[SECURITY-1101]

olivergondza · daniel-beck · commit 091ee0dc8dd6 · 2018-09-12T20:33:03.000+02:00
diff --git a/src/main/java/hudson/tasks/junit/JUnitResultArchiver.java b/src/main/java/hudson/tasks/junit/JUnitResultArchiver.java
@@ -32,6 +32,7 @@
 import hudson.model.AbstractProject;
 import hudson.model.BuildListener;
 import hudson.model.Descriptor;
+import hudson.model.Item;
 import hudson.model.Result;
 import hudson.model.Run;
 import hudson.model.Saveable;
@@ -310,7 +311,7 @@ public String getDisplayName() {
         public FormValidation doCheckTestResults(
                 @AncestorInPath AbstractProject project,
                 @QueryParameter String value) throws IOException {
-            if (project == null) {
+            if (project == null || !project.hasPermission(Item.WORKSPACE)) {
                 return FormValidation.ok();
             }
             return FilePath.validateFileMask(project.getSomeWorkspace(), value);
diff --git a/src/main/java/hudson/tasks/test/AggregatedTestResultPublisher.java b/src/main/java/hudson/tasks/test/AggregatedTestResultPublisher.java
@@ -377,6 +377,7 @@ public AggregatedTestResultPublisher newInstance(StaplerRequest req, JSONObject
         }
 
         public AutoCompletionCandidates doAutoCompleteJobs(@QueryParameter String value, @AncestorInPath Item self, @AncestorInPath ItemGroup container) {
+            // Item.READ checked inside
             return AutoCompletionCandidates.ofJobNames(Job.class,value,self,container);
         }
     }
diff --git a/src/main/java/hudson/tasks/test/TestObject.java b/src/main/java/hudson/tasks/test/TestObject.java
@@ -40,6 +40,7 @@
 import org.kohsuke.stapler.export.ExportedBean;
 
 import com.google.common.collect.MapMaker;
+import org.kohsuke.stapler.interceptor.RequirePOST;
 
 import javax.servlet.ServletException;
 import java.io.IOException;
@@ -450,13 +451,14 @@ public Object getDynamic(String token, StaplerRequest req,
         return null;
     }
 
+    @RequirePOST
     public synchronized HttpResponse doSubmitDescription(
             @QueryParameter String description) throws IOException,
             ServletException {
+        getRun().checkPermission(Run.UPDATE);
         if (getRun() == null) {
             LOGGER.severe("getRun() is null, can't save description.");
         } else {
-            getRun().checkPermission(Run.UPDATE);
             setDescription(description);
             getRun().save();
         }

Original file line number	Diff line number	Diff line change
`@@ -377,6 +377,7 @@ public AggregatedTestResultPublisher newInstance(StaplerRequest req, JSONObject`
`377`	`377`	`}`
`378`	`378`
`379`	`379`	`public AutoCompletionCandidates doAutoCompleteJobs(@QueryParameter String value, @AncestorInPath Item self, @AncestorInPath ItemGroup container) {`
	`380`	`+ // Item.READ checked inside`
`380`	`381`	`return AutoCompletionCandidates.ofJobNames(Job.class,value,self,container);`
`381`	`382`	`}`
`382`	`383`	`}`