Jenkins / JENKINS-64982

Special characters like the '+' character for a single select param will be escaped to HTML code

Description

Since release 2.5 and the implementation of SECURITY-2008 (CVE-2020-2290), we can't use the '+' character in our single select list.

      For example:

We have an "Active Choices Parameter" with Choice Type "Single Select" to choose a version. Our versions have the format "<version>+build.<counter>".

The "+" character will be escaped to "+".

      Is it possible, that this is a bug?


          Activity

kinow Bruno P. Kinoshita added a comment -

I reproduced the issue, but only when the "Groovy Sandbox" option is enabled for the script. Let me take a look at what's going on.

kinow Bruno P. Kinoshita added a comment -

Jens, yup, we are intentionally sanitizing the values returned when the sandbox is enabled for security.

We had a CVE in the past where certain values, when not escaped, could lead to security issues in the head node.

You can disable that by unchecking the sandbox option. The code related is here:

https://github.com/jenkinsci/active-choices-plugin/blob/75930aed5229e89282df264a079a81fb52d89ff1/src/main/java/org/biouno/unochoice/model/GroovyScript.java#L250
https://github.com/jenkinsci/active-choices-plugin/blob/75930aed5229e89282df264a079a81fb52d89ff1/src/main/java/org/biouno/unochoice/util/SafeHtmlExtendedMarkupFormatter.java#L77

Our SafeHtmlExtendedMarkupFormatter is based on RawHtmlMarkupFormatter, which replaces `+` by the escaped code. But Jenkins' default formatter is the EscapedMarkupFormatter. I think we could modify SafeHtmlExtendedMarkupFormatter to be more lenient, like EscapedMarkupFormatter. Just need to figure out how to do that without causing another security CVE bug.
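The difference the comment above describes (a plain HTML escaper leaves '+' alone, while a sanitizing formatter entity-encodes it, which is what the reporter sees as a garbled version string) is illustrated by the following added example. It is not code from the Active Choices plugin or from Jenkins: `escape_like_default` stands in for the behaviour attributed to EscapedMarkupFormatter and `sanitize_like_strict_policy` is a toy allow-list sanitizer standing in for the class of behaviour attributed to SafeHtmlExtendedMarkupFormatter; the sample values are constructed. The `altered_plain_text` check is the kind of regression test a maintainer could keep around when loosening a sanitizer: markup-free parameter values must come out byte-identical, because downstream build steps consume them as plain text and never HTML-decode them.

```python
import html
import re

# Constructed sample values (not from the issue): a version of the form
# "<version>+build.<counter>" as in the report, a plain version, and a markup payload.
SAMPLE_VALUES = ["1.4.2+build.17", "2.0.0", "<b>2.0.0</b>"]


def escape_like_default(value: str) -> str:
    """Plain HTML escaping: only &, <, >, " and ' are rewritten.
    Stand-in for the behaviour attributed to Jenkins' EscapedMarkupFormatter
    in the comment above; an assumption, not the Jenkins implementation."""
    return html.escape(value, quote=True)


def sanitize_like_strict_policy(value: str) -> str:
    """Toy allow-list sanitizer: drops tags outright and entity-encodes every
    character outside a conservative set, so '+' becomes '&#43;'.
    Illustrates the class of behaviour described for
    SafeHtmlExtendedMarkupFormatter; it is not the plugin's code."""
    text = re.sub(r"<[^>]*>", "", value)
    safe = set(" .-_")
    return "".join(
        c if (c.isalnum() or c in safe) else f"&#{ord(c)};" for c in text
    )


def altered_plain_text(values, formatter):
    """Return the markup-free values whose text is changed by `formatter`.
    A parameter value is consumed as plain text by the build, so any change
    here is a functional regression (the '+' case from the report), whereas
    values containing markup are expected to change."""
    return [
        v for v in values
        if "<" not in v and ">" not in v and formatter(v) != v
    ]


def decodes_back(value: str, formatter) -> bool:
    """Entity-encoding is lossless: a consumer that HTML-decodes the value
    recovers the original. The bug is that build steps do not decode it."""
    return html.unescape(formatter(value)) == value


def compare(values=SAMPLE_VALUES):
    """Side-by-side result of both formatters for each sample value."""
    return {
        v: {
            "escaped": escape_like_default(v),
            "sanitized": sanitize_like_strict_policy(v),
        }
        for v in values
    }


if __name__ == "__main__":
    for value, result in compare().items():
        print(f"{value!r:22} escape -> {result['escaped']!r:24} "
              f"sanitize -> {result['sanitized']!r}")
    print("regressions with escape   :",
          altered_plain_text(SAMPLE_VALUES, escape_like_default))
    print("regressions with sanitizer:",
          altered_plain_text(SAMPLE_VALUES, sanitize_like_strict_policy))
```

Run as a script it prints the two outputs for each sample and then the regression lists: empty for the plain escaper, `['1.4.2+build.17']` for the sanitizer. Note that both formatters neutralise the `<b>` payload; the escaper does so by making the markup inert text, the sanitizer by removing it, so "more lenient" in the comment means relaxing what happens to characters that are not HTML-special, not reinstating raw markup.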

People

Assignee: kinow Bruno P. Kinoshita
Reporter: grossmane Jens
Votes: 0
Watchers: 2