("token"), timeToWait, maxWaitTime);
+                        name,
+                        url,
+                        Secret.fromString(Util.fixEmptyAndTrim(globalConfigData.optString("token"))),
+                        timeToWait,
+                        maxWaitTime);
             } else {
                 globalConfigDataForSonarInstance = new GlobalConfigDataForSonarInstance(
                         name,

diff --git a/src/main/java/org/quality/gates/sonar/api/SonarHttpRequester.java b/src/main/java/org/quality/gates/sonar/api/SonarHttpRequester.java
@@ -74,8 +74,8 @@ private void loginApi(GlobalConfigDataForSonarInstance globalConfigDataForSonarI
 
         httpClientContext = HttpClientContext.create();
 
-        if (StringUtils.isNotEmpty(globalConfigDataForSonarInstance.getToken())) {
-            token = globalConfigDataForSonarInstance.getToken();
+        if (StringUtils.isNotEmpty(globalConfigDataForSonarInstance.getToken().getPlainText())) {
+            token = globalConfigDataForSonarInstance.getToken().getPlainText();
             httpClient = HttpClientBuilder.create().build();
         } else {
             CredentialsProvider credsProvider = new BasicCredentialsProvider();

diff --git a/src/main/java/org/quality/gates/sonar/api/SonarInstanceValidationService.java b/src/main/java/org/quality/gates/sonar/api/SonarInstanceValidationService.java
@@ -50,7 +50,7 @@ private Secret validatePassword(GlobalConfigDataForSonarInstance globalConfigDat
 
     GlobalConfigDataForSonarInstance validateData(GlobalConfigDataForSonarInstance globalConfigDataForSonarInstance) {
 
-        if (StringUtils.isNotEmpty(globalConfigDataForSonarInstance.getToken())) {
+        if (StringUtils.isNotEmpty(globalConfigDataForSonarInstance.getToken().getPlainText())) {
             return new GlobalConfigDataForSonarInstance(
                     globalConfigDataForSonarInstance.getName(),
                     validateUrl(globalConfigDataForSonarInstance),

diff --git a/src/main/resources/org/quality/gates/jenkins/plugin/GlobalConfig/config.jelly b/src/main/resources/org/quality/gates/jenkins/plugin/GlobalConfig/config.jelly
@@ -22,7 +22,7 @@
                                                 <f:textbox name="url" value="${globalConfigData.sonarUrl}" />
                                           </f:entry>
                                            <f:entry field="token" title="SonarQube account token" description="Use token instead of user and password" >
-                                                 <f:textbox name="token" value="${globalConfigData.token}" />
+                                                 <f:password name="token" value="${globalConfigData.token}" />
                                            </f:entry>
                                            <f:entry field="username" title="SonarQube account login" description="Default value is 'admin'" >
                                                  <f:textbox name="account" value="${globalConfigData.username}" />