- Bug
- Resolution: Unresolved
- Blocker
GraniteCredentialsListBoxModel.fillItems should probably start with
if (context == null || !context.hasPermission(Item.CONFIGURE)) { return new ListBoxModel(); }
lest it expose credentials IDs and descriptions to anonymous users.
This is assuming that there is a context passed in from callers, typically as @AncestorInPath.
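The guard proposed above, shown in context as an added example (not the plugin's own code). The class name `GuardedCredentialsListBox` and the choice of `StandardUsernamePasswordCredentials` are assumptions made for illustration; the calls are from Jenkins core and the Credentials plugin.

```java
import com.cloudbees.plugins.credentials.CredentialsProvider;
import com.cloudbees.plugins.credentials.common.StandardListBoxModel;
import com.cloudbees.plugins.credentials.common.StandardUsernamePasswordCredentials;
import com.cloudbees.plugins.credentials.domains.DomainRequirement;
import hudson.model.Item;
import hudson.security.ACL;
import hudson.util.ListBoxModel;
import java.util.Collections;
import java.util.List;

/** Hypothetical helper, named for illustration only. */
public final class GuardedCredentialsListBox {

    private GuardedCredentialsListBox() {}

    /**
     * Builds the credentials drop-down for a job configuration form.
     * Intended call site: a descriptor's doFill...Items method, which Stapler
     * exposes over HTTP, passing its @AncestorInPath Item as the context.
     */
    public static ListBoxModel fillItems(Item context) {
        // Guard first: a caller without CONFIGURE on the job, or a request
        // with no job in its URL, gets an empty list and learns nothing.
        if (context == null || !context.hasPermission(Item.CONFIGURE)) {
            return new ListBoxModel();
        }

        // This lookup runs as ACL.SYSTEM, so it returns every matching
        // credential regardless of who sent the request. Only the guard
        // above ties the result to the caller's permissions.
        List<StandardUsernamePasswordCredentials> creds =
                CredentialsProvider.lookupCredentials(
                        StandardUsernamePasswordCredentials.class,
                        context,
                        ACL.SYSTEM,
                        Collections.<DomainRequirement>emptyList());

        // Each option carries a credential ID as its value and a
        // description-based name as its label: the metadata at issue here.
        return new StandardListBoxModel().withEmptySelection().withAll(creds);
    }
}
```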
Code changed in jenkins
User: Mark Adamcin
Path:
src/main/java/org/jenkinsci/plugins/graniteclient/BuildPackageBuilder.java
src/main/java/org/jenkinsci/plugins/graniteclient/DeployPackagesBuilder.java
src/main/java/org/jenkinsci/plugins/graniteclient/DownloadPackagesBuilder.java
src/main/java/org/jenkinsci/plugins/graniteclient/GraniteAHCFactory.java
src/main/java/org/jenkinsci/plugins/graniteclient/GraniteCredentialsListBoxModel.java
src/main/java/org/jenkinsci/plugins/graniteclient/PackageChoiceParameterDefinition.java
src/main/java/org/jenkinsci/plugins/graniteclient/ReplicatePackagesBuilder.java
http://jenkins-ci.org/commit/crx-content-package-deployer-plugin/9210b8b5e8bc11cc2e5cd6e8fd7f9a4e8b16ec0b
Log:
(JENKINS-25032) Close Credentials metadata leak in GraniteCredentialsListBoxModel