Merge pull request #159 from KostyaSha/suckurity-170

Whitelist parameters for security-170

Author: KostyaSha

github-pullrequest-plugin/src/main/java/com/github/kostyasha/github/integration/branch/trigger/JobRunnerForBranchCause.java

@@ -19,7 +19,12 @@
 import org.slf4j.LoggerFactory;
 
 import java.io.IOException;
+import java.lang.reflect.Constructor;
+import java.lang.reflect.InvocationTargetException;
+import java.util.Collection;
+import java.util.HashSet;
 import java.util.List;
+import java.util.Set;
 
 import static com.cloudbees.jenkins.GitHubWebHook.getJenkinsInstance;
 import static com.github.kostyasha.github.integration.branch.data.GitHubBranchEnv.CAUSE_SKIP;
@@ -111,8 +116,9 @@ private static boolean cancelQueuedBuildByBranchName(final String branch) {
     }
 
     private QueueTaskFuture<?> startJob(GitHubBranchCause cause) {
-        List<ParameterValue> values = getDefaultParametersValues(job);
-        values.addAll(asList(
+        ParametersAction parametersAction;
+        List<ParameterValue> parameters = getDefaultParametersValues(job);
+        final List<ParameterValue> pluginParameters = asList(
                 //GitHubBranchEnv
                 NAME.param(cause.getBranchName()),
                 SHORT_DESC.param(cause.getShortDescription()),
@@ -124,14 +130,27 @@ private QueueTaskFuture<?> startJob(GitHubBranchCause cause) {
                 //GitHubRepoEnv
                 GIT_URL.param(cause.getGitUrl()),
                 SSH_URL.param(cause.getSshUrl())
-        ));
+        );
+        parameters.addAll(pluginParameters);
+
+        try {
+            Constructor<ParametersAction> constructor = ParametersAction.class.getConstructor(List.class, Collection.class);
+            Set<String> names = new HashSet<>();
+            for (ParameterValue param : parameters) {
+                names.add(param.getName());
+            }
+            parametersAction = constructor.newInstance(parameters, names);
+        } catch (NoSuchMethodException | IllegalAccessException | InstantiationException
+                | InvocationTargetException ex) {
+            parametersAction = new ParametersAction(parameters);
+        }
 
         GitHubBranchBadgeAction gitHubBadgeAction = new GitHubBranchBadgeAction(cause);
 
         //TODO no way to get quietPeriod, so temporary ignore it
         return asParameterizedJobMixIn(job).scheduleBuild2(0,
                 new CauseAction(cause),
-                new ParametersAction(values),
+                parametersAction,
                 gitHubBadgeAction);
     }
 

github-pullrequest-plugin/src/main/java/org/jenkinsci/plugins/github/pullrequest/trigger/JobRunnerForCause.java

@@ -32,8 +32,12 @@
 import org.slf4j.LoggerFactory;
 
 import java.io.IOException;
+import java.lang.reflect.Constructor;
+import java.lang.reflect.InvocationTargetException;
 import java.util.Collection;
+import java.util.HashSet;
 import java.util.List;
+import java.util.Set;
 
 import static com.cloudbees.jenkins.GitHubWebHook.getJenkinsInstance;
 import static com.google.common.base.Predicates.instanceOf;
@@ -257,8 +261,9 @@ public int cancelQueuedBuildByPrNumber(final int id) {
     }
 
     private QueueTaskFuture<?> startJob(GitHubPRCause cause) {
-        List<ParameterValue> values = getDefaultParametersValues(job);
-        values.addAll(asList(
+        ParametersAction parametersAction;
+        List<ParameterValue> parameters = getDefaultParametersValues(job);
+        final List<ParameterValue> pluginParameters = asList(
                 TRIGGER_SENDER_AUTHOR.param(cause.getTriggerSenderName()),
                 TRIGGER_SENDER_EMAIL.param(cause.getTriggerSenderEmail()),
                 COMMIT_AUTHOR_NAME.param(cause.getCommitAuthorName()),
@@ -275,7 +280,21 @@ private QueueTaskFuture<?> startJob(GitHubPRCause cause) {
                 CAUSE_SKIP.param(cause.isSkip()),
                 NUMBER.param(String.valueOf(cause.getNumber())),
                 STATE.param(String.valueOf(cause.getState()))
-        ));
+        );
+        parameters.addAll(pluginParameters);
+
+        try {
+            Constructor<ParametersAction> constructor = ParametersAction.class.getConstructor(List.class, Collection.class);
+            Set<String> names = new HashSet<>();
+            for (ParameterValue param : pluginParameters) {
+                names.add(param.getName());
+            }
+            parametersAction = constructor.newInstance(parameters, names);
+        } catch (NoSuchMethodException | IllegalAccessException | InstantiationException
+                | InvocationTargetException ex) {
+            parametersAction = new ParametersAction(parameters);
+        }
+
         GitHubPRBadgeAction gitHubPRBadgeAction = new GitHubPRBadgeAction(cause);
 
         ParameterizedJobMixIn parameterizedJobMixIn = asParameterizedJobMixIn(job);
@@ -290,8 +309,12 @@ private QueueTaskFuture<?> startJob(GitHubPRCause cause) {
             LOGGER.error("Couldn't extract quiet period, falling back to {}", quietPeriod, e);
         }
 
-        return parameterizedJobMixIn.scheduleBuild2(quietPeriod, new CauseAction(cause), new ParametersAction(values),
-                gitHubPRBadgeAction);
+        return parameterizedJobMixIn.scheduleBuild2(
+                quietPeriod,
+                new CauseAction(cause),
+                parametersAction,
+                gitHubPRBadgeAction
+        );
     }
 
     protected static class CausesFromAction implements Function<Action, Iterable<Cause>> {