hudson.model.Fingerprint.RangeSet.fromString(...) accepts malformed ranges

    • Type: Bug
    • Resolution: Fixed
    • Priority: Minor
    • Component: core
    • Labels: None

      hudson.model.Fingerprint.RangeSet.fromString(...) accepts malformed strings which don't represent any range, like:

      • "1--5" or "1------5"
      • "1,,5" or "1,,,,,,,5"
      • "1-5-"
      • ",-,"
      • "1-"
      • ",1,2"
      • "5-1" etc.

      Proposed fix:
      We should be very rigid and careful about input validation, because this function is directly utilized from e.g. the AbstractBuildRangeCommand class, where the user input string is passed directly without any validation.
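A strict parser for the range syntax this report implies, added here as an illustration and not Jenkins' own Fingerprint.RangeSet.fromString code. It assumes the grammar item(,item)* with item = N or N-M, N <= M, no whitespace, no empty items and no dangling separators (the issue lists the rejected forms but not the full grammar), validates the whole input before splitting it, and rejects every malformed example listed above while still accepting a well-formed set.

```java
import java.util.ArrayList;
import java.util.List;
import java.util.regex.Pattern;

// Added illustration, not Jenkins' Fingerprint.RangeSet.fromString. Assumed grammar:
// comma-separated items, each a build number "N" or an inclusive span "N-M" with
// N <= M; no whitespace, no empty items, no leading or trailing separators.
public final class StrictRangeSet {
    // Validate the whole input up front, so split() below can never see an
    // empty token or a dangling "-"/"," that a per-token loop would let through.
    private static final Pattern GRAMMAR =
            Pattern.compile("\\d+(-\\d+)?(,\\d+(-\\d+)?)*");

    /** Returns the parsed [lo, hi] pairs, or throws on any malformed input. */
    public static List<int[]> parse(String spec) {
        if (spec == null || !GRAMMAR.matcher(spec).matches()) {
            throw new IllegalArgumentException("malformed range set: " + spec);
        }
        List<int[]> ranges = new ArrayList<>();
        for (String item : spec.split(",")) {
            String[] ends = item.split("-");            // one or two digit strings
            int lo = Integer.parseInt(ends[0]);         // NumberFormatException on overflow
            int hi = ends.length == 2 ? Integer.parseInt(ends[1]) : lo;
            if (lo > hi) {                               // "5-1": valid syntax, empty range
                throw new IllegalArgumentException("range start after end: " + item);
            }
            ranges.add(new int[] {lo, hi});
        }
        return ranges;
    }

    public static void main(String[] args) {
        // The malformed forms listed in the issue; every one must be rejected.
        String[] malformed = {"1--5", "1------5", "1,,5", "1,,,,,,,5",
                              "1-5-", ",-,", "1-", ",1,2", "5-1"};
        for (String s : malformed) {
            try {
                parse(s);
                System.out.println("ACCEPTED (validation gap): " + s);
            } catch (IllegalArgumentException e) {   // NumberFormatException is a subclass
                System.out.println("rejected: " + e.getMessage());
            }
        }
        for (int[] r : parse("1,3-5,10")) {
            System.out.println("range " + r[0] + ".." + r[1]);
        }
    }
}
```

Validating the complete string against one grammar before tokenizing is what closes the gap: a loop that trims and skips empty tokens silently accepts "1,,5" and ",1,2", and a split on "-" accepts "1--5" once empty parts are skipped.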

          [JENKINS-33037] hudson.model.Fingerprint.RangeSet.fromString(...) accepts malformed ranges

          Pavel Janoušek created issue -
          Pavel Janoušek made changes -
          Description Original: hudson.model.Fingerprint.RangeSet.fromString(...) accepts a string range specification like "1--3", "1,,15" etc. Hyphen and comma can be repeated more times (like "1------10", "1,,,,,,,10").

          Proposed fix:
          We should reject any either "--" or ",," from the input.
          New: {{hudson.model.Fingerprint.RangeSet.fromString(...)}} accepts a string range specification like "1--3", "1,,15" etc. Hyphen and comma can be repeated more times (like "1------10", "1,,,,,,,10").

          Proposed fix:
          We should reject any either "--" or ",," from the input.
          Pavel Janoušek made changes -
          Description Original: (as in the previous revision)
          New: {{hudson.model.Fingerprint.RangeSet.fromString(...)}} accepts a malformed form of string which doesn't represent any range like:
          * "1--5" or "1------5"
          * "1,,5" or "1,,,,,,,5"
          * "1-5-"
          * "5-1" etc.

          Proposed fix:
          We should be very rigid and careful in input validation because this function is directly utilized from e.g. AbstractBuildRangeCommand where user input string is passed directly without any validation.
          Pavel Janoušek made changes -
          Description Original: (as in the previous revision)
          New: {{hudson.model.Fingerprint.RangeSet.fromString(...)}} accepts a malformed form of string which doesn't represent any range like:
          * "1--5" or "1------5"
          * "1,,5" or "1,,,,,,,5"
          * "1-5-"
          * ",-,"
          * "1-"
          * "5-1" etc.

          Proposed fix:
          We should be very rigid and careful in input validation because this function is directly utilized from e.g. AbstractBuildRangeCommand where user input string is passed directly without any validation.
          Pavel Janoušek made changes -
          Description Original: (as in the previous revision)
          New: {{hudson.model.Fingerprint.RangeSet.fromString(...)}} accepts a malformed form of string which doesn't represent any range like:
          * "1--5" or "1------5"
          * "1,,5" or "1,,,,,,,5"
          * "1-5-"
          * ",-,"
          * "1-"
          * ",1,2"
          * "5-1" etc.

          Proposed fix:
          We should be very rigid and careful in input validation because this function is directly utilized from e.g. AbstractBuildRangeCommand where user input string is passed directly without any validation.
          Pavel Janoušek made changes -
          Description Original: (as in the previous revision)
          New: {{hudson.model.Fingerprint.RangeSet.fromString(...)}} accepts a malformed form of string which doesn't represent any range like:
          * "1--5" or "1------5"
          * "1,,5" or "1,,,,,,,5"
          * "1-5-"
          * ",-,"
          * "1-"
          * ",1,2"
          * "5-1" etc.

          Proposed fix:
          We should be very rigid and careful of input validation because this function is directly utilized from e.g. {{AbstractBuildRangeCommand}} class where user input string is passed directly without any validation.
          SCM/JIRA link daemon made changes -
          Resolution New: Fixed
          Status Original: Open New: Resolved
          R. Tyler Croy made changes -
          Workflow Original: JNJira New: JNJira + In-Review

            Assignee: Pavel Janoušek (pajasoft)
            Reporter: Pavel Janoušek (pajasoft)
            Votes: 0
            Watchers: 3