- Bug
- Resolution: Unresolved
- Major
Pull requests whose title contains a double quote are not properly escaped when the title is used to invoke shell commands. The description is sent as part of the commands to the shell, which causes the command to fail. This may be a possible command injection vulnerability for projects that use this plugin and allow public pull requests.
A chunk of the relevant log file:
[workspace] $ hg --config ******** log --template "<changeset node='{node}' author='{author|xmlescape}' rev='{rev}' date='{date}'><msg>{desc|xmlescape}</msg><added>{file_adds|stringify|xmlescape}</added><deleted>{file_dels|stringify|xmlescape}</deleted><files>{files|stringify|xmlescape}</files><parents>{parents}</parents></changeset>\n" --rev BAL-3134:0 --follow --prune ae1822f7c61eab5bb14ef7cfb725d134ac4c893f --encoding UTF-8 --encodingmode replace
[workspace] $ /var/lib/jenkins/tools/hudson.tasks.Ant_AntInstallation/redant/bin/ant -DsourceBranch=BAL-3134 -DdestinationRepositoryName=*** -DpullRequestId=1369 -DdestinationRepositoryOwner=*** -DrepositoryName=i3ballot_web '-DpullRequestTitle=BAL-3134 API: Error - MessageEngine Message queuer was not provided with an account id."' -DtargetBranch=default -DrepositoryOwner=*** build
/var/lib/jenkins/tools/hudson.tasks.Ant_AntInstallation/redant/bin/ant: eval: line 336: unexpected EOF while looking for matching `"'
/var/lib/jenkins/tools/hudson.tasks.Ant_AntInstallation/redant/bin/ant: eval: line 337: syntax error: unexpected end of file
/var/lib/jenkins/tools/hudson.tasks.Ant_AntInstallation/redant/bin/ant: line 337: warning: syntax errors in . or eval will cause future versions of the shell to abort as Posix requires
Build step 'Invoke Ant' marked build as failure
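To make the failure mode concrete and show two ways a plugin could pass the title without letting it reach a second round of shell parsing, here is an added Python example (not code from the plugin or from Ant). It assumes the ant launcher wraps each argument in double quotes and then feeds the whole line to `eval`, which is what the "unexpected EOF while looking for matching `"`" message above suggests, and it uses Ant's real `-propertyfile` option for the file-based alternative.

```python
"""Added example (not plugin or Ant code): why the PR title in the log breaks
the Ant wrapper, and two defensive ways to hand the value over instead."""
import shlex

# Constructed sample: the title from the log, including its stray trailing "
TITLE = ('BAL-3134 API: Error - MessageEngine Message queuer was not '
         'provided with an account id."')


def wrapper_eval_string(title: str) -> str:
    """Mimic a launcher that wraps each argument in double quotes and then
    hands the whole line to `eval` (assumed; it matches the log's error)."""
    return f'exec java Launcher "-DpullRequestTitle={title}" "build"'


def parse_as_shell(cmd: str):
    """Split with POSIX quoting rules. None stands for the shell's
    'unexpected EOF while looking for matching `"`' (shlex raises ValueError)."""
    try:
        return shlex.split(cmd)
    except ValueError:
        return None


def escaped_property(name: str, value: str) -> str:
    """Escape the characters that stay special inside double quotes (\\ " $ `)
    so the value survives the launcher's second round of parsing intact."""
    for ch in ('\\', '"', '$', '`'):          # backslash first, then the rest
        value = value.replace(ch, '\\' + ch)
    return f'"-D{name}={value}"'


def properties_file(props: dict) -> str:
    """Safer still: emit a Java .properties file for `ant -propertyfile`, so
    untrusted text never appears on the command line at all."""
    lines = []
    for key, value in props.items():
        key = key.replace('\\', '\\\\').replace('=', '\\=').replace(' ', '\\ ')
        value = (value.replace('\\', '\\\\').replace('\n', '\\n')
                 .replace('\r', '\\r'))
        lines.append(f'{key}={value}')
    return '\n'.join(lines) + '\n'


if __name__ == '__main__':
    print('raw title parses:    ', parse_as_shell(wrapper_eval_string(TITLE)))
    fixed = f'exec java Launcher {escaped_property("pullRequestTitle", TITLE)} "build"'
    print('escaped title parses:', parse_as_shell(fixed))
    print(properties_file({'pullRequestTitle': TITLE}), end='')
```

Run stand-alone, the raw string fails to parse while the escaped form yields the title as one intact argument; the properties-file form sidesteps shell quoting entirely.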