Merge pull request #22 from ikedam/feature/JENKINS-42902_htmlEscape
[JENKINS-42902] Sanitize names and descriptions
ikedam committed Jun 3, 2017
2 parents 3b978da + cabe08a commit 92487b29478c8b2cf296889cb25c5292f2b9dc55
35 pom.xml
@@ -21,9 +21,9 @@
</scm>

<properties>
<jenkins.version>1.509</jenkins.version>
<jenkins-test-harness.version>1.509</jenkins-test-harness.version>
<java.level>5</java.level>
<jenkins.version>1.532</jenkins.version> <!-- ParameterDefinition#getFormattedDescription is since 1.520 -->
<jenkins-test-harness.version>1.532</jenkins-test-harness.version>
<java.level>6</java.level>
</properties>

<repositories>
@@ -66,35 +66,6 @@
<forkCount>1</forkCount>
</configuration>
</plugin>
<plugin>
<artifactId>maven-enforcer-plugin</artifactId>
<executions>
<execution>
<id>display-info</id>
<configuration>
<rules>
<bannedDependencies>
<excludes>
<!-- <exclude>org.sonatype.sisu:sisu-guice</exclude> -->
<exclude>log4j:log4j:*:jar:compile</exclude>
<exclude>log4j:log4j:*:jar:runtime</exclude>
<exclude>commons-logging:commons-logging:*:jar:compile</exclude>
<exclude>commons-logging:commons-logging:*:jar:runtime</exclude>
</excludes>
</bannedDependencies>
<enforceBytecodeVersion>
<excludes combine.children="append">
<exclude>com.sonyericsson.hudson.plugins.rebuild:rebuild</exclude>
<!-- dependencies via jenkins-core-1.509 -->
<exclude>org.mindrot:jbcrypt</exclude>
<exclude>org.kohsuke:asm3</exclude>
</excludes>
</enforceBytecodeVersion>
</rules>
</configuration>
</execution>
</executions>
</plugin>
</plugins>
</build>
</project>
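Review bot: The maven-enforcer-plugin execution with its `bannedDependencies` rule (log4j and commons-logging) and the `enforceBytecodeVersion` exclusions is printed once and the second hunk shrinks from 35 to 6 lines, so it appears to be removed entirely, although the commit message only mentions sanitizing names and descriptions. The bytecode exclusions were annotated as `dependencies via jenkins-core-1.509` and are plausibly obsolete after the bump to 1.532, but the logging bans are a supply-chain guard unrelated to the core version. I would keep the execution with just the `bannedDependencies` rule, or state in the commit message why the whole check goes. The `java.level` change from 5 to 6 is a consumer-visible compatibility change that the description should also mention.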
@@ -23,17 +23,22 @@
*/
package hudson.plugins.matrix_configuration_parameter;

import java.io.IOException;
import java.util.ArrayList;
import java.util.Collections;
import java.util.List;
import java.util.logging.Level;
import java.util.logging.Logger;

import javax.annotation.Nonnull;

import hudson.markup.MarkupFormatter;
import hudson.matrix.AxisList;
import hudson.matrix.Combination;
import hudson.model.*;

import hudson.util.VariableResolver;
import jenkins.model.Jenkins;

import org.apache.commons.lang.StringUtils;
import org.kohsuke.stapler.DataBoundConstructor;
@@ -45,6 +50,8 @@
public class MatrixCombinationsParameterValue extends ParameterValue {
private static final long serialVersionUID = 1L;

private static final Logger LOGGER = Logger.getLogger(MatrixCombinationsParameterValue.class.getName());

private List<String> combinations;

@Deprecated
@@ -186,4 +193,25 @@ public String toString() {
}
return valueStr.toString();
}

/**
* return parameter description, applying the configured {@link MarkupFormatter} for jenkins instance.
*
* This is a backport from Jenkins-2.44 or Jenkins-2.32.2.
*
* @since 1.2.0
*/
public String getFormattedDescription() {
try {
return Jenkins.getInstance().getMarkupFormatter().translate(getDescription());
} catch (IOException e) {
LOGGER.log(
Level.WARNING,
"failed to translate description using configured markup formatter: {0}",
getDescription()
);
return "";
}
}

}
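Review bot: The `catch (IOException e)` in `getFormattedDescription` (last hunk) logs the description but drops `e`: the `log(Level, String, Object)` overload treats the third argument as a message parameter, so the cause of the failure never reaches the log. Use the throwable overload, e.g. `LOGGER.log(Level.WARNING, "failed to translate description using configured markup formatter: " + getDescription(), e);`. Returning `""` on failure is the right fail-closed choice, since the view scripts render this value with `f:entry` escaping disabled; a one-line comment saying so would stop someone from "fixing" it to return the raw description. The description is user-controlled, so also consider whether it belongs verbatim in a WARNING log line at all.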
@@ -29,7 +29,7 @@ THE SOFTWARE.
<f:textbox field="name" />
</f:entry>
<f:entry title="${%Description}" help="/help/parameter/description.html">
<f:textarea field="description" />
<f:textarea field="description" previewEndpoint="/markupFormatter/previewDescription" />
</f:entry>
<f:advanced>
<f:entry field="defaultCombinationFilter" title="${%Default Filter}">
@@ -23,7 +23,8 @@ String nameIt = it.getName();
MatrixProject project = request.findAncestorObject(MatrixProject.class);
if (project == null) {
//in case project is not a Matrix Project
f.entry(title: nameIt, description: it.getDescription()) {
set("escapeEntryTitleAndDescription", false);
f.entry(title: h.escape(nameIt), description: it.formattedDescription) {
div(name: "parameter") {
input(type: "hidden", name: "name", value: nameIt)
text(_("Not applicable. Applicable only to multi-configuration projects."))
@@ -46,7 +47,8 @@ Layouter layouter = new Layouter<Combination>(axes) {
drawMainBody(paramDef, f, nameIt, axes, project, project.lastBuild, layouter)

private void drawMainBody(MatrixCombinationsParameterDefinition paramDef, Namespace f, String nameIt, AxisList axes,MatrixProject project,MatrixBuild build,Layouter layouter) {
f.entry(title: nameIt, description: it.getDescription()) {
set("escapeEntryTitleAndDescription", false);
f.entry(title: h.escape(nameIt), description: it.formattedDescription) {
div(name: "parameter", class: "matrix-combinations-parameter") {
input(type: "hidden", name: "name", value: nameIt)
nsProject.matrix(it: project, layouter: layouter) {
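Review bot: `set("escapeEntryTitleAndDescription", false)` turns off the `f:entry` tag's own escaping for both title and description, so the safety of these entries now rests on the title staying wrapped in `h.escape(nameIt)` and the description coming from `formattedDescription`; nothing in the code records that, and a later edit passing `nameIt` directly would reintroduce the injection this commit fixes. I would put a comment above each `set(...)`: `// f:entry escaping is off so the MarkupFormatter output renders as HTML; the title MUST stay inside h.escape()`. As far as I can tell the flag is a Jelly context variable that remains set for whatever the rest of the script renders afterwards (including the `nsProject.matrix(...)` body), so check that nothing later relies on the default escaping. Both enclosing bodies (the `project == null` branch and `drawMainBody`) continue outside the hunk.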
@@ -24,7 +24,8 @@ MatrixProject project = request.findAncestorObject(MatrixProject.class);
MatrixBuild build = request.findAncestorObject(MatrixBuild.class);
if (project == null || build == null) {
//in case you are looking at a specific run, MatrixRun Ancestor will replace the MatrixBuild
f.entry(title: valueIt.getName(), description: it.getDescription()) {
set("escapeEntryTitleAndDescription", false);
f.entry(title: h.escape(valueIt.name), description: it.formattedDescription) {
// In the case the parameter is not defined in this project,
// sending parameters cause rebuild-plugin throws exception.
// Acts as if I'm not here.
@@ -49,7 +50,8 @@ drawParameterBody(parameterDefinition, f, valueIt, axes, project, build, layoute


private void drawParameterBody(MatrixCombinationsParameterDefinition paramDef, Namespace f,valueIt,AxisList axes,MatrixProject project,MatrixBuild build,Layouter layouter) {
f.entry(title: valueIt.getName(), description: it.getDescription()) {
set("escapeEntryTitleAndDescription", false);
f.entry(title: h.escape(valueIt.name), description: it.formattedDescription) {
div(name: "parameter", class: "matrix-combinations-parameter") {
input(type: "hidden", name: "name", value: valueIt.getName())
nsProject.matrix(it: build, layouter: layouter) {
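Review bot: The pair `set("escapeEntryTitleAndDescription", false)` followed by `f.entry(title: h.escape(valueIt.name), description: it.formattedDescription)` appears twice in this script and in the same shape in the other view scripts of this commit, so the one security-relevant escaping decision lives in six places. A small closure per script, e.g. `def safeEntry = { String name, String descr, Closure body -> set("escapeEntryTitleAndDescription", false); f.entry(title: h.escape(name), description: descr, body) }`, would keep it in one spot per file; confirm that this builder accepts the body closure as a trailing argument before adopting it. Both enclosing functions continue outside the hunk.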
@@ -20,7 +20,8 @@ MatrixProject project = request.findAncestorObject(MatrixProject.class);
MatrixBuild build = request.findAncestorObject(MatrixBuild.class);
if (project == null || build == null) {
//in case you are looking at a specific run, MatrixRun Ancestor will replace the MatrixBuild
f.entry(title: valueIt.getName(), description: it.getDescription()) {
set("escapeEntryTitleAndDescription", false);
f.entry(title: h.escape(valueIt.name), description: it.formattedDescription) {
div(name: "parameter") {
input(type: "hidden", name: "name", value: valueIt.getName())
text(_("Not applicable. Applicable only to multi-configuration projects."))
@@ -40,7 +41,8 @@ drawParameterBody(f, valueIt, axes, project, build, layouter);


private void drawParameterBody(Namespace f,MatrixCombinationsParameterValue valueIt,AxisList axes,MatrixProject project,MatrixBuild build,Layouter layouter) {
f.entry(title: valueIt.getName(), description: it.getDescription()) {
set("escapeEntryTitleAndDescription", false);
f.entry(title: h.escape(valueIt.name), description: it.formattedDescription) {
div(name: "parameter", class: "matrix-combinations-parameter") {
input(type: "hidden", name: "name", value: valueIt.getName())
nsProject.matrix(it: build, layouter: layouter) {
@@ -40,6 +40,7 @@
import hudson.model.queue.QueueTaskFuture;
import hudson.model.Result;

import org.junit.Assume;
import org.junit.Rule;
import org.junit.Test;
import org.jvnet.hudson.test.Bug;
@@ -616,4 +617,46 @@ public void testBuildWithParameters() throws Exception {
assertNull(b.getExactRun(new Combination(axes, "value2")));
assertNotNull(b.getExactRun(new Combination(axes, "value3")));
}

@Issue("JENKINS-42902")
@Test
public void testSafeTitle() throws Exception {
AxisList axes = new AxisList(new TextAxis("axis1", "value1", "value2", "value3"));
MatrixProject p = j.createMatrixProject();
p.setAxes(axes);
p.addProperty(new ParametersDefinitionProperty(
new MatrixCombinationsParameterDefinition(
"<span id=\"test-not-expected\">combinations</span>",
""
)
));

WebClient wc = j.createAllow405WebClient();
HtmlPage page = wc.getPage(p, "build");

assertNull(page.getElementById("test-not-expected"));
}

@Issue("JENKINS-42902")
@Test
public void testSafeDescription() throws Exception {
Assume.assumeNotNull(j.jenkins.getMarkupFormatter());

AxisList axes = new AxisList(new TextAxis("axis1", "value1", "value2", "value3"));
MatrixProject p = j.createMatrixProject();
p.setAxes(axes);
p.addProperty(new ParametersDefinitionProperty(
new MatrixCombinationsParameterDefinition(
"combinations",
"<span id=\"test-expected\">blahblah</span>"
+ "<script id=\"test-not-expected\"></script>"
)
));

WebClient wc = j.createAllow405WebClient();
HtmlPage page = wc.getPage(p, "build");

assertNotNull(page.getElementById("test-expected"));
assertNull(page.getElementById("test-not-expected"));
}
}
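Review bot: `Assume.assumeNotNull(j.jenkins.getMarkupFormatter())` in `testSafeDescription` only guards against a null formatter, while the assertions that follow (`test-expected` present, `test-not-expected` absent) hold only for a sanitizing formatter that keeps `<span>` and strips `<script>`; under an escaping formatter the span is rendered as text, `getElementById("test-expected")` returns null and the test fails instead of being skipped. Configure the formatter the test depends on explicitly at the top of the test, e.g. `j.jenkins.setMarkupFormatter(...)` with the sanitizing implementation available on this core line, or make the `Assume` check its type rather than non-null. `testSafeTitle` is independent of the formatter, so a short comment there noting that the name is protected by `h.escape` in the view, not by the formatter, would help readers of the pair.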
@@ -25,6 +25,7 @@
package hudson.plugins.matrix_configuration_parameter;

import static org.junit.Assert.assertEquals;
import static org.junit.Assert.assertNotNull;
import static org.junit.Assert.assertNull;

import java.util.Arrays;
@@ -41,9 +42,11 @@
import hudson.model.ParametersDefinitionProperty;
import jenkins.model.Jenkins;

import org.junit.Assume;
import org.junit.Rule;
import org.junit.Test;
import org.jvnet.hudson.test.Bug;
import org.jvnet.hudson.test.Issue;
import org.jvnet.hudson.test.JenkinsRule.WebClient;

import com.gargoylesoftware.htmlunit.html.HtmlPage;
@@ -174,4 +177,50 @@ public void testReadResolveOfDefaultMatrixCombinationsParameterValue() throws Ex
v.getCombinationFilter()
);
}

@Issue("JENKINS-42902")
@Test
public void testSafeTitle() throws Exception {
AxisList axes = new AxisList(new TextAxis("axis1", "value1", "value2", "value3"));
MatrixProject p = j.createMatrixProject();
p.setAxes(axes);
p.addProperty(new ParametersDefinitionProperty(
new MatrixCombinationsParameterDefinition(
"<span id=\"test-not-expected\">combinations</span>",
""
)
));

MatrixBuild b = j.assertBuildStatusSuccess(p.scheduleBuild2(0).get());

WebClient wc = j.createWebClient();
HtmlPage page = wc.getPage(b, "parameters");

assertNull(page.getElementById("test-not-expected"));
}

@Issue("JENKINS-42902")
@Test
public void testSafeDescription() throws Exception {
Assume.assumeNotNull(j.jenkins.getMarkupFormatter());

AxisList axes = new AxisList(new TextAxis("axis1", "value1", "value2", "value3"));
MatrixProject p = j.createMatrixProject();
p.setAxes(axes);
p.addProperty(new ParametersDefinitionProperty(
new MatrixCombinationsParameterDefinition(
"combinations",
"<span id=\"test-expected\">blahblah</span>"
+ "<script id=\"test-not-expected\"></script>"
)
));

MatrixBuild b = j.assertBuildStatusSuccess(p.scheduleBuild2(0).get());

WebClient wc = j.createWebClient();
HtmlPage page = wc.getPage(b, "parameters");

assertNotNull(page.getElementById("test-expected"));
assertNull(page.getElementById("test-not-expected"));
}
}
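Review bot: `testSafeTitle` and `testSafeDescription` here are, apart from the page fetched (`parameters`), line-for-line copies of the pair added to the other test classes in this commit, including the axis list and the parameter definitions. Moving the project setup into the shared rule — e.g. `MatrixProject createProjectWithParameter(String name, String description)` on the `j` rule object that already provides `createMatrixProject` — would leave each test with the fetch and the two assertions. Also, `Assume.assumeNotNull(j.jenkins.getMarkupFormatter())` checks only for null, not for the sanitizing behavior (`<span>` kept, `<script>` dropped) that the assertions encode, so the precondition should be pinned explicitly.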
@@ -41,9 +41,11 @@
import hudson.model.Result;
import hudson.model.StringParameterValue;

import org.junit.Assume;
import org.junit.Rule;
import org.junit.Test;
import org.jvnet.hudson.test.Bug;
import org.jvnet.hudson.test.Issue;
import org.jvnet.hudson.test.JenkinsRule.WebClient;

import com.gargoylesoftware.htmlunit.html.HtmlForm;
@@ -217,4 +219,50 @@ public void testShortcut() throws Exception {
j.assertCombinationChecked(page, true, axes, "value2");
j.assertCombinationChecked(page, false, axes, "value3");
}

@Issue("JENKINS-42902")
@Test
public void testSafeTitle() throws Exception {
AxisList axes = new AxisList(new TextAxis("axis1", "value1", "value2", "value3"));
MatrixProject p = j.createMatrixProject();
p.setAxes(axes);
p.addProperty(new ParametersDefinitionProperty(
new MatrixCombinationsParameterDefinition(
"<span id=\"test-not-expected\">combinations</span>",
""
)
));

MatrixBuild b = j.assertBuildStatusSuccess(p.scheduleBuild2(0).get());

WebClient wc = j.createWebClient();
HtmlPage page = wc.getPage(b, "rebuild");

assertNull(page.getElementById("test-not-expected"));
}

@Issue("JENKINS-42902")
@Test
public void testSafeDescription() throws Exception {
Assume.assumeNotNull(j.jenkins.getMarkupFormatter());

AxisList axes = new AxisList(new TextAxis("axis1", "value1", "value2", "value3"));
MatrixProject p = j.createMatrixProject();
p.setAxes(axes);
p.addProperty(new ParametersDefinitionProperty(
new MatrixCombinationsParameterDefinition(
"combinations",
"<span id=\"test-expected\">blahblah</span>"
+ "<script id=\"test-not-expected\"></script>"
)
));

MatrixBuild b = j.assertBuildStatusSuccess(p.scheduleBuild2(0).get());

WebClient wc = j.createWebClient();
HtmlPage page = wc.getPage(b, "rebuild");

assertNotNull(page.getElementById("test-expected"));
assertNull(page.getElementById("test-not-expected"));
}
}
