JENKINS-29919

Pull Requests with double quotes cause build failures


Details

    Description

      Pull requests with double quotes in the title of the PR are not properly escaped when used in invoking shell commands. The description is sent as part of the commands to the shell which causes the command to fail. This may be a possible command injection vulnerability for projects that are using this plugin and allow public pull requests.

      A chunk of the relevant log file:

      [workspace] $ hg --config ******** log --template "<changeset node='{node}' author='{author|xmlescape}' rev='{rev}' date='{date}'><msg>{desc|xmlescape}</msg><added>{file_adds|stringify|xmlescape}</added><deleted>{file_dels|stringify|xmlescape}</deleted><files>{files|stringify|xmlescape}</files><parents>{parents}</parents></changeset>\n" --rev BAL-3134:0 --follow --prune ae1822f7c61eab5bb14ef7cfb725d134ac4c893f --encoding UTF-8 --encodingmode replace
      [workspace] $ /var/lib/jenkins/tools/hudson.tasks.Ant_AntInstallation/redant/bin/ant -DsourceBranch=BAL-3134 -DdestinationRepositoryName=*** -DpullRequestId=1369 -DdestinationRepositoryOwner=*** -DrepositoryName=i3ballot_web '-DpullRequestTitle=BAL-3134 API: Error - MessageEngine Message queuer was not provided with an account id."' -DtargetBranch=default -DrepositoryOwner=*** build
      /var/lib/jenkins/tools/hudson.tasks.Ant_AntInstallation/redant/bin/ant: eval: line 336: unexpected EOF while looking for matching `"'
      /var/lib/jenkins/tools/hudson.tasks.Ant_AntInstallation/redant/bin/ant: eval: line 337: syntax error: unexpected end of file
      /var/lib/jenkins/tools/hudson.tasks.Ant_AntInstallation/redant/bin/ant: line 337: warning: syntax errors in . or eval will cause future versions of the shell to abort as Posix requires
      Build step 'Invoke Ant' marked build as failure
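As an added illustration (my own code, not the plugin's or the reporter's), this Python reproduces the quoting failure shown in the log: a title that survives one round of shell word splitting breaks when a wrapper script re-evaluates its arguments with `eval`. `shlex.split` stands in for the shell's parser, the sample title is taken from the log excerpt, and the helper names are mine.

```python
import shlex

# Constructed sample input: the PR title from the issue's log excerpt. It ends in a
# stray double quote, which is the character that broke the build.
PR_TITLE = ('BAL-3134 API: Error - MessageEngine Message queuer was not '
            'provided with an account id."')


def build_ant_args(title):
    """Argument vector the build step intends to run (hypothetical helper name)."""
    return ["ant", "-DpullRequestTitle=" + title, "build"]


def first_shell_layer(args):
    """Single-quote each word and let one shell round split it again, as in the log.
    With no single quotes in the title this round succeeds, so the breakage is not here."""
    cmdline = " ".join("'" + a + "'" for a in args)
    return shlex.split(cmdline)


def second_eval_layer(words):
    """Re-evaluate already-split words, as a wrapper script's `eval` line does.
    The unbalanced double quote now reaches the parser unprotected; this mirrors
    "unexpected EOF while looking for matching `\"'" in the log."""
    try:
        return shlex.split(" ".join(words))
    except ValueError as exc:
        return "error: " + str(exc)


def quote_for_eval(args):
    """Words to hand to a wrapper that evals its arguments once more: each word gets
    one layer of shell quoting for that round, so the title comes back intact.
    Executing the list directly (subprocess.run(args), no shell) avoids the first
    round entirely, but not a wrapper that re-evaluates what it receives."""
    return [shlex.quote(a) for a in args]


def needs_quoting(value):
    """True when the value contains characters a shell would interpret. Useful as a
    pre-flight check before untrusted text such as a PR title reaches a shell step."""
    return shlex.quote(value) != value
```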

People

Assignee: Unassigned
Reporter: dstockto (David Stockton)
Votes: 3
Watchers: 5