Security fixes (#180)

Major security fixes

src/main/java/com/synopsys/arc/jenkinsci/plugins/jobrestrictions/restrictions/job/RegexNameRestriction.java

@@ -33,8 +33,10 @@
 import hudson.util.FormValidation;
 import java.util.regex.Pattern;
 import java.util.regex.PatternSyntaxException;
+import jenkins.model.Jenkins;
 import org.kohsuke.stapler.DataBoundConstructor;
 import org.kohsuke.stapler.QueryParameter;
+import org.kohsuke.stapler.interceptor.RequirePOST;
 
 /**
  * Restricts the jobs execution by applying regular expressions to their names.
@@ -86,7 +88,9 @@ public String getDisplayName() {
             return Messages.restrictions_Job_RegexName();
         }
 
+        @RequirePOST
         public FormValidation doCheckRegexExpression(@QueryParameter String regexExpression) {
+            Jenkins.get().checkPermission(Jenkins.ADMINISTER);
             try {
                 Pattern.compile(regexExpression);
             } catch (PatternSyntaxException exception) {

src/main/java/com/synopsys/arc/jenkinsci/plugins/jobrestrictions/util/GroupSelector.java

@@ -41,6 +41,7 @@
 import org.acegisecurity.userdetails.UsernameNotFoundException;
 import org.kohsuke.stapler.DataBoundConstructor;
 import org.kohsuke.stapler.QueryParameter;
+import org.kohsuke.stapler.interceptor.RequirePOST;
 import org.springframework.dao.DataAccessException;
 
 /**
@@ -96,7 +97,9 @@ public String getDisplayName() {
             return "N/A";
         }
 
+        @RequirePOST
         public FormValidation doCheckSelectedGroupId(@QueryParameter String selectedGroupId) {
+            Jenkins.get().checkPermission(Jenkins.ADMINISTER);
             selectedGroupId = Util.fixEmptyAndTrim(selectedGroupId);
             SecurityRealm sr = Jenkins.get().getSecurityRealm();
             String eSelectedGroupId = Functions.escape(selectedGroupId);

src/main/java/com/synopsys/arc/jenkinsci/plugins/jobrestrictions/util/UserSelector.java

@@ -32,10 +32,12 @@
 import hudson.util.FormValidation;
 import java.io.Serializable;
 import java.util.Objects;
+import jenkins.model.Jenkins;
 import org.kohsuke.accmod.Restricted;
 import org.kohsuke.accmod.restrictions.NoExternalUse;
 import org.kohsuke.stapler.DataBoundConstructor;
 import org.kohsuke.stapler.QueryParameter;
+import org.kohsuke.stapler.interceptor.RequirePOST;
 
 /**
  * Describable Item, which allows to configure a user.
@@ -91,7 +93,9 @@ public String getDisplayName() {
         }
 
         @Restricted(NoExternalUse.class) // Stapler only
+        @RequirePOST
         public FormValidation doCheckSelectedUserId(@QueryParameter String selectedUserId) {
+            Jenkins.get().checkPermission(Jenkins.ADMINISTER);
             selectedUserId = Util.fixEmptyAndTrim(selectedUserId);
             if (selectedUserId == null) {
                 return FormValidation.error("Field is empty");

src/main/java/io/jenkins/plugins/jobrestrictions/util/ClassSelector.java

@@ -35,6 +35,7 @@
 import jenkins.model.Jenkins;
 import org.kohsuke.stapler.DataBoundConstructor;
 import org.kohsuke.stapler.QueryParameter;
+import org.kohsuke.stapler.interceptor.RequirePOST;
 
 /**
  * Describable Item, which allows to select class.
@@ -89,7 +90,9 @@ public String getDisplayName() {
             return "N/A";
         }
 
+        @RequirePOST
         public FormValidation doCheckSelectedClass(final @QueryParameter String selectedClass) {
+            Jenkins.get().checkPermission(Jenkins.ADMINISTER);
             String _selectedClass = Util.fixEmptyAndTrim(selectedClass);
             if (_selectedClass == null) {
                 return FormValidation.error("Field is empty");