SECURITY-2619: Added Missing permission checks.

jenkinsci · May 16, 2022 · a79f95c · a79f95c
1 parent 24b4996
commit a79f95c
Showing 1 changed file with 12 additions and 0 deletions.
diff --git a/src/main/java/com/compuware/jenkins/build/JclDescriptorImpl.java b/src/main/java/com/compuware/jenkins/build/JclDescriptorImpl.java
@@ -151,6 +151,12 @@ public FormValidation doCheckMaxConditionCode(@QueryParameter String maxConditio
 	 */
 	public ListBoxModel doFillConnectionIdItems(@AncestorInPath Jenkins context, @QueryParameter String connectionId,
 			@AncestorInPath Item project) {
+		if (project == null) {
+				Jenkins.get().checkPermission(Jenkins.ADMINISTER);
+		} else {
+			project.checkPermission(Item.CONFIGURE);
+		}
+
 		CpwrGlobalConfiguration globalConfig = CpwrGlobalConfiguration.get();
 		HostConnection[] hostConnections = globalConfig.getHostConnections();
 
@@ -184,6 +190,12 @@ public ListBoxModel doFillConnectionIdItems(@AncestorInPath Jenkins context, @Qu
 	 */
 	public ListBoxModel doFillCredentialsIdItems(@AncestorInPath Jenkins context, @QueryParameter String credentialsId,
 			@AncestorInPath Item project) {
+		if (project == null) {
+				Jenkins.get().checkPermission(Jenkins.ADMINISTER);
+		} else {
+			project.checkPermission(Item.CONFIGURE);
+		}
+
 		List<StandardCredentials> creds = CredentialsProvider.lookupCredentials(StandardCredentials.class,
 				project, ACL.SYSTEM, Collections.<DomainRequirement>emptyList());