Add permission checks

Target CVE-2019-10472 (permission check) and SECURITY-1014 (2) / CVE-2019-10473. Add the missing permission checks. Signed-off-by: Benedikt Spranger <b.spranger@linutronix.de> Reviewed-by: Bastian Germann <bage@linutronix.de>
jenkinsci · Jul 3, 2020 · c671d68 · c671d68
1 parent 7946539
commit c671d68
Show file tree

Hide file tree

Showing 2 changed files with 4 additions and 0 deletions.
diff --git a/src/main/java/hudson/plugins/libvirt/Hypervisor.java b/src/main/java/hudson/plugins/libvirt/Hypervisor.java
@@ -497,6 +497,8 @@ public FormValidation doTestConnection(@QueryParameter String hypervisorType,
                                                @QueryParameter boolean useNativeJavaConnection,
                                                @QueryParameter String credentialsId)
                 throws Exception, ServletException {
+            Jenkins.get().checkPermission(Jenkins.ADMINISTER);
+
             try {
                 if (hypervisorHost == null) {
                     return FormValidation.error("Hypervisor Host is not specified!");

diff --git a/src/main/java/hudson/plugins/libvirt/PluginImpl.java b/src/main/java/hudson/plugins/libvirt/PluginImpl.java
@@ -113,6 +113,7 @@ public boolean apply(@Nullable final Hypervisor input) {
 
     public FormValidation doCheckStartupWaitingPeriodSeconds(@QueryParameter String secsValue)
             throws IOException, ServletException {
+        Jenkins.get().checkPermission(Jenkins.ADMINISTER);
         try {
             int v = Integer.parseInt(secsValue);
             if (v < 0) {
@@ -130,6 +131,7 @@ public FormValidation doCheckStartupWaitingPeriodSeconds(@QueryParameter String
 
     public FormValidation doCheckStartupTimesToRetryOnFailure(@QueryParameter String retriesValue)
             throws IOException, ServletException {
+        Jenkins.get().checkPermission(Jenkins.ADMINISTER);
         try {
             int v = Integer.parseInt(retriesValue);
             if (v < 0) {