
Credentials metadata leak in GraniteCredentialsListBoxModel

      GraniteCredentialsListBoxModel.fillItems should probably start with

      if (context == null || !context.hasPermission(Item.CONFIGURE)) {
          return new ListBoxModel();
      }
      

      lest it expose credentials IDs and descriptions to anonymous users.

      This is assuming that there is a context passed in from callers, typically as @AncestorInPath.
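The guard proposed above, shown inside a credentials dropdown fill method. This is an added example, not the plugin's own code: the class name `GuardedCredentialsFill`, the credential type and the use of the Credentials plugin's `StandardListBoxModel` are assumptions, and it compiles only against Jenkins core and the Credentials plugin.

```java
import com.cloudbees.plugins.credentials.CredentialsProvider;
import com.cloudbees.plugins.credentials.common.StandardListBoxModel;
import com.cloudbees.plugins.credentials.common.StandardUsernamePasswordCredentials;
import com.cloudbees.plugins.credentials.domains.DomainRequirement;
import hudson.model.Item;
import hudson.security.ACL;
import hudson.util.ListBoxModel;
import java.util.Collections;
import java.util.List;

/** Hypothetical helper (assumed name) for a descriptor's doFill...Items method. */
public final class GuardedCredentialsFill {

    private GuardedCredentialsFill() {
    }

    /**
     * @param context the job being configured, normally bound by the caller
     *                with @AncestorInPath; null when the request did not
     *                arrive through a job URL.
     */
    public static ListBoxModel fillItems(Item context) {
        // The lookup below runs as ACL.SYSTEM, so by itself it returns every
        // matching credential no matter who sent the request. The permission
        // check is the only thing tying the response to the requesting user.
        if (context == null || !context.hasPermission(Item.CONFIGURE)) {
            // No IDs or descriptions for users who cannot configure the job.
            return new ListBoxModel();
        }

        List<StandardUsernamePasswordCredentials> visible =
                CredentialsProvider.lookupCredentials(
                        StandardUsernamePasswordCredentials.class,
                        context,
                        ACL.SYSTEM,
                        Collections.<DomainRequirement>emptyList());

        // Each option carries only the credential ID and its display name;
        // that is exactly the metadata the guard keeps away from anonymous users.
        return new StandardListBoxModel()
                .withEmptySelection()
                .withAll(visible);
    }
}
```

A quick check after deploying such a fix is to request the fill URL without a session and confirm the returned list is empty.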

          [JENKINS-25032] Credentials metadata leak in GraniteCredentialsListBoxModel

          Code changed in jenkins
          User: Mark Adamcin
          Path:
          src/main/java/org/jenkinsci/plugins/graniteclient/BuildPackageBuilder.java
          src/main/java/org/jenkinsci/plugins/graniteclient/DeployPackagesBuilder.java
          src/main/java/org/jenkinsci/plugins/graniteclient/DownloadPackagesBuilder.java
          src/main/java/org/jenkinsci/plugins/graniteclient/GraniteAHCFactory.java
          src/main/java/org/jenkinsci/plugins/graniteclient/GraniteCredentialsListBoxModel.java
          src/main/java/org/jenkinsci/plugins/graniteclient/PackageChoiceParameterDefinition.java
          src/main/java/org/jenkinsci/plugins/graniteclient/ReplicatePackagesBuilder.java
          http://jenkins-ci.org/commit/crx-content-package-deployer-plugin/9210b8b5e8bc11cc2e5cd6e8fd7f9a4e8b16ec0b
          Log:
          (JENKINS-25032) Close Credentials metadata leak in GraniteCredentialsListBoxModel

          Code changed in jenkins
          User: Mark Adamcin
          Path:
          src/main/java/org/jenkinsci/plugins/graniteclient/BuildPackageBuilder.java
          src/main/java/org/jenkinsci/plugins/graniteclient/DeployPackagesBuilder.java
          src/main/java/org/jenkinsci/plugins/graniteclient/DownloadPackagesBuilder.java
          src/main/java/org/jenkinsci/plugins/graniteclient/GraniteAHCFactory.java
          src/main/java/org/jenkinsci/plugins/graniteclient/GraniteCredentialsListBoxModel.java
          src/main/java/org/jenkinsci/plugins/graniteclient/PackageChoiceParameterDefinition.java
          src/main/java/org/jenkinsci/plugins/graniteclient/ReplicatePackagesBuilder.java
          http://jenkins-ci.org/commit/crx-content-package-deployer-plugin/5089ad5f9803c55a6e0f46eaebb0bbd79f802228
          Log:
          Merge pull request #1 from jenkinsci/bugfix/JENKINS-25032

          (JENKINS-25032) Close Credentials metadata leak in GraniteCredentialsListBoxModel

          Compare: https://github.com/jenkinsci/crx-content-package-deployer-plugin/compare/bb9b876b7ced...5089ad5f9803

            Assignee: Unassigned
            Reporter: Jesse Glick (jglick)