Jenkins / JENKINS-33037

hudson.model.Fingerprint.RangeSet.fromString(...) accepts malformed ranges

    Details

    • Type: Bug
    • Status: Resolved
    • Priority: Minor
    • Resolution: Fixed
    • Component/s: core
    • Labels:
      None
      Description

      hudson.model.Fingerprint.RangeSet.fromString(...) accepts malformed strings which don't represent any range, like:

      • "1--5" or "1------5"
      • "1,,5" or "1,,,,,,,5"
      • "1-5-"
      • ",-,"
      • "1-"
      • ",1,2"
      • "5-1" etc.

      Proposed fix:
      We should be very rigid and careful about input validation because this function is used directly from, e.g., the AbstractBuildRangeCommand class, where the user input string is passed directly without any validation.
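
      A strict parser that rejects every malformed form listed in the description, as an added example and not the Jenkins fix or code from this issue. The class name StrictRangeParser, the inclusive bounds, the 9-digit limit and the rejection of whitespace are assumptions made for illustration.

```java
import java.util.ArrayList;
import java.util.List;
import java.util.regex.Pattern;

public class StrictRangeParser {
    // One element is either "N" or "N-M": digits only, at most 9 so parseInt cannot overflow (assumed limit).
    private static final Pattern ELEMENT = Pattern.compile("\\d{1,9}(-\\d{1,9})?");

    /** Parses "1-5,7,10-12" into inclusive {start, end} pairs or throws IllegalArgumentException. */
    static List<int[]> parse(String spec) {
        if (spec == null || spec.isEmpty()) {
            throw new IllegalArgumentException("empty range specification");
        }
        List<int[]> ranges = new ArrayList<>();
        // Limit -1 keeps leading and trailing empty strings, so ",1,2" and "1,2," each yield an empty element.
        for (String element : spec.split(",", -1)) {
            if (!ELEMENT.matcher(element).matches()) {
                throw new IllegalArgumentException("malformed element '" + element + "' in '" + spec + "'");
            }
            String[] bounds = element.split("-");
            int start = Integer.parseInt(bounds[0]);
            int end = bounds.length == 2 ? Integer.parseInt(bounds[1]) : start;
            if (start > end) { // "5-1" is syntactically valid but does not describe a range
                throw new IllegalArgumentException("descending range '" + element + "'");
            }
            ranges.add(new int[] {start, end});
        }
        return ranges;
    }

    public static void main(String[] args) {
        // Constructed inputs: one well-formed string, then the malformed forms listed in the issue.
        String[] samples = {"1-5,7,10-12", "1--5", "1------5", "1,,5", "1-5-", ",-,", "1-", ",1,2", "5-1"};
        for (String s : samples) {
            try {
                StringBuilder out = new StringBuilder();
                for (int[] r : parse(s)) out.append('[').append(r[0]).append("..").append(r[1]).append("] ");
                System.out.println("accepted \"" + s + "\" -> " + out.toString().trim());
            } catch (IllegalArgumentException e) {
                System.out.println("rejected \"" + s + "\": " + e.getMessage());
            }
        }
    }
}
```

      Matching each element against a whole-string pattern before converting it is what closes the repeated-separator and dangling-hyphen cases; the ordering check is separate because "5-1" passes the syntax check.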

          Activity

          pajasoft Pavel Janoušek created issue -
          pajasoft Pavel Janoušek made changes -
          Field Original Value New Value
          Description hudson.model.Fingerprint.RangeSet.fromString(...) accepts a string range specification like "1--3", "1,,15" etc. Hyphen and comma can be repeated more times (like "1------10", "1,,,,,,,10").

          Proposed fix:
          We should reject either "--" or ",," from the input.
          pajasoft Pavel Janoušek added a comment -

          PR sent.

          scm_issue_link SCM/JIRA link daemon added a comment -

          Code changed in jenkins
          User: Ing. Pavel Janousek
          Path:
          core/src/main/java/hudson/model/Fingerprint.java
          core/src/test/java/hudson/model/FingerprintTest.java
          http://jenkins-ci.org/commit/jenkins/c1621a2bd09533f874c4aff9d193c334ee97078d
          Log:
          JENKINS-33037 Fixed malformed ranges in RangeSet.fromString()

          Fix for rejecting malformed ranges in
          hudson.model.Fingerprint.RangeSet.fromString(...)

          scm_issue_link SCM/JIRA link daemon added a comment -

          Code changed in jenkins
          User: Oliver Gondža
          Path:
          core/src/main/java/hudson/model/Fingerprint.java
          core/src/test/java/hudson/model/FingerprintTest.java
          http://jenkins-ci.org/commit/jenkins/8ba59197e4d44444631c9cf2570749d49f25a724
          Log:
          Merge pull request #2049 from pjanouse/JENKINS-33037

          [FIXED JENKINS-33037] Fixed malformed ranges in RangeSet.fromString()

          scm_issue_link SCM/JIRA link daemon made changes -
          Resolution Fixed [ 1 ]
          Status Open [ 1 ] Resolved [ 5 ]
          dogfood dogfood added a comment -

          Integrated in jenkins_main_trunk #4509
          JENKINS-33037 Fixed malformed ranges in RangeSet.fromString() (Revision c1621a2bd09533f874c4aff9d193c334ee97078d)

          Result = SUCCESS
          pjanouse : c1621a2bd09533f874c4aff9d193c334ee97078d
          Files :

          • core/src/main/java/hudson/model/Fingerprint.java
          • core/src/test/java/hudson/model/FingerprintTest.java
          rtyler R. Tyler Croy made changes -
          Workflow JNJira [ 168866 ] JNJira + In-Review [ 198485 ]

            People

            Assignee:
            pajasoft Pavel Janoušek
            Reporter:
            pajasoft Pavel Janoušek
            Votes:
            0
            Watchers:
            3
