JENKINS-62036: Issue parsers display incorrect data when message or description contains HTML

All issue parsers in analysis-model extend IssueParser, which needs to parse a stream into a Report made up of Issue instances (among other things). These Issue instances are usually created by extracting text from the console log or other log files. I haven't looked through all 100+ times it is used, but in the vast majority of cases, IssueBuilder.setMessage() is invoked with regex match groups, and those contents are treated as raw HTML (using the Unescaped class). Based on the various issue parsers I've used and looked at, they don't seem to expect HTML, though they can make use of it.

      Thanks to the use of the OWASP Markup Formatter, nothing malicious can be injected, but any supported HTML and special characters will be interpreted as such when parsed from the console log.
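The following is an added illustration of the failure mode described above; it is not code from analysis-model and does not use its API. It assumes Java 17 (records, switch expressions) and uses a hypothetical GCC-style regex parser, `HtmlInLogDemo`, together with two constructed log lines, the second of which has been modified to carry markup the way a tampered log file would. The same regex match group is stored once verbatim (the pattern the issue describes) and once passed through a small HTML escaper, so the two results can be compared side by side.

```java
import java.util.ArrayList;
import java.util.List;
import java.util.function.UnaryOperator;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

// Hypothetical parser for this example only; not part of analysis-model.
public class HtmlInLogDemo {

    // Constructed log lines. The second one stands in for a build log that was
    // edited to contain HTML; a real compiler would not emit these tags.
    static final List<String> LOG = List.of(
        "src/main.c:12: warning: unused variable 'x'",
        "src/main.c:20: warning: use of <b>deprecated</b> function &amp; API");

    // file:line: warning: message  (a common GCC-like shape)
    static final Pattern GCC_LIKE = Pattern.compile("^(.+?):(\\d+): warning: (.+)$");

    record Issue(String file, int line, String message) {}

    /** Escape the characters that change meaning inside HTML text content. */
    static String escapeHtml(String s) {
        StringBuilder out = new StringBuilder(s.length());
        for (char c : s.toCharArray()) {
            switch (c) {
                case '&' -> out.append("&amp;");
                case '<' -> out.append("&lt;");
                case '>' -> out.append("&gt;");
                case '"' -> out.append("&quot;");
                case '\'' -> out.append("&#39;");
                default -> out.append(c);
            }
        }
        return out.toString();
    }

    /**
     * Regex-based parse. The message transform is the only difference between the
     * behaviour reported in the issue (identity: match group used as raw HTML) and
     * the hardened variant (escape before the text is handed to an HTML renderer).
     */
    static List<Issue> parse(List<String> lines, UnaryOperator<String> messageTransform) {
        List<Issue> issues = new ArrayList<>();
        for (String line : lines) {
            Matcher m = GCC_LIKE.matcher(line);
            if (m.matches()) {
                issues.add(new Issue(m.group(1),
                                     Integer.parseInt(m.group(2)),
                                     messageTransform.apply(m.group(3))));
            }
        }
        return issues;
    }

    public static void main(String[] args) {
        // As reported: the tags survive and a renderer would show "deprecated" in bold
        // and turn "&amp;" back into "&".
        for (Issue i : parse(LOG, UnaryOperator.identity())) {
            System.out.println("raw:     " + i.message());
        }
        // Hardened: the renderer shows exactly what was in the log, tags included.
        for (Issue i : parse(LOG, HtmlInLogDemo::escapeHtml)) {
            System.out.println("escaped: " + i.message());
        }
    }
}
```

Running `main` prints the second message once as `use of <b>deprecated</b> function &amp; API` (which an HTML view renders as bold text with a bare ampersand) and once as `use of &lt;b&gt;deprecated&lt;/b&gt; function &amp;amp; API` (which renders as the literal log text). The escaping step is the point: a sanitizer such as the OWASP Markup Formatter blocks dangerous markup but, by design, leaves supported tags in place, so it does not by itself restore the text that was actually in the log.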


Ulli Hafner added a comment -

Do you have an example that is printed incorrectly? I labeled this issue as a newbie-friendly hackfest issue, so an example would be helpful.


Matt Sicker added a comment -

The way I reproduced this issue was to cat a modified log file in a build and then scanned it for issues. I changed some text that I knew would be scanned and parsed to add some HTML which was not escaped.


Assignee: Unassigned
Reporter: Matt Sicker (jvz)