
hudson.model.Fingerprint.RangeSet.fromString(...) accepts malformed ranges


    Details

    • Type: Bug
    • Status: Resolved
    • Priority: Minor
    • Resolution: Fixed
    • Component/s: core
    • Labels: None

      Description

      hudson.model.Fingerprint.RangeSet.fromString(...) accepts malformed strings which don't represent any range, such as:

      • "1--5" or "1------5"
      • "1,,5" or "1,,,,,,,5"
      • "1-5-"
      • ",-,"
      • "1-"
      • ",1,2"
      • "5-1" etc.

      Proposed fix:
      We should be very rigid and careful about input validation because this function is directly utilized from e.g. the AbstractBuildRangeCommand class, where the user input string is passed directly without any validation.
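The following is an added example, not Jenkins' own code: a hypothetical StrictRangeSet class (its name, its Range type and the exact grammar it accepts are assumptions) shows what the rigid validation proposed above looks like. It accepts only digits, single hyphens and single commas, with no whitespace, and rejects every malformed form listed in the report, including the backwards "5-1".

```java
import java.util.ArrayList;
import java.util.Collections;
import java.util.List;

/**
 * Strict parser for build-number range specifications such as "1-5,7,10-12".
 * Hypothetical stand-in for hudson.model.Fingerprint.RangeSet.fromString(...);
 * this is NOT Jenkins' own code. Grammar accepted (no whitespace, no empty items):
 *   spec   := item ("," item)*
 *   item   := number | number "-" number      with start <= end
 *   number := digit+
 */
public final class StrictRangeSet {

    /** An inclusive range [start, end]; a single number is the range [n, n]. */
    public static final class Range {
        public final int start;
        public final int end;
        Range(int start, int end) { this.start = start; this.end = end; }
        @Override public String toString() {
            return start == end ? Integer.toString(start) : start + "-" + end;
        }
    }

    public static List<Range> parse(String spec) {
        if (spec == null || spec.isEmpty()) {
            throw new IllegalArgumentException("empty range specification");
        }
        List<Range> result = new ArrayList<>();
        // limit -1 keeps empty tokens, so ",1,2", "1,,5" and "1," are all caught below
        for (String item : spec.split(",", -1)) {
            result.add(parseItem(item, spec));
        }
        return Collections.unmodifiableList(result);
    }

    private static Range parseItem(String item, String spec) {
        String[] bounds = item.split("-", -1);      // "1--5" -> ["1", "", "5"], "1-5-" -> ["1", "5", ""]
        if (bounds.length > 2) {
            throw malformed(spec, "item '" + item + "' has more than one '-'");
        }
        int start = parseNumber(bounds[0], spec);
        int end = bounds.length == 2 ? parseNumber(bounds[1], spec) : start;
        if (start > end) {
            throw malformed(spec, "item '" + item + "' runs backwards");
        }
        return new Range(start, end);
    }

    private static int parseNumber(String text, String spec) {
        if (text.isEmpty()) {
            throw malformed(spec, "empty number (doubled or dangling ',' or '-')");
        }
        for (int i = 0; i < text.length(); i++) {
            char c = text.charAt(i);
            if (c < '0' || c > '9') {               // rejects whitespace, '+', and any other non-digit
                throw malformed(spec, "non-digit character '" + c + "'");
            }
        }
        try {
            return Integer.parseInt(text);
        } catch (NumberFormatException e) {         // only an overflowing digit string can reach here
            throw malformed(spec, "number '" + text + "' is too large");
        }
    }

    private static IllegalArgumentException malformed(String spec, String why) {
        return new IllegalArgumentException("malformed range '" + spec + "': " + why);
    }

    public static void main(String[] args) {
        System.out.println(parse("1-5,7,10-12"));   // prints [1-5, 7, 10-12]
        // Every malformed form listed in the report, plus two extra constructed cases, is rejected:
        String[] bad = {"1--5", "1------5", "1,,5", "1,,,,,,,5", "1-5-", ",-,", "1-", ",1,2", "5-1", "", " 1-5"};
        for (String s : bad) {
            try {
                parse(s);
                System.out.println("UNEXPECTEDLY ACCEPTED: '" + s + "'");
            } catch (IllegalArgumentException e) {
                System.out.println("rejected: " + e.getMessage());
            }
        }
    }
}
```

Run main() to see the valid specification parsed and each malformed one rejected with a message naming the offending part. Before tightening the real fromString(...) this way, check what the existing parser and its callers (such as AbstractBuildRangeCommand) already treat as valid, for instance whether surrounding whitespace is tolerated, so that the stricter grammar rejects only input that never denoted a range.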


          Activity

          pajasoft (Pavel Janoušek) created the issue.

          pajasoft (Pavel Janoušek) changed the Description. Original value:
          hudson.model.Fingerprint.RangeSet.fromString(...) accepts a string range specification like "1--3", "1,,15" etc. Hyphen and comma can be repeated more times (like "1------10", "1,,,,,,,10").

          Proposed fix:
          We should reject any either "--" or ",," from the input.
          New value: the same text, with the method name set in monospace.

          pajasoft (Pavel Janoušek) changed the Description. New value:
          hudson.model.Fingerprint.RangeSet.fromString(...) accepts a malformed form of string which doesn't represent any range like:
          • "1--5" or "1------5"
          • "1,,5" or "1,,,,,,,5"
          • "1-5-"
          • "5-1" etc.

          Proposed fix:
          We should be very rigid and careful in input validation because this function is directly utilized from e.g. AbstractBuildRangeCommand where user input string is passed directly without any validation.

          pajasoft (Pavel Janoušek) changed the Description. New value:
          hudson.model.Fingerprint.RangeSet.fromString(...) accepts a malformed form of string which doesn't represent any range like:
          • "1--5" or "1------5"
          • "1,,5" or "1,,,,,,,5"
          • "1-5-"
          • ",-,"
          • "1-"
          • "5-1" etc.

          Proposed fix:
          We should be very rigid and careful in input validation because this function is directly utilized from e.g. AbstractBuildRangeCommand where user input string is passed directly without any validation.

          pajasoft (Pavel Janoušek) changed the Description. New value:
          hudson.model.Fingerprint.RangeSet.fromString(...) accepts a malformed form of string which doesn't represent any range like:
          • "1--5" or "1------5"
          • "1,,5" or "1,,,,,,,5"
          • "1-5-"
          • ",-,"
          • "1-"
          • ",1,2"
          • "5-1" etc.

          Proposed fix:
          We should be very rigid and careful in input validation because this function is directly utilized from e.g. AbstractBuildRangeCommand where user input string is passed directly without any validation.

          pajasoft (Pavel Janoušek) changed the Description. New value:
          hudson.model.Fingerprint.RangeSet.fromString(...) accepts a malformed form of string which doesn't represent any range like:
          • "1--5" or "1------5"
          • "1,,5" or "1,,,,,,,5"
          • "1-5-"
          • ",-,"
          • "1-"
          • ",1,2"
          • "5-1" etc.

          Proposed fix:
          We should be very rigid and careful of input validation because this function is directly utilized from e.g. AbstractBuildRangeCommand class where user input string is passed directly without any validation.

          scm_issue_link (SCM/JIRA link daemon) made changes:
          Resolution: (none) → Fixed [1]
          Status: Open [1] → Resolved [5]

          rtyler (R. Tyler Croy) made changes:
          Workflow: JNJira [168866] → JNJira + In-Review [198485]

            People

            Assignee: pajasoft (Pavel Janoušek)
            Reporter: pajasoft (Pavel Janoušek)
            Votes: 0
            Watchers: 3
