SECURITY-2467

src/main/java/com/cloudbees/jenkins/plugins/bitbucket/BitbucketSCMSource.java

@@ -120,6 +120,7 @@
 import org.kohsuke.stapler.DataBoundConstructor;
 import org.kohsuke.stapler.DataBoundSetter;
 import org.kohsuke.stapler.QueryParameter;
+import org.kohsuke.stapler.interceptor.RequirePOST;
 
 /**
  * SCM source implementation for Bitbucket.
@@ -1171,6 +1172,7 @@ public ListBoxModel doFillCredentialsIdItems(@AncestorInPath SCMSourceOwner cont
         }
 
         @SuppressWarnings("unused") // used By stapler
+        @RequirePOST
         public ListBoxModel doFillRepositoryItems(@AncestorInPath SCMSourceOwner context,
                                                   @QueryParameter String serverUrl,
                                                   @QueryParameter String credentialsId,

src/main/java/com/cloudbees/jenkins/plugins/bitbucket/endpoints/BitbucketCloudEndpoint.java

@@ -154,7 +154,7 @@ public String getDisplayName() {
         }
 
         public FormValidation doShowStats() {
-            Jenkins.get().checkPermission(Jenkins.MANAGE);
+            Jenkins.get().checkPermission(Jenkins.ADMINISTER);
             List<String> stats = BitbucketCloudApiClient.stats();
             StringBuilder builder = new StringBuilder();
             for (String stat : stats) {
@@ -165,7 +165,7 @@ public FormValidation doShowStats() {
 
         @POST
         public FormValidation doClear() {
-            Jenkins.get().checkPermission(Jenkins.MANAGE);
+            Jenkins.get().checkPermission(Jenkins.ADMINISTER);
             BitbucketCloudApiClient.clearCaches();
             return FormValidation.ok("Caches cleared");
         }

src/test/java/com/cloudbees/jenkins/plugins/bitbucket/Security2467Test.java

@@ -0,0 +1,39 @@
+package com.cloudbees.jenkins.plugins.bitbucket;
+
+import com.gargoylesoftware.htmlunit.html.HtmlPage;
+import java.net.HttpURLConnection;
+import jenkins.model.Jenkins;
+import org.jenkinsci.plugins.workflow.multibranch.WorkflowMultiBranchProject;
+import org.junit.Rule;
+import org.junit.Test;
+import org.jvnet.hudson.test.Issue;
+import org.jvnet.hudson.test.JenkinsRule;
+import org.jvnet.hudson.test.MockAuthorizationStrategy;
+
+import static org.hamcrest.MatcherAssert.assertThat;
+import static org.hamcrest.Matchers.containsString;
+import static org.hamcrest.Matchers.is;
+
+public class Security2467Test {
+
+    @Rule
+    public JenkinsRule j = new JenkinsRule();
+
+    @Issue("SECURITY-2467")
+    @Test
+    public void doFillRepositoryItemsWhenInvokedUsingGetMethodThenReturnMethodNotAllowed() throws Exception {
+        String admin = "Admin";
+        String projectName = "p";
+        WorkflowMultiBranchProject pr = j.jenkins.createProject(WorkflowMultiBranchProject.class, projectName);
+        j.jenkins.setSecurityRealm(j.createDummySecurityRealm());
+        j.jenkins.setAuthorizationStrategy(new MockAuthorizationStrategy().
+                grant(Jenkins.ADMINISTER).everywhere().to(admin));
+
+        JenkinsRule.WebClient webClient = j.createWebClient().withThrowExceptionOnFailingStatusCode(false);
+        webClient.login(admin);
+        HtmlPage htmlPage = webClient.goTo("job/" + projectName +"/descriptorByName/com.cloudbees.jenkins.plugins.bitbucket.BitbucketSCMSource/fillRepositoryItems?serverUrl=http://hacker:9000&credentialsId=ID_Admin&repoOwner=admin");
+
+        assertThat(htmlPage.getWebResponse().getStatusCode(), is(HttpURLConnection.HTTP_BAD_METHOD));
+        assertThat(htmlPage.getWebResponse().getContentAsString(), containsString("This URL requires POST"));
+    }
+}