[JENKINS-29919] Pull Requests with double quotes cause build failures

Pull requests with double quotes in the title of the PR are not properly escaped when used in invoking shell commands. The description is sent as part of the commands to the shell which causes the command to fail. This may be a possible command injection vulnerability for projects that are using this plugin and allow public pull requests.

A chunk of the relevant log file:

      [workspace] $ hg --config ******** log --template "<changeset node='{node}' author='{author|xmlescape}' rev='{rev}' date='{date}'><msg>{desc|xmlescape}</msg><added>{file_adds|stringify|xmlescape}</added><deleted>{file_dels|stringify|xmlescape}</deleted><files>{files|stringify|xmlescape}</files><parents>{parents}</parents></changeset>\n" --rev BAL-3134:0 --follow --prune ae1822f7c61eab5bb14ef7cfb725d134ac4c893f --encoding UTF-8 --encodingmode replace
      [workspace] $ /var/lib/jenkins/tools/hudson.tasks.Ant_AntInstallation/redant/bin/ant -DsourceBranch=BAL-3134 -DdestinationRepositoryName=*** -DpullRequestId=1369 -DdestinationRepositoryOwner=*** -DrepositoryName=i3ballot_web '-DpullRequestTitle=BAL-3134 API: Error - MessageEngine Message queuer was not provided with an account id."' -DtargetBranch=default -DrepositoryOwner=*** build
      /var/lib/jenkins/tools/hudson.tasks.Ant_AntInstallation/redant/bin/ant: eval: line 336: unexpected EOF while looking for matching `"'
      /var/lib/jenkins/tools/hudson.tasks.Ant_AntInstallation/redant/bin/ant: eval: line 337: syntax error: unexpected end of file
      /var/lib/jenkins/tools/hudson.tasks.Ant_AntInstallation/redant/bin/ant: line 337: warning: syntax errors in . or eval will cause future versions of the shell to abort as Posix requires
      Build step 'Invoke Ant' marked build as failure
      

Edward Hartwell Goose added a comment -

I confirm I am having the same problem, with the GitHub Pull Request Builder. Note the double quotes in the ghprbPullLongDescription ("15 => 0015")

          [workspace] $ ant -DghprbCommentBody=null -DghprbTriggerAuthorEmail= -DghprbTargetBranch=development -DghprbSourceBranch=fix-coupon-date-validation -DghprbCredentialsId=dbc6f525-77c4-4112-8fa6-b1457ee5e493 "-DghprbActualCommitAuthor=Author Name" -Dsha1=origin/pr/634/merge '-DghprbPullLongDescription=Unit test plus various fixes for Start and Expiry Date validation on coupons.
          \nThis is designed to prevent the "15 => 0015" year issue which someone keeps causing, plus tighten up the validation for other issues too.
          \n
          \n' -DghprbPullLink=https://github.com/company/Repo/pull/634 -DghprbActualCommit=0c070362ac697b55ae72bf71b7dba290e96ddad2 -DghprbTriggerAuthorLoginMention= -DghprbAuthorRepoGitUrl=https://github.com/company/Repo.git -DghprbPullAuthorEmail= -DGIT_BRANCH=fix-coupon-date-validation -DghprbPullAuthorLogin=author -DghprbGhRepository=repo/Repo -DghprbActualCommitAuthorEmail=tim@company.com -DghprbTriggerAuthor= -DghprbTriggerAuthorLogin= -DghprbPullId=634 "-DghprbPullTitle=Fixes #796. Fix date validation" -DghprbPullAuthorLoginMention=@author "-DghprbPullDescription=GitHub pull request #634 of commit 0c070362ac697b55ae72bf71b7dba290e96ddad2, no merge conflicts." build.fast
          
          BUILD FAILED
          Target "=" does not exist in the project "ProjectName". 
          
          Total time: 0 seconds
          Build step 'Invoke Ant' marked build as failure
          

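Both reports fail at the same point: the ant launcher script evals the assembled command line (the `ant: eval:` lines in the first log), so an unescaped `"` inside the pull request title or description closes its quoting early; in the first case the shell hits end of input with a quote still open, and in the second the `>` in `15 => 0015` is then read as a redirection, leaving a bare `=` as the Ant target. The shell snippet below is an added example, not code from the Jenkins plugins or from Ant: it reproduces the unmatched-quote failure with the title from the first report and contrasts it with a single-quote escaping routine whose output re-parses to the original value. The function names (`naive_wrap`, `shell_quote`, `reparse_count`, `reparse_first`) are chosen here.

```shell
#!/bin/sh
# Added example, not code from the Jenkins plugins or the Ant launcher.
# It models a launcher that wraps each argument in double quotes and then
# evals the assembled command string, and contrasts that with a quoting
# routine whose output survives re-parsing unchanged.

# Constructed sample: the pull request title from the report (it ends with a ").
PR_TITLE='BAL-3134 API: Error - MessageEngine Message queuer was not provided with an account id."'

# naive_wrap: quote an argument by surrounding it with double quotes. A "
# inside the value terminates the quoting early; with the sample title the
# shell is left with an unmatched " and reports "unexpected EOF", as in the log.
naive_wrap() {
    printf '"%s"' "$1"
}

# shell_quote: quote an argument with single quotes, rewriting each embedded
# single quote as '\'' so the value is reproduced byte for byte after eval.
shell_quote() {
    printf "'%s'" "$(printf '%s' "$1" | sed "s/'/'\\\\''/g")"
}

# reparse_count: eval the quoted string as a word list (in a subshell, so a
# parse error cannot kill the caller) and print how many words the shell
# produced, or ERR when the string does not parse at all.
reparse_count() {
    ( eval "set -- $1" && echo "$#" ) 2>/dev/null || echo ERR
}

# reparse_first: eval the quoted string and print the first resulting word,
# so the caller can compare it with the original value.
reparse_first() {
    ( eval "set -- $1" && printf '%s\n' "$1" ) 2>/dev/null || echo ERR
}

# Demonstration: the naive form fails to parse, the safe form round-trips.
echo "naive: $(reparse_count "$(naive_wrap "$PR_TITLE")")"   # ERR
echo "safe:  $(reparse_count "$(shell_quote "$PR_TITLE")")"  # 1
[ "$(reparse_first "$(shell_quote "$PR_TITLE")")" = "$PR_TITLE" ] && echo "round-trip ok"
```

A value that happens to parse can still be silently altered: with the naive wrapper, `it's "quoted"` comes back as the single word `it's quoted`, so checking only for a build failure would miss it.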

AJ Michels added a comment -

We have encountered this issue also.

Assignee: Unassigned
Reporter: David Stockton (dstockto)
Votes: 3
Watchers: 5