[SECURITY-2342]

Wadeck · Wadeck · commit 2dd5eda721e5 · 2021-12-20T17:33:57.000+01:00
diff --git a/src/main/java/org/jenkinsci/plugins/credentialsbinding/impl/ZipFileBinding.java b/src/main/java/org/jenkinsci/plugins/credentialsbinding/impl/ZipFileBinding.java
@@ -36,13 +36,15 @@
 import java.io.InputStream;
 import java.util.Collections;
 
+import jenkins.model.Jenkins;
 import org.apache.commons.io.IOUtils;
 import org.jenkinsci.Symbol;
 import org.jenkinsci.plugins.credentialsbinding.BindingDescriptor;
 import org.jenkinsci.plugins.plaincredentials.FileCredentials;
 import org.kohsuke.stapler.AncestorInPath;
 import org.kohsuke.stapler.DataBoundConstructor;
 import org.kohsuke.stapler.QueryParameter;
+import org.kohsuke.stapler.StaplerRequest;
 
 public class ZipFileBinding extends AbstractOnDiskBinding<FileCredentials> {
 
@@ -72,7 +74,22 @@ public class ZipFileBinding extends AbstractOnDiskBinding<FileCredentials> {
             return Messages.ZipFileBinding_secret_zip_file();
         }
 
-        public FormValidation doCheckCredentialsId(@AncestorInPath Item owner, @QueryParameter String value) {
+        // @RequirePOST
+        public FormValidation doCheckCredentialsId(StaplerRequest req, @AncestorInPath Item owner, @QueryParameter String value) {
+            //TODO due to weird behavior in c:select, there are initial calls using GET
+            // so using this approach will prevent 405 errors
+            if (!req.getMethod().equals("POST")) {
+                return FormValidation.ok();
+            }
+            if (owner == null) {
+                if (!Jenkins.get().hasPermission(Jenkins.ADMINISTER)) {
+                    return FormValidation.ok();
+                }
+            } else {
+                if (!owner.hasPermission(Item.EXTENDED_READ) && !owner.hasPermission(CredentialsProvider.USE_ITEM)) {
+                    return FormValidation.ok();
+                }
+            }
             for (FileCredentials c : CredentialsProvider.lookupCredentials(FileCredentials.class, owner, null, Collections.<DomainRequirement>emptyList())) {
                 if (c.getId().equals(value)) {
                     InputStream is = null;
diff --git a/src/main/resources/org/jenkinsci/plugins/credentialsbinding/MultiBinding/config.jelly b/src/main/resources/org/jenkinsci/plugins/credentialsbinding/MultiBinding/config.jelly
@@ -26,7 +26,7 @@ THE SOFTWARE.
 <j:jelly xmlns:j="jelly:core" xmlns:f="/lib/form" xmlns:st="jelly:stapler" xmlns:c="/lib/credentials">
     <st:include page="config-variables.jelly" class="${descriptor.clazz}"/>
     <f:entry title="${%Credentials}" field="credentialsId">
-        <c:select expressionAllowed="${expressionAllowed}"/>
+        <c:select expressionAllowed="${expressionAllowed}" checkMethod="post"/>
     </f:entry>
     <st:include page="config-details.jelly" class="${descriptor.clazz}" optional="true"/>
 </j:jelly>
