From d176756f1746f1ed69849b497e31c0f033c1a446 Mon Sep 17 00:00:00 2001
From: Desprez Jean-Marc
Date: Sat, 10 Aug 2024 22:56:11 +0200
Subject: [PATCH] [JENKINS-73499] Add a warning if there is a risk of exposing credentials through a non-TLS proxy connection (#9491)
---
 .../main/java/hudson/ProxyConfiguration.java | 28 +++++++++++++++++++
 .../main/resources/hudson/Messages.properties | 1 +
 .../resources/hudson/Messages_es.properties | 1 +
 .../resources/hudson/Messages_fr.properties | 1 +
 .../resources/hudson/Messages_it.properties | 1 +
 5 files changed, 32 insertions(+)
diff --git a/core/src/main/java/hudson/ProxyConfiguration.java b/core/src/main/java/hudson/ProxyConfiguration.java
index fa4206521ee6..cc5b30d956dc 100644
--- a/core/src/main/java/hudson/ProxyConfiguration.java
+++ b/core/src/main/java/hudson/ProxyConfiguration.java
@@ -540,6 +540,34 @@ public FormValidation doCheckPort(@QueryParameter String value) {
 return FormValidation.ok();
 }
+ /**
+ * Do check if the provided value is empty or composed of whitespaces.
+ * If so, return a validation warning.
+ *
+ * @param value the value to test
+ * @return a validation warning iff the provided value is empty or composed of whitespaces.
+ */
+ private static FormValidation checkProxyCredentials(String value) {
+ value = Util.fixEmptyAndTrim(value);
+ if (value == null) {
+ return FormValidation.ok();
+ } else {
+ return FormValidation.warning(Messages.ProxyConfiguration_NonTLSWarning());
+ }
+ }
+
+ @RequirePOST
+ @Restricted(NoExternalUse.class)
+ public FormValidation doCheckUserName(@QueryParameter String value) {
+ return checkProxyCredentials(value);
+ }
+
+ @RequirePOST
+ @Restricted(NoExternalUse.class)
+ public FormValidation doCheckSecretPassword(@QueryParameter String value) {
+ return checkProxyCredentials(value);
+ }
+
 @RequirePOST
 @Restricted(NoExternalUse.class)
 public FormValidation doValidateProxy(
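Review bot: The Javadoc added above `checkProxyCredentials` says the opposite of what the method does: the code returns `FormValidation.ok()` for a null or blank value and the non-TLS warning once a credential is actually entered, while the comment and its `@return` tag attach the warning to empty input. This warning is what tells an administrator that the proxy user name and password go over a plain http connection, so a later edit made to match the comment would drop it in exactly the case it exists for. I would reword the summary to `Warns when a proxy credential is supplied, because Jenkins only supports an http connection to the proxy.` and the tag to `@return ok for a null or blank value, otherwise the non-TLS exposure warning`. On `doCheckSecretPassword`, which receives the password field as `value`, a short comment such as `// value is only tested for blankness; never log or echo it` would record the intent for future changes.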
diff --git a/core/src/main/resources/hudson/Messages.properties b/core/src/main/resources/hudson/Messages.properties
index b7f96a97bb2c..99c77ebbed46 100644
--- a/core/src/main/resources/hudson/Messages.properties
+++ b/core/src/main/resources/hudson/Messages.properties
@@ -110,6 +110,7 @@ ProxyConfiguration.TestUrlRequired=Test URL is required.
 ProxyConfiguration.MalformedTestUrl=Malformed Test URL {0}.
 ProxyConfiguration.FailedToConnectViaProxy=Failed to connect to {0}.
 ProxyConfiguration.FailedToConnect=Failed to connect to {0} (code {1}).
+ProxyConfiguration.NonTLSWarning=Jenkins only supports using an http connection to the proxy. The credentials may be exposed to someone on the same network.
 ProxyConfiguration.Success=Success (code {0})
 Functions.NoExceptionDetails=No Exception details
diff --git a/core/src/main/resources/hudson/Messages_es.properties b/core/src/main/resources/hudson/Messages_es.properties
index d1ae229de9bc..298ef23821d8 100644
--- a/core/src/main/resources/hudson/Messages_es.properties
+++ b/core/src/main/resources/hudson/Messages_es.properties
@@ -99,6 +99,7 @@ ProxyConfiguration.TestUrlRequired=Se requiere un URL de prueba.
 ProxyConfiguration.MalformedTestUrl=La URL de prueba está mal formada.
 ProxyConfiguration.FailedToConnectViaProxy=No se puede conectar a {0}.
 ProxyConfiguration.FailedToConnect=No se puede conectar a {0} (código {1}).
+ProxyConfiguration.NonTLSWarning=Jenkins solo soporta conexiones http con el proxy. Las credenciales podrían quedar expuestas a cualquiera que se encuentre en la misma red.
 ProxyConfiguration.Success=Configurado (código {0})
 Functions.NoExceptionDetails=No hay detalles de la excepción
diff --git a/core/src/main/resources/hudson/Messages_fr.properties b/core/src/main/resources/hudson/Messages_fr.properties
index db45e76ab397..1e0286deddc5 100644
--- a/core/src/main/resources/hudson/Messages_fr.properties
+++ b/core/src/main/resources/hudson/Messages_fr.properties
@@ -109,6 +109,7 @@ ProxyConfiguration.TestUrlRequired=Une URL de test est requise.
 ProxyConfiguration.MalformedTestUrl=L''URL de test {0} n''est pas correctement formée.
 ProxyConfiguration.FailedToConnectViaProxy=Impossible de se connecter à {0}.
 ProxyConfiguration.FailedToConnect=Impossible de se connecter à {0} (code {1}).
+ProxyConfiguration.NonTLSWarning=Jenkins ne prend en charge que l''utilisation d''une connexion http vers le proxy. Les informations d''identification peuvent être exposées à une personne qui se trouve sur le même réseau.
 ProxyConfiguration.Success=Succès (code {0})
 Functions.NoExceptionDetails=Aucun détail concernant l''exception
diff --git a/core/src/main/resources/hudson/Messages_it.properties b/core/src/main/resources/hudson/Messages_it.properties
index b929e6447cf8..2747e2d39366 100644
--- a/core/src/main/resources/hudson/Messages_it.properties
+++ b/core/src/main/resources/hudson/Messages_it.properties
@@ -106,6 +106,7 @@ PluginWrapper.PluginWrapperAdministrativeMonitor.DisplayName=Errore \
 ProxyConfiguration.FailedToConnect=Impossibile connettersi a {0} (codice {1}).
 ProxyConfiguration.FailedToConnectViaProxy=Impossibile connettersi a {0}.
 ProxyConfiguration.MalformedTestUrl=URL di prova {0} malformato.
+ProxyConfiguration.NonTLSWarning=Jenkins supporta solo l''utilizzo di una connessione http al proxy. Le credenziali potrebbero essere esposte a qualcuno sulla stessa rete.
 ProxyConfiguration.Success=Connessione riuscita (codice {0})
 ProxyConfiguration.TestUrlRequired=È richiesto un URL di prova.
 TcpSlaveAgentListener.PingAgentProtocol.displayName=Protocollo ping