[SECURITY-1373]

src/main/java/io/jenkins/plugins/analysis/core/model/StaticAnalysisLabelProvider.java

@@ -20,6 +20,7 @@
 import io.jenkins.plugins.analysis.core.scm.Blames;
 import io.jenkins.plugins.analysis.core.util.JenkinsFacade;
 import io.jenkins.plugins.analysis.core.util.QualityGateStatus;
+import io.jenkins.plugins.analysis.core.util.Sanitizer;
 
 import static j2html.TagCreator.*;
 
@@ -31,6 +32,8 @@
  * @author Ullrich Hafner
  */
 public class StaticAnalysisLabelProvider implements DescriptionProvider {
+    private static final Sanitizer SANITIZER = new Sanitizer();
+
     private static final String ICONS_PREFIX = "/plugin/warnings-ng/icons/";
     private static final String SMALL_ICON_URL = ICONS_PREFIX + "analysis-24x24.png";
     private static final String LARGE_ICON_URL = ICONS_PREFIX + "analysis-48x48.png";
@@ -65,7 +68,7 @@ public StaticAnalysisLabelProvider(final String id, @Nullable final String name)
     @VisibleForTesting
     StaticAnalysisLabelProvider(final String id, @Nullable final String name, final JenkinsFacade jenkins) {
         this.id = id;
-        this.name = name;
+        this.name = SANITIZER.render(name);
         this.jenkins = jenkins;
     }
 

src/test/java/io/jenkins/plugins/analysis/core/model/ConsoleDetailTest.java

@@ -27,6 +27,16 @@ void shouldDetectConsoleLog() {
         assertThat(ConsoleLogHandler.isInConsoleLog("blog")).isFalse();
     }
 
+    @Test
+    void shouldEscapeEntities() {
+        Stream<String> lines = Stream.of("<b>CheckStyle</b> <script>execute</script>");
+        ConsoleDetail consoleDetail = new ConsoleDetail(mock(Run.class), lines, 1, 2);
+
+        assertThat(consoleDetail.getSourceCode())
+                .doesNotContain("<b>CheckStyle</b> <script>execute</script>")
+                .contains("&lt;b&gt;CheckStyle&lt;/b&gt; &lt;script&gt;execute&lt;");
+    }
+
     @Test
     void shouldShowLinesOfConsoleLogStartAtBeginning() {
         ConsoleDetail consoleDetail = new ConsoleDetail(mock(Run.class), createLines(1, 20), 1, 2);
@@ -68,4 +78,4 @@ private Stream<String> createLines(final int start, final int end) {
         }
         return lines.stream();
     }
-}
+}

src/test/java/io/jenkins/plugins/analysis/core/model/SummaryTest.java

@@ -10,6 +10,7 @@
 import org.eclipse.collections.impl.factory.Lists;
 import org.eclipse.collections.impl.factory.Maps;
 import org.junit.jupiter.api.Test;
+import org.jvnet.hudson.test.Issue;
 
 import hudson.model.BallColor;
 import hudson.model.Run;
@@ -32,6 +33,28 @@ class SummaryTest {
     private static final FixedSizeMap<String, Integer> EMPTY_ORIGINS = Maps.fixedSize.empty();
     private static final ImmutableList<String> EMPTY_ERRORS = Lists.immutable.empty();
 
+    @Test
+    @Issue("SECURITY-1373")
+    void shouldSanitizeName() {
+        AnalysisResult analysisResult = createAnalysisResult(EMPTY_ORIGINS, 0, 0,
+                Lists.immutable.of("Error 1", "Error 2"), 0);
+
+        Locale.setDefault(Locale.ENGLISH);
+
+        LabelProviderFactoryFacade facade = mock(LabelProviderFactoryFacade.class);
+        StaticAnalysisLabelProvider checkStyleLabelProvider = createLabelProvider("checkstyle",
+                "<b>CheckStyle</b> <script>execute</script>");
+        when(facade.get("checkstyle")).thenReturn(checkStyleLabelProvider);
+
+        Summary summary = new Summary(checkStyleLabelProvider, analysisResult, facade);
+        setResetReferenceAction(summary, false);
+
+        String createdHtml = summary.create();
+
+        assertThat(createdHtml).contains("<b>CheckStyle</b>");
+        assertThat(createdHtml).doesNotContain("<script>execute</script>");
+    }
+
     @Test
     void shouldShowAggregatedWarnings() {
         AnalysisResult analysisResult = createAnalysisResult(EMPTY_ORIGINS, 0, 0,
@@ -293,11 +316,15 @@ private Summary createSummary(final AnalysisResult analysisResult, final boolean
         when(facade.get("pmd")).thenReturn(pmdLabelProvider);
 
         Summary summary = new Summary(createLabelProvider("test", "SummaryTest"), analysisResult, facade);
+        setResetReferenceAction(summary, isResetReferenceAvailable);
+
+        return summary;
+    }
+
+    private void setResetReferenceAction(final Summary summary, final boolean isResetReferenceAvailable) {
         ResetQualityGateCommand resetQualityGateCommand = mock(ResetQualityGateCommand.class);
         when(resetQualityGateCommand.isEnabled(any(), any())).thenReturn(isResetReferenceAvailable);
         summary.setResetQualityGateCommand(resetQualityGateCommand);
-
-        return summary;
     }
 
     private AnalysisResult createAnalysisResult(final Map<String, Integer> sizesPerOrigin,
@@ -323,11 +350,11 @@ private AnalysisResult createAnalysisResult(final Map<String, Integer> sizesPerO
         return analysisRun;
     }
 
-    private StaticAnalysisLabelProvider createLabelProvider(final String checkstyle, final String checkStyle) {
+    private StaticAnalysisLabelProvider createLabelProvider(final String id, final String name) {
         JenkinsFacade jenkins = mock(JenkinsFacade.class);
         when(jenkins.getImagePath(any(BallColor.class))).thenReturn("color");
         when(jenkins.getAbsoluteUrl(any())).thenReturn("absoluteUrl");
-        return new StaticAnalysisLabelProvider(checkstyle, checkStyle, jenkins);
+        return new StaticAnalysisLabelProvider(id, name, jenkins);
     }
 
     private Pattern createWarningsLink(final String href) {