[SECURITY-1101]

jenkinsci · Sep 12, 2018 · 091ee0d · 091ee0d
1 parent de016a5
commit 091ee0d
Show file tree

Hide file tree

Showing 3 changed files with 6 additions and 2 deletions.
diff --git a/src/main/java/hudson/tasks/junit/JUnitResultArchiver.java b/src/main/java/hudson/tasks/junit/JUnitResultArchiver.java
@@ -32,6 +32,7 @@
 import hudson.model.AbstractProject;
 import hudson.model.BuildListener;
 import hudson.model.Descriptor;
+import hudson.model.Item;
 import hudson.model.Result;
 import hudson.model.Run;
 import hudson.model.Saveable;
@@ -310,7 +311,7 @@ public String getDisplayName() {
         public FormValidation doCheckTestResults(
                 @AncestorInPath AbstractProject project,
                 @QueryParameter String value) throws IOException {
-            if (project == null) {
+            if (project == null || !project.hasPermission(Item.WORKSPACE)) {
                 return FormValidation.ok();
             }
             return FilePath.validateFileMask(project.getSomeWorkspace(), value);

diff --git a/src/main/java/hudson/tasks/test/AggregatedTestResultPublisher.java b/src/main/java/hudson/tasks/test/AggregatedTestResultPublisher.java
@@ -377,6 +377,7 @@ public AggregatedTestResultPublisher newInstance(StaplerRequest req, JSONObject
         }
 
         public AutoCompletionCandidates doAutoCompleteJobs(@QueryParameter String value, @AncestorInPath Item self, @AncestorInPath ItemGroup container) {
+            // Item.READ checked inside
             return AutoCompletionCandidates.ofJobNames(Job.class,value,self,container);
         }
     }

diff --git a/src/main/java/hudson/tasks/test/TestObject.java b/src/main/java/hudson/tasks/test/TestObject.java
@@ -40,6 +40,7 @@
 import org.kohsuke.stapler.export.ExportedBean;
 
 import com.google.common.collect.MapMaker;
+import org.kohsuke.stapler.interceptor.RequirePOST;
 
 import javax.servlet.ServletException;
 import java.io.IOException;
@@ -450,13 +451,14 @@ public Object getDynamic(String token, StaplerRequest req,
         return null;
     }
 
+    @RequirePOST
     public synchronized HttpResponse doSubmitDescription(
             @QueryParameter String description) throws IOException,
             ServletException {
+        getRun().checkPermission(Run.UPDATE);
         if (getRun() == null) {
             LOGGER.severe("getRun() is null, can't save description.");
         } else {
-            getRun().checkPermission(Run.UPDATE);
             setDescription(description);
             getRun().save();
         }