Jenkins issue JENKINS-29919

Pull Requests with double quotes cause build failures

      Description

      Pull requests with double quotes in the title of the PR are not properly escaped when used in invoking shell commands. The description is sent as part of the commands to the shell which causes the command to fail. This may be a possible command injection vulnerability for projects that are using this plugin and allow public pull requests.

      A chunk of the relevant log file:

      [workspace] $ hg --config ******** log --template "<changeset node='{node}' author='{author|xmlescape}' rev='{rev}' date='{date}'><msg>{desc|xmlescape}</msg><added>{file_adds|stringify|xmlescape}</added><deleted>{file_dels|stringify|xmlescape}</deleted><files>{files|stringify|xmlescape}</files><parents>{parents}</parents></changeset>\n" --rev BAL-3134:0 --follow --prune ae1822f7c61eab5bb14ef7cfb725d134ac4c893f --encoding UTF-8 --encodingmode replace
      [workspace] $ /var/lib/jenkins/tools/hudson.tasks.Ant_AntInstallation/redant/bin/ant -DsourceBranch=BAL-3134 -DdestinationRepositoryName=*** -DpullRequestId=1369 -DdestinationRepositoryOwner=*** -DrepositoryName=i3ballot_web '-DpullRequestTitle=BAL-3134 API: Error - MessageEngine Message queuer was not provided with an account id."' -DtargetBranch=default -DrepositoryOwner=*** build
      /var/lib/jenkins/tools/hudson.tasks.Ant_AntInstallation/redant/bin/ant: eval: line 336: unexpected EOF while looking for matching `"'
      /var/lib/jenkins/tools/hudson.tasks.Ant_AntInstallation/redant/bin/ant: eval: line 337: syntax error: unexpected end of file
      /var/lib/jenkins/tools/hudson.tasks.Ant_AntInstallation/redant/bin/ant: line 337: warning: syntax errors in . or eval will cause future versions of the shell to abort as Posix requires
      Build step 'Invoke Ant' marked build as failure
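The failure mode in both logs on this page (a shell re-parsing an argument that contains double quotes, either rejecting the line or splitting it into extra words such as the stray `=` target) and the safe construction of the same argument, as an added Python example that is not part of the issue or of either plugin. The command shape and the sample titles are constructed, modelled on the log lines above.

```python
import shlex

# Constructed sample title, modelled on the one in the issue's log: it ends
# in a double quote, which is what tripped the ant launcher's eval.
PR_TITLE = 'BAL-3134 API: Error - Message queuer was not provided with an account id."'


def naive_command(title: str) -> str:
    """Build the command line the way a launcher that wraps each argument in
    double quotes without escaping does (the failure mode seen in the logs)."""
    return 'ant "-DpullRequestTitle=%s" build' % title


def safe_command(title: str) -> str:
    """Same command, but the untrusted value goes through shlex.quote, which
    yields exactly one POSIX-shell word whatever characters the title holds."""
    return "ant %s build" % shlex.quote("-DpullRequestTitle=" + title)


def shell_words(command: str):
    """Split the string the way a POSIX shell (or eval) would.
    Returns the argv list, or None when the shell would reject the line."""
    try:
        return shlex.split(command)
    except ValueError:
        # shlex raises 'No closing quotation', the analogue of bash's
        # "unexpected EOF while looking for matching `"'" in the log above.
        return None


def round_trips(title: str) -> bool:
    """True when the quoted command parses back to exactly the intended argv,
    i.e. the title arrives in ant as one -D value and nothing else."""
    return shell_words(safe_command(title)) == ["ant", "-DpullRequestTitle=" + title, "build"]


if __name__ == "__main__":
    # Trailing quote: the shell cannot even parse the naive line.
    print("naive  :", shell_words(naive_command(PR_TITLE)))
    # Quotes mid-title: the naive line parses, but into the wrong words,
    # so ant sees extra "targets" (compare the Target "=" error in the comment).
    print("naive  :", shell_words(naive_command('Fix the "15 => 0015" year issue')))
    print("quoted :", shell_words(safe_command(PR_TITLE)), round_trips(PR_TITLE))
```

Passing the argument list to the process directly, without going through a shell string at all, removes the problem entirely; quoting as above is the fallback when a shell launcher such as the ant wrapper script is unavoidable.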
      


          Activity

          edhgoose Edward Hartwell Goose added a comment -

          I confirm I am having the same problem, with the GitHub Pull Request Builder. Note the double quotes in the ghprbPullLongDescription ("15 => 0015")

          [workspace] $ ant -DghprbCommentBody=null -DghprbTriggerAuthorEmail= -DghprbTargetBranch=development -DghprbSourceBranch=fix-coupon-date-validation -DghprbCredentialsId=dbc6f525-77c4-4112-8fa6-b1457ee5e493 "-DghprbActualCommitAuthor=Author Name" -Dsha1=origin/pr/634/merge '-DghprbPullLongDescription=Unit test plus various fixes for Start and Expiry Date validation on coupons.
          \nThis is designed to prevent the "15 => 0015" year issue which someone keeps causing, plus tighten up the validation for other issues too.
          \n
          \n' -DghprbPullLink=https://github.com/company/Repo/pull/634 -DghprbActualCommit=0c070362ac697b55ae72bf71b7dba290e96ddad2 -DghprbTriggerAuthorLoginMention= -DghprbAuthorRepoGitUrl=https://github.com/company/Repo.git -DghprbPullAuthorEmail= -DGIT_BRANCH=fix-coupon-date-validation -DghprbPullAuthorLogin=author -DghprbGhRepository=repo/Repo -DghprbActualCommitAuthorEmail=tim@company.com -DghprbTriggerAuthor= -DghprbTriggerAuthorLogin= -DghprbPullId=634 "-DghprbPullTitle=Fixes #796. Fix date validation" -DghprbPullAuthorLoginMention=@author "-DghprbPullDescription=GitHub pull request #634 of commit 0c070362ac697b55ae72bf71b7dba290e96ddad2, no merge conflicts." build.fast
          
          BUILD FAILED
          Target "=" does not exist in the project "ProjectName". 
          
          Total time: 0 seconds
          Build step 'Invoke Ant' marked build as failure
          
          ajmichels AJ Michels added a comment -

          We have encountered this issue also.


People

Assignee: Unassigned
Reporter: dstockto David Stockton
Votes: 3
Watchers: 5
