[SECURITY-2828]

jenkinsci · Oct 12, 2022 · cee2751 · cee2751
1 parent 80cc954
commit cee2751
Show file tree

Hide file tree

Showing 2 changed files with 11 additions and 2 deletions.
diff --git a/rest-api/src/main/java/com/cloudbees/workflow/rest/endpoints/RunAPI.java b/rest-api/src/main/java/com/cloudbees/workflow/rest/endpoints/RunAPI.java
@@ -45,6 +45,10 @@
 import org.kohsuke.stapler.interceptor.RequirePOST;
 
 import javax.servlet.ServletException;
+import java.io.UnsupportedEncodingException;
+import java.net.URLEncoder;
+import java.nio.charset.Charset;
+import java.nio.charset.StandardCharsets;
 import java.util.ArrayList;
 import java.util.List;
 import java.util.concurrent.TimeoutException;
@@ -85,7 +89,11 @@ public static String getArtifactsUrl(WorkflowRun run) {
     }
 
     public static String getInputStepSubmitUrl(WorkflowRun run, String inputId) {
-        return getUrl(run) + "inputSubmit?inputId=" + inputId;
+        try {
+            return getUrl(run) + "inputSubmit?inputId=" + URLEncoder.encode(inputId, StandardCharsets.UTF_8.name());
+        } catch (UnsupportedEncodingException e) {
+            throw new AssertionError("UTF-8 is a mandated charset, yet the JVM does not provide support for it", e);
+        }
     }
 
     public static String getArtifactUrl(WorkflowRun run, Run<WorkflowJob, WorkflowRun>.Artifact artifact) {

diff --git a/rest-api/src/main/java/com/cloudbees/workflow/rest/external/PendingInputActionsExt.java b/rest-api/src/main/java/com/cloudbees/workflow/rest/external/PendingInputActionsExt.java
@@ -26,6 +26,7 @@
 import com.cloudbees.workflow.rest.endpoints.RunAPI;
 import com.cloudbees.workflow.util.ModelUtil;
 import com.fasterxml.jackson.annotation.JsonInclude;
+import hudson.Util;
 import hudson.model.ParameterDefinition;
 import org.jenkinsci.plugins.workflow.job.WorkflowRun;
 import org.jenkinsci.plugins.workflow.support.steps.input.InputAction;
@@ -117,7 +118,7 @@ public static PendingInputActionsExt create(InputStepExecution inputStepExecutio
         String runUrl = ModelUtil.getFullItemUrl(run.getUrl());
         inputActionExt.setInputs(getInputParams(inputId, run));
         inputActionExt.setProceedUrl(RunAPI.getInputStepSubmitUrl(run, inputId));
-        inputActionExt.setAbortUrl(runUrl + "input/" + inputId + "/abort");
+        inputActionExt.setAbortUrl(runUrl + "input/" + Util.rawEncode(inputId) + "/abort");
         inputActionExt.setRedirectApprovalUrl(runUrl + "input/");
 
         return inputActionExt;