From c2e5ad99da6de4b9152ae0691f112145358a5666 Mon Sep 17 00:00:00 2001
From: Olivier Lamy
Date: Thu, 17 Feb 2022 13:35:25 +1000
Subject: [PATCH] [SECURITY-2290] check permission as well
Signed-off-by: Olivier Lamy
---
 .../descriptor/BapSshCredentialsDescriptor.java | 1 +
 .../descriptor/BapSshHostConfigurationDescriptor.java | 4 ++++
 .../descriptor/BapSshPublisherPluginDescriptor.java | 1 +
 3 files changed, 6 insertions(+)
diff --git a/src/main/java/jenkins/plugins/publish_over_ssh/descriptor/BapSshCredentialsDescriptor.java b/src/main/java/jenkins/plugins/publish_over_ssh/descriptor/BapSshCredentialsDescriptor.java
index 8acdd6ca..0f5830dd 100644
--- a/src/main/java/jenkins/plugins/publish_over_ssh/descriptor/BapSshCredentialsDescriptor.java
+++ b/src/main/java/jenkins/plugins/publish_over_ssh/descriptor/BapSshCredentialsDescriptor.java
@@ -72,6 +72,7 @@ public FormValidation doCheckKeyPath(@QueryParameter final String value) {
 public FormValidation doTestConnection(@QueryParameter final String configName, @QueryParameter final String username, @QueryParameter final String encryptedPassphrase, @QueryParameter final String key, @QueryParameter final String keyPath) {
+ Jenkins.get().checkPermission(Jenkins.ADMINISTER);
 final BapSshCredentials credentials = new BapSshCredentials(username, encryptedPassphrase, key, keyPath);
 final BPBuildInfo buildInfo = BapSshPublisherPluginDescriptor.createDummyBuildInfo();
 buildInfo.put(BPBuildInfo.OVERRIDE_CREDENTIALS_CONTEXT_KEY, credentials);
diff --git a/src/main/java/jenkins/plugins/publish_over_ssh/descriptor/BapSshHostConfigurationDescriptor.java b/src/main/java/jenkins/plugins/publish_over_ssh/descriptor/BapSshHostConfigurationDescriptor.java
index 4a937b08..abca20fe 100644
--- a/src/main/java/jenkins/plugins/publish_over_ssh/descriptor/BapSshHostConfigurationDescriptor.java
+++ b/src/main/java/jenkins/plugins/publish_over_ssh/descriptor/BapSshHostConfigurationDescriptor.java
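Review bot: The `doCheckKeyPath` named in the BapSshCredentialsDescriptor.java hunk header is left without a permission check: the diffstat records a single insertion for that file, and that insertion is the `checkPermission` call in `doTestConnection`. If that method validates the path on the controller the way the BapSshHostConfigurationDescriptor one does (`BPValidators.validateFileOnMaster(value)`), it should get the same two additions, `@RequirePOST` on the method and `Jenkins.get().checkPermission(Jenkins.ADMINISTER);` as its first statement; its body is outside the hunk, so this needs confirming. The hunk also begins at the `doTestConnection` signature and so does not show whether that method carries `@RequirePOST`. Since `encryptedPassphrase` and `key` arrive as query parameters, it should be POST-only like the other two `doTestConnection` methods in this commit.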
@@ -81,12 +81,16 @@ public FormValidation doCheckTimeout(@QueryParameter final String value) {
 return FormValidation.validateNonNegativeInteger(value);
 }
+ @RequirePOST
 public FormValidation doCheckKeyPath(@QueryParameter final String value) {
+ Jenkins.get().checkPermission(Jenkins.ADMINISTER));
 return BPValidators.validateFileOnMaster(value);
 }
 @RequirePOST
 public FormValidation doTestConnection(final StaplerRequest request, final StaplerResponse response) {
+ Jenkins.get().checkPermission(Jenkins.ADMINISTER);
+ final BapSshPublisherPlugin.Descriptor pluginDescriptor;
 Jenkins j = Jenkins.getInstanceOrNull();
 if(j != null) {
diff --git a/src/main/java/jenkins/plugins/publish_over_ssh/descriptor/BapSshPublisherPluginDescriptor.java b/src/main/java/jenkins/plugins/publish_over_ssh/descriptor/BapSshPublisherPluginDescriptor.java
index 0581a809..bced56e1 100644
--- a/src/main/java/jenkins/plugins/publish_over_ssh/descriptor/BapSshPublisherPluginDescriptor.java
+++ b/src/main/java/jenkins/plugins/publish_over_ssh/descriptor/BapSshPublisherPluginDescriptor.java
@@ -193,6 +193,7 @@ public jenkins.plugins.publish_over.view_defaults.manage_jenkins.Messages getCom
 @RequirePOST
 public FormValidation doTestConnection(final StaplerRequest request, final StaplerResponse response) {
+ Jenkins.get().checkPermission(Jenkins.ADMINISTER););
 final BapSshHostConfiguration hostConfig = request.bindParameters(BapSshHostConfiguration.class, "");
 hostConfig.setCommonConfig(request.bindParameters(BapSshCommonConfiguration.class, "common."));
 return validateConnection(hostConfig, createDummyBuildInfo());
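Review bot: The line added to `doCheckKeyPath` in BapSshHostConfigurationDescriptor.java, `Jenkins.get().checkPermission(Jenkins.ADMINISTER));`, has one closing parenthesis too many and will not compile; it should read `Jenkins.get().checkPermission(Jenkins.ADMINISTER);`. The same kind of slip is in the BapSshPublisherPluginDescriptor.java hunk, where the added line ends in `);` twice (`checkPermission(Jenkins.ADMINISTER););`). As written neither file builds, so the permission checks this commit is meant to add cannot ship until both lines are corrected. In `doTestConnection` the new `Jenkins.get()` call appears to make the later `Jenkins.getInstanceOrNull()` null test redundant, but that method continues past the end of the hunk.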
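Review bot: `doTestConnection` in BapSshPublisherPluginDescriptor.java has no Javadoc stating the access requirements it now enforces, so a later refactor could drop or move the check without noticing it is a security control. I would add `/** Tests the connection for the submitted host configuration. Requires Overall/Administer and a POST request. */` above `@RequirePOST`. A short why-comment on the new line, `// reject callers without Overall/Administer before binding any request parameters`, would record that the check deliberately precedes `request.bindParameters`.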