
hudson.model.Fingerprint.RangeSet.fromString(...) accepts malformed ranges

    • Bug
    • Resolution: Fixed
    • Minor
    • core
    • None

      hudson.model.Fingerprint.RangeSet.fromString(...) accepts a malformed form of string which doesn't represent any range like:

      • "1--5" or "1------5"
      • "1,,5" or "1,,,,,,,5"
      • "1-5-"
      • ",-,"
      • "1-"
      • ",1,2"
      • "5-1" etc.

      Proposed fix:
      We should be very rigid and careful about input validation because this function is directly utilized from e.g. the AbstractBuildRangeCommand class, where the user input string is passed directly without any validation.
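
A strict parser that rejects every malformed form listed in the description, as an added example; it is not the Jenkins fix and not code from the project. The class name `StrictRangeParser`, the inclusive `{low, high}` result, and the rejection of empty input and whitespace are assumptions made for illustration.

```java
import java.util.ArrayList;
import java.util.List;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

// Added illustration: StrictRangeParser is a hypothetical class, not Jenkins code.
public class StrictRangeParser {
    // One token is either "N" or "N-M": digits only, at most one hyphen, no whitespace.
    private static final Pattern TOKEN = Pattern.compile("(\\d+)(?:-(\\d+))?");

    /** Returns inclusive {low, high} pairs, or throws on any malformed input. */
    public static List<int[]> parse(String spec) {
        List<int[]> ranges = new ArrayList<>();
        // Limit -1 keeps trailing empty tokens, so "1," is seen as ["1", ""]
        // instead of being silently shortened to ["1"].
        for (String token : spec.split(",", -1)) {
            Matcher m = TOKEN.matcher(token);
            if (!m.matches()) { // catches "", "-", "1-", "1--5", "1-5-"
                throw new IllegalArgumentException("Malformed range token '" + token + "' in '" + spec + "'");
            }
            try {
                int low = Integer.parseInt(m.group(1));
                int high = m.group(2) == null ? low : Integer.parseInt(m.group(2));
                if (low > high) { // "5-1"
                    throw new IllegalArgumentException("Descending range '" + token + "' in '" + spec + "'");
                }
                ranges.add(new int[] {low, high});
            } catch (NumberFormatException e) { // digit run too large for an int
                throw new IllegalArgumentException("Number too large in '" + token + "'", e);
            }
        }
        return ranges;
    }

    public static void main(String[] args) {
        // The malformed inputs listed in the issue, followed by two valid ones (constructed).
        String[] samples = {"1--5", "1------5", "1,,5", "1,,,,,,,5", "1-5-", ",-,", "1-", ",1,2", "5-1", "1-5", "1,3-4,9"};
        for (String s : samples) {
            try {
                System.out.println("accepted " + s + " -> " + parse(s).size() + " range(s)");
            } catch (IllegalArgumentException e) {
                System.out.println("rejected " + s + ": " + e.getMessage());
            }
        }
    }
}
```

Matching each whole token against one anchored pattern, and splitting with a negative limit, is what closes the repeated-separator and leading/trailing-separator cases; the ordering check is a separate step because a pattern alone cannot reject "5-1".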

          [JENKINS-33037] hudson.model.Fingerprint.RangeSet.fromString(...) accepts malformed ranges

          Pavel Janoušek created issue -
          Pavel Janoušek made changes -
          Description Original: hudson.model.Fingerprint.RangeSet.fromString(...) accepts a string range specification like "1--3", "1,,15" etc. Hyphen and comma can be repeated more times (like "1------10", "1,,,,,,,10").

          Proposed fix:
          We should reject either "--" or ",," from the input.

          Pavel Janoušek added a comment - PR sent.

          SCM/JIRA link daemon added a comment -
          Code changed in jenkins
          User: Ing. Pavel Janousek
          Path:
          core/src/main/java/hudson/model/Fingerprint.java
          core/src/test/java/hudson/model/FingerprintTest.java
          http://jenkins-ci.org/commit/jenkins/c1621a2bd09533f874c4aff9d193c334ee97078d
          Log:
          JENKINS-33037 Fixed malformed ranges in RangeSet.fromString()

          Fix for rejecting malformed ranges in
          hudson.model.Fingerprint.RangeSet.fromString(...)

          SCM/JIRA link daemon added a comment -
          Code changed in jenkins
          User: Oliver Gondža
          Path:
          core/src/main/java/hudson/model/Fingerprint.java
          core/src/test/java/hudson/model/FingerprintTest.java
          http://jenkins-ci.org/commit/jenkins/8ba59197e4d44444631c9cf2570749d49f25a724
          Log:
          Merge pull request #2049 from pjanouse/JENKINS-33037

          [FIXED JENKINS-33037] Fixed malformed ranges in RangeSet.fromString()
          SCM/JIRA link daemon made changes -
          Resolution New: Fixed [ 1 ]
          Status Original: Open [ 1 ] New: Resolved [ 5 ]

            pajasoft Pavel Janoušek