[SECURITY-3535]

balakine · ajoshi-CB · commit 32aeb0493c4f · 2025-09-02T14:04:16.000+05:30
diff --git a/src/main/java/hudson/plugins/global_build_stats/GlobalBuildStatsPlugin.java b/src/main/java/hudson/plugins/global_build_stats/GlobalBuildStatsPlugin.java
@@ -26,6 +26,7 @@
 
 import jakarta.servlet.ServletException;
 
+import jenkins.model.Jenkins;
 import net.sf.json.JSONObject;
 
 import org.jfree.chart.JFreeChart;
@@ -123,16 +124,32 @@ public GlobalBuildStatsApi(Object bean) {
     	public void doJson(StaplerRequest2 req, StaplerResponse2 rsp)
     			throws IOException, ServletException {
     		if(!exposeChartData(req, rsp, Flavor.JSON)){
+				Jenkins.get().checkPermission(getRequiredPermission());
     			super.doJson(req, rsp);
     		}
     	}
     	@Override
     	public void doPython(StaplerRequest2 req, StaplerResponse2 rsp)
     			throws IOException, ServletException {
     		if(!exposeChartData(req, rsp, Flavor.PYTHON)){
+				Jenkins.get().checkPermission(getRequiredPermission());
         		super.doPython(req, rsp);
     		}
     	}
+		@Override
+		public void doXml(
+				StaplerRequest2 req,
+				StaplerResponse2 rsp,
+				@QueryParameter String xpath,
+				@QueryParameter String wrapper,
+				@QueryParameter String tree,
+				@QueryParameter int depth
+		) throws IOException, ServletException {
+			if (!exposeChartData(req, rsp, Flavor.XML)) {
+				Jenkins.get().checkPermission(getRequiredPermission());
+				super.doXml(req, rsp, xpath, wrapper, tree, depth);
+			}
+		}
     	
     	private static boolean exposeChartData(StaplerRequest2 req, StaplerResponse2 rsp, Flavor flavor) throws ServletException, IOException{
     		boolean chartDataHasBeenExposed = false;
@@ -456,7 +473,7 @@ public List<BuildStatConfiguration> getBuildStatConfigs() {
 		return buildStatConfigs;
 	}
 	
-	public Permission getRequiredPermission(){
+	public static Permission getRequiredPermission(){
 		return Hudson.ADMINISTER;
 	}
 	
