JENKINS-29919

Pull Requests with double quotes cause build failures


      Pull requests with double quotes in the title of the PR are not properly escaped when used in invoking shell commands. The description is sent as part of the commands to the shell which causes the command to fail. This may be a possible command injection vulnerability for projects that are using this plugin and allow public pull requests.

      A chunk of the relevant log file:

      [workspace] $ hg --config ******** log --template "<changeset node='{node}' author='{author|xmlescape}' rev='{rev}' date='{date}'><msg>{desc|xmlescape}</msg><added>{file_adds|stringify|xmlescape}</added><deleted>{file_dels|stringify|xmlescape}</deleted><files>{files|stringify|xmlescape}</files><parents>{parents}</parents></changeset>\n" --rev BAL-3134:0 --follow --prune ae1822f7c61eab5bb14ef7cfb725d134ac4c893f --encoding UTF-8 --encodingmode replace
      [workspace] $ /var/lib/jenkins/tools/hudson.tasks.Ant_AntInstallation/redant/bin/ant -DsourceBranch=BAL-3134 -DdestinationRepositoryName=*** -DpullRequestId=1369 -DdestinationRepositoryOwner=*** -DrepositoryName=i3ballot_web '-DpullRequestTitle=BAL-3134 API: Error - MessageEngine Message queuer was not provided with an account id."' -DtargetBranch=default -DrepositoryOwner=*** build
      /var/lib/jenkins/tools/hudson.tasks.Ant_AntInstallation/redant/bin/ant: eval: line 336: unexpected EOF while looking for matching `"'
      /var/lib/jenkins/tools/hudson.tasks.Ant_AntInstallation/redant/bin/ant: eval: line 337: syntax error: unexpected end of file
      /var/lib/jenkins/tools/hudson.tasks.Ant_AntInstallation/redant/bin/ant: line 337: warning: syntax errors in . or eval will cause future versions of the shell to abort as Posix requires
      Build step 'Invoke Ant' marked build as failure
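To make the failure mode concrete, here is an added example (not the plugin's or Ant's code) that passes a PR title modelled on the one in the log to a build command in three ways: joined into one string and eval'd unquoted, joined with shlex.quote, and as a plain argv list. `sh` with `printf` stands in for the Ant launcher so the example runs without Jenkins or Ant.

```python
"""Added example: passing an untrusted pull-request title to a build tool.
Not the plugin's or Ant's code; `sh` stands in for the Ant launcher script."""
import shlex
import subprocess

# Constructed title modelled on the one in the log above (ends in a stray ").
PR_TITLE = ('BAL-3134 API: Error - MessageEngine Message queuer was not '
            'provided with an account id."')


def ant_properties(title, pr_id):
    """The -D properties as separate words, exactly as they should reach ant."""
    return ["-DpullRequestTitle=" + title, "-DpullRequestId=" + pr_id, "build"]


def run_argv(words):
    """Preferred fix: hand each word to the tool as its own argv element.
    Nothing is re-parsed by a shell, so the title arrives verbatim.
    (printf echoes one argument per line so we can see what arrived.)"""
    proc = subprocess.run(["sh", "-c", 'printf \'%s\\n\' "$@"', "sh", *words],
                          capture_output=True, text=True, check=True)
    return proc.stdout.splitlines()


def run_via_eval(words, quote):
    """Stand-in for a launcher that joins its arguments into one string and
    evals it, as in the log above.  With quote=False a title containing a
    double quote breaks the parse (the "unexpected EOF" error); with
    quote=True shlex.quote turns every word into one literal token, so the
    same title survives.  Returns (exit status, stdout lines, stderr)."""
    joined = " ".join(shlex.quote(w) if quote else w for w in words)
    proc = subprocess.run(
        ["sh", "-c", 'eval "printf \'%s\\n\' $1"', "sh", joined],
        capture_output=True, text=True)
    return proc.returncode, proc.stdout.splitlines(), proc.stderr.strip()


if __name__ == "__main__":
    words = ant_properties(PR_TITLE, "1369")
    rc, out, err = run_via_eval(words, quote=False)
    print("unquoted eval: rc=%d, stderr=%s" % (rc, err))   # shell syntax error
    rc, out, err = run_via_eval(words, quote=True)
    print("quoted eval:   rc=%d, words=%r" % (rc, out))     # title intact
    print("argv:          words=%r" % run_argv(words))      # title intact
```

The argv form is the one to prefer: a launcher that must build a single string for `eval` has to quote every word, and any title character it forgets to escape is parsed as shell syntax rather than data.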

Assignee: Unassigned
Reporter: David Stockton (dstockto)