From 007d058f0de13082f66aeba135aec445f3b5f6a4 Mon Sep 17 00:00:00 2001
From: James Nord
Date: Wed, 12 Oct 2022 22:12:58 +0200
Subject: [PATCH] [SECURITY-2828]

(cherry picked from commit cee275109ee748fa9f599ec60159807a28a2933f)
---
 .../com/cloudbees/workflow/rest/endpoints/RunAPI.java | 10 +++++++++-
 .../workflow/rest/external/PendingInputActionsExt.java | 3 ++-
 2 files changed, 11 insertions(+), 2 deletions(-)

diff --git a/rest-api/src/main/java/com/cloudbees/workflow/rest/endpoints/RunAPI.java b/rest-api/src/main/java/com/cloudbees/workflow/rest/endpoints/RunAPI.java
index 1c3087a9..4f8b1b01 100644
--- a/rest-api/src/main/java/com/cloudbees/workflow/rest/endpoints/RunAPI.java
+++ b/rest-api/src/main/java/com/cloudbees/workflow/rest/endpoints/RunAPI.java
@@ -45,6 +45,10 @@
 import org.kohsuke.stapler.interceptor.RequirePOST;
 
 import javax.servlet.ServletException;
+import java.io.UnsupportedEncodingException;
+import java.net.URLEncoder;
+import java.nio.charset.Charset;
+import java.nio.charset.StandardCharsets;
 import java.util.ArrayList;
 import java.util.List;
 import java.util.concurrent.TimeoutException;
@@ -85,7 +89,11 @@ public static String getArtifactsUrl(WorkflowRun run) {
     }
 
     public static String getInputStepSubmitUrl(WorkflowRun run, String inputId) {
-        return getUrl(run) + "inputSubmit?inputId=" + inputId;
+        try {
+            return getUrl(run) + "inputSubmit?inputId=" + URLEncoder.encode(inputId, StandardCharsets.UTF_8.name());
+        } catch (UnsupportedEncodingException e) {
+            throw new AssertionError("UTF-8 is a mandated charset, yet the JVM does not provide support for it", e);
+        }
     }
 
     public static String getArtifactUrl(WorkflowRun run, Run.Artifact artifact) {
diff --git a/rest-api/src/main/java/com/cloudbees/workflow/rest/external/PendingInputActionsExt.java b/rest-api/src/main/java/com/cloudbees/workflow/rest/external/PendingInputActionsExt.java
index 3c77c964..2a6d1d02 100644
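Review bot: `import java.nio.charset.Charset;` is added in the import hunk but nothing in this patch references `Charset` — the new code in getInputStepSubmitUrl only uses `StandardCharsets.UTF_8.name()`. Unless it is consumed elsewhere in RunAPI.java (not visible in this diff), drop that line so the security fix does not also land an unused import that Checkstyle or Error Prone would flag. The other three added imports are all used by the new method body.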
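Review bot: The encoding choice in getInputStepSubmitUrl deserves a comment, because it deliberately differs from the path-segment encoding the same commit applies to the abort URL in PendingInputActionsExt: `URLEncoder.encode` produces application/x-www-form-urlencoded output (a space becomes `+`, which is only decoded correctly inside a query component), so this result must never be reused to build a path segment. Suggest adding above the `try`: `// inputId is caller-controlled: form-encode it so '&', '=', '#' and '/' cannot break out of the query parameter. Query component only — use Util.rawEncode for path segments.` If the plugin's Java baseline is 10 or later, `URLEncoder.encode(inputId, StandardCharsets.UTF_8)` has no checked exception and the catch/`AssertionError` block can go; on a Java 8 baseline the current form is the right one. A unit test asserting that an id such as `a b&x=1/..#y` comes back as a single `inputId` parameter value would pin the fix against regression.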
--- a/rest-api/src/main/java/com/cloudbees/workflow/rest/external/PendingInputActionsExt.java
+++ b/rest-api/src/main/java/com/cloudbees/workflow/rest/external/PendingInputActionsExt.java
@@ -26,6 +26,7 @@
 import com.cloudbees.workflow.rest.endpoints.RunAPI;
 import com.cloudbees.workflow.util.ModelUtil;
 import com.fasterxml.jackson.annotation.JsonInclude;
+import hudson.Util;
 import hudson.model.ParameterDefinition;
 import org.jenkinsci.plugins.workflow.job.WorkflowRun;
 import org.jenkinsci.plugins.workflow.support.steps.input.InputAction;
@@ -117,7 +118,7 @@ public static PendingInputActionsExt create(InputStepExecution inputStepExecutio
         String runUrl = ModelUtil.getFullItemUrl(run.getUrl());
         inputActionExt.setInputs(getInputParams(inputId, run));
         inputActionExt.setProceedUrl(RunAPI.getInputStepSubmitUrl(run, inputId));
-        inputActionExt.setAbortUrl(runUrl + "input/" + inputId + "/abort");
+        inputActionExt.setAbortUrl(runUrl + "input/" + Util.rawEncode(inputId) + "/abort");
         inputActionExt.setRedirectApprovalUrl(runUrl + "input/");
 
         return inputActionExt;
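Review bot: `Util.rawEncode(inputId)` is the right encoder for a path segment, but a reader will not see why the abort URL and the proceed URL two lines above use different encoders; add on the changed line `// path segment: rawEncode escapes '/', '?', '#' and friends so a crafted inputId cannot escape input/<id>/abort` (per the Jenkins `Util.rawEncode` javadoc — worth confirming against the core version this plugin depends on). The other two URLs built here look unaffected: `runUrl` comes from `ModelUtil.getFullItemUrl(run.getUrl())`, and redirectApprovalUrl does not embed `inputId`. The enclosing `create(...)` starts before this hunk, so earlier uses of `inputId` in it are not visible; `getInputParams(inputId, run)` still receives the raw id, which is fine only if it does not also build a URL from it — please confirm. A regression test with an id containing `/`, `..` and `?` asserting that all three URLs stay under the run's `input/` namespace would make the fix verifiable.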