Special Character like the '+' character for single select param, will be escaped to HTML code

      Since Release 2.5 and the implementation of SECURITY-2008 - CVE-2020-2290, we can't use the '+' character in our single select list.

      For example:

      We have an "Active Choices Parameter" with Choice Type "Single Select" to choose a version. Our versions have the format "<version>+build.<counter>".

      The "+" character will be escaped to "+".

      Is it possible, that this is a bug?

          Bruno P. Kinoshita added a comment - I reproduced the issue, but only when the "Groovy Sandbox" option is enabled for the script. Let me take a look at what's going on.

          Bruno P. Kinoshita added a comment - grossmane yup, we are intentionally sanitizing the values returned when the sandbox is enabled, for security.

          We had a CVE in the past where certain values, when not escaped, could lead to security issues on the head node.

          You can disable that by unchecking the sandbox option. The related code is here:

          https://github.com/jenkinsci/active-choices-plugin/blob/75930aed5229e89282df264a079a81fb52d89ff1/src/main/java/org/biouno/unochoice/model/GroovyScript.java#L250
          https://github.com/jenkinsci/active-choices-plugin/blob/75930aed5229e89282df264a079a81fb52d89ff1/src/main/java/org/biouno/unochoice/util/SafeHtmlExtendedMarkupFormatter.java#L77

          Our SafeHtmlExtendedMarkupFormatter is based on RawHtmlMarkupFormatter, which replaces `+` by the escaped code. But Jenkins' default formatter is the EscapedMarkupFormatter. I think we could modify SafeHtmlExtendedMarkupFormatter to be more lenient, like EscapedMarkupFormatter. Just need to figure out how to do that without causing another security CVE bug.
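To make the distinction drawn in the comment above concrete, here is an added example in Python (not code from the Active Choices plugin or from Jenkins) that models the two formatter behaviours side by side: entity escaping of the HTML metacharacters only, which is what Jenkins' default EscapedMarkupFormatter does, against the same escaping plus `+` replaced by its numeric entity `&#43;`, which is assumed here to be the "escaped code" the sandbox path produces. The option strings are constructed, and the tag-whitelisting part of the real sanitizer is not modelled. It shows that both forms neutralize markup in an option value, that only the sanitizer path alters a benign version string such as `1.2.3+build.4`, and that a consumer can get the original back by decoding the entities.

```python
import html

# Constructed sample option values, as an Active Choices Groovy script might return them.
SAMPLE_OPTIONS = [
    "1.2.3+build.4",                    # the reporter's "<version>+build.<counter>" format
    "2.0.0+build.17",
    '<img src=x onerror="alert(1)">',   # active markup that any formatter must neutralize
    'plain "quoted" option & more',     # other HTML metacharacters in a benign value
]


def escaped_markup(value: str) -> str:
    """Model of Jenkins' default EscapedMarkupFormatter: entity-escape only the
    HTML metacharacters (& < > " ') and leave every other character, '+'
    included, untouched."""
    return html.escape(value, quote=True)


def sanitized_markup(value: str) -> str:
    """Model of the sandbox path (SafeHtmlExtendedMarkupFormatter on top of
    RawHtmlMarkupFormatter) as the comment describes it: the same entity
    escaping, plus '+' replaced by its numeric entity &#43; (assumed to be the
    "escaped code" the comment refers to). The real sanitizer also applies a
    tag whitelist; that part is not modelled here."""
    return html.escape(value, quote=True).replace("+", "&#43;")


def is_neutralized(rendered: str) -> bool:
    """The check a defender cares about: no raw tag delimiters survive, so the
    option text cannot open a new element when inserted into the page."""
    return "<" not in rendered and ">" not in rendered


def recover_value(rendered: str) -> str:
    """What a consumer must do to get the original option text back from the
    sanitized form: decode the entities (this turns &#43; back into '+')."""
    return html.unescape(rendered)


def compare_formatters(options):
    """Return {value: (escaped, sanitized, unchanged_by_escaper, unchanged_by_sanitizer)}
    so the caller can see which formatter alters a benign option value."""
    result = {}
    for value in options:
        e, s = escaped_markup(value), sanitized_markup(value)
        result[value] = (e, s, e == value, s == value)
    return result


if __name__ == "__main__":
    for value, (e, s, same_e, same_s) in compare_formatters(SAMPLE_OPTIONS).items():
        print(f"{value!r}")
        print(f"  escaped  : {e!r} (unchanged={same_e})")
        print(f"  sanitized: {s!r} (unchanged={same_s})")
```

Run as a script, the version strings come through the escaper unchanged but pick up `&#43;` on the sanitizer path, while the `<img ...>` value is rendered inert by both; `recover_value` is the decoding step a job would need if it consumed the sanitized form verbatim.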

            kinow Bruno P. Kinoshita
            grossmane Jens