Merge pull request #58 from jenkinsci/SECURITY-2290-2

[SECURITY-2290] check permission as well
jenkinsci · Feb 21, 2022 · a49b27d · a49b27d · knowyi · Feb 23, 2022
2 parents 94dcabc + 1dc2f26
commit a49b27d
Show file tree

Hide file tree

Showing 3 changed files with 6 additions and 0 deletions.
diff --git a/src/main/java/jenkins/plugins/publish_over_ssh/descriptor/BapSshCredentialsDescriptor.java b/src/main/java/jenkins/plugins/publish_over_ssh/descriptor/BapSshCredentialsDescriptor.java
@@ -72,6 +72,7 @@ public FormValidation doCheckKeyPath(@QueryParameter final String value) {
     public FormValidation doTestConnection(@QueryParameter final String configName, @QueryParameter final String username,
                                            @QueryParameter final String encryptedPassphrase, @QueryParameter final String key,
                                            @QueryParameter final String keyPath) {
+        Jenkins.get().checkPermission(Jenkins.ADMINISTER);
         final BapSshCredentials credentials = new BapSshCredentials(username, encryptedPassphrase, key, keyPath);
         final BPBuildInfo buildInfo = BapSshPublisherPluginDescriptor.createDummyBuildInfo();
         buildInfo.put(BPBuildInfo.OVERRIDE_CREDENTIALS_CONTEXT_KEY, credentials);

diff --git a/...n/java/jenkins/plugins/publish_over_ssh/descriptor/BapSshHostConfigurationDescriptor.java b/...n/java/jenkins/plugins/publish_over_ssh/descriptor/BapSshHostConfigurationDescriptor.java
@@ -81,12 +81,16 @@ public FormValidation doCheckTimeout(@QueryParameter final String value) {
         return FormValidation.validateNonNegativeInteger(value);
     }
 
+    @RequirePOST
     public FormValidation doCheckKeyPath(@QueryParameter final String value) {
+        Jenkins.get().checkPermission(Jenkins.ADMINISTER);
         return BPValidators.validateFileOnMaster(value);
     }
 
     @RequirePOST
     public FormValidation doTestConnection(final StaplerRequest request, final StaplerResponse response) {
+        Jenkins.get().checkPermission(Jenkins.ADMINISTER);
+
         final BapSshPublisherPlugin.Descriptor pluginDescriptor;
         Jenkins j = Jenkins.getInstanceOrNull();
         if(j != null) {

diff --git a/...ain/java/jenkins/plugins/publish_over_ssh/descriptor/BapSshPublisherPluginDescriptor.java b/...ain/java/jenkins/plugins/publish_over_ssh/descriptor/BapSshPublisherPluginDescriptor.java
@@ -193,6 +193,7 @@ public jenkins.plugins.publish_over.view_defaults.manage_jenkins.Messages getCom
 
     @RequirePOST
     public FormValidation doTestConnection(final StaplerRequest request, final StaplerResponse response) {
+        Jenkins.get().checkPermission(Jenkins.ADMINISTER);
         final BapSshHostConfiguration hostConfig = request.bindParameters(BapSshHostConfiguration.class, "");
         hostConfig.setCommonConfig(request.bindParameters(BapSshCommonConfiguration.class, "common."));
         return validateConnection(hostConfig, createDummyBuildInfo());