jenkins/sap-jenkins-library
1
0
Fork 0
mirror of https://github.com/SAP/jenkins-library.git synced 2025-04-11 11:41:53 +02:00
Code Issues Releases Activity

fix: command injection vulnerability (#5161)

Browse Source 
due to missing quoting, command injection was possible via
pipeline configuration.

This is now fixed using a quoting and escaping utility.

Co-authored-by: Oliver Feldmann <oliver.feldmann@sap.com>
This commit is contained in:
Holger Partsch 2024-10-24 17:29:40 +02:00 committed by GitHub
parent 0c41f9c141
commit 8b4109bf85
No known key found for this signature in database
GPG Key ID: B5690EEEBB952194
2 changed files with 19 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

17
test/groovy/TestsPublishResultsTest.groovy
View File

@ -1,3 +1,4 @@
import com.sap.piper.BashUtils
import org.junit.After
import org.junit.Before
import org.junit.Ignore
@ -9,8 +10,12 @@ import org.junit.rules.ExpectedException
import util.BasePiperTest
import util.JenkinsReadYamlRule
import util.JenkinsStepRule
import static org.hamcrest.Matchers.not
import static org.junit.Assert.assertEquals
import static org.junit.Assert.assertThat
import static org.junit.Assert.assertTrue
import static org.hamcrest.Matchers.containsString
import com.sap.piper.Utils
@ -230,4 +235,16 @@ class TestsPublishResultsTest extends BasePiperTest {
stepRule.step.testsPublishResults(script: nullScript, failOnError: true)
}
@Test
void testPublishUnitTestsWithUpdateResultsDoesNotAllowCommandExecution() throws Exception {
def injectString = "' -exec touch {} ; rm -rf / # –"
helper.registerAllowedMethod('sh', [String], { String cmd ->
assertThat(cmd, containsString(BashUtils.quoteAndEscape(injectString)))
})
stepRule.step.testsPublishResults(script: nullScript, junit: [pattern: injectString, archive: true, active: true, updateResults: true])
}
}

3
vars/testsPublishResults.groovy
View File

@ -1,4 +1,5 @@
import static com.sap.piper.Prerequisites.checkScript
import static com.sap.piper.BashUtils.quoteAndEscape as q
import com.sap.piper.GenerateDocumentation
import com.sap.piper.ConfigurationHelper
@ -193,7 +194,7 @@ void touchFiles(pattern){
echo "[${STEP_NAME}] update test results"
def patternArray = pattern.split(',')
for(def i = 0; i < patternArray.length; i++){
sh "find . -wholename '${patternArray[i].trim()}' -exec touch {} \\;"
sh "find . -wholename ${q(patternArray[i].trim())} -exec touch {} \\;"
}
}