
Commit 39d95ab

committed
Escape pattern field of build job param to prevent security vulnerability
1 parent 0df578a commit 39d95ab


3 files changed

+4
-3
lines changed


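--- a/server-core/src/main/java/io/onedev/server/model/support/inputspec/InputSpec.java
+++ b/server-core/src/main/java/io/onedev/server/model/support/inputspec/InputSpec.java
@@ -105,7 +105,7 @@ public List<String> getPossibleValues() {
 return Lists.newArrayList();
 }
 
-protected String escape(String string) {
+public static String escape(String string) {
 String escaped = JavaEscape.escapeJava(string);
 // escape $ character since it has special meaning in groovy string
 escaped = escaped.replace("$", "\\$");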
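Review bot: `escape` becomes a public static helper here but has no Javadoc, even though callers outside InputSpec now rely on it to keep user-supplied values from breaking out of the generated source. I would add a short Javadoc on the new signature stating that it escapes a value for use inside a double-quoted Java/Groovy string literal (Java escapes plus `\$` against GString interpolation), that it is not meant for any other context, and what it does with null input. The method body continues past the end of this hunk, so the null behaviour cannot be confirmed from here.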

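--- a/server-core/src/main/java/io/onedev/server/model/support/inputspec/textinput/TextInput.java
+++ b/server-core/src/main/java/io/onedev/server/model/support/inputspec/textinput/TextInput.java
@@ -15,6 +15,7 @@ public class TextInput {
 
 public static String getPropertyDef(InputSpec inputSpec, Map<String, Integer> indexes,
 String pattern, DefaultValueProvider defaultValueProvider) {
+pattern = InputSpec.escape(pattern);
 int index = indexes.get(inputSpec.getName());
 StringBuffer buffer = new StringBuffer();
 inputSpec.appendField(buffer, index, "String");
@@ -24,7 +25,7 @@ public static String getPropertyDef(InputSpec inputSpec, Map<String, Integer> in
 if (pattern != null)
 buffer.append(" @Pattern(regexp=\"" + pattern + "\", message=\"Should match regular expression: " + pattern + "\")\n");
 inputSpec.appendMethods(buffer, index, "String", null, defaultValueProvider);
-
+
 return buffer.toString();
 }
 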
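Review bot: The added `pattern = InputSpec.escape(pattern);` at the top of getPropertyDef runs before the existing `if (pattern != null)` guard, so a text input with no pattern now passes null into escape(). As far as the InputSpec hunk shows, escape() calls `escaped.replace("$", "\\$")` on the result of `JavaEscape.escapeJava(string)` with no null check, which would throw a NullPointerException if escapeJava returns null for null input. Moving the call under the guard avoids this: `if (pattern != null) { pattern = InputSpec.escape(pattern); buffer.append(...); }`. The Test.java touched by this commit still has an empty test body; a case with a pattern containing `"`, `\` and `$` that asserts the generated annotation text would pin the fix. The lines of getPropertyDef between the two hunks are not shown.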

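--- a/server-product/src/test/java/io/onedev/server/product/Test.java
+++ b/server-product/src/test/java/io/onedev/server/product/Test.java
@@ -5,5 +5,5 @@ public class Test {
 @org.junit.Test
 public void test() {
 }
-
+
 }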
