fix issue #88: Users able to edit build spec can execute arbitrary java

code
theonedev · Apr 10, 2020 · 4f5dc6f · 4f5dc6f
1 parent 4c2cf7a
commit 4f5dc6f
Showing 1 changed file with 5 additions and 1 deletion.
diff --git a/server-core/src/main/java/io/onedev/server/CoreModule.java b/server-core/src/main/java/io/onedev/server/CoreModule.java
@@ -60,6 +60,7 @@
 import org.hibernate.collection.internal.PersistentBag;
 import org.hibernate.exception.ConstraintViolationException;
 import org.hibernate.type.Type;
+import org.hibernate.validator.messageinterpolation.ParameterMessageInterpolator;
 
 import com.fasterxml.jackson.databind.ObjectMapper;
 import com.google.common.collect.Lists;
@@ -309,7 +310,10 @@ protected void configure() {
 
 			@Override
 			public ValidatorFactory get() {
-				Configuration<?> configuration = Validation.byDefaultProvider().configure();
+				Configuration<?> configuration = Validation
+						.byDefaultProvider()
+						.configure()
+						.messageInterpolator(new ParameterMessageInterpolator());
 				return configuration.buildValidatorFactory();
 			}