- Bug
- Resolution: Fixed
- Critical
- Jenkins 2.89.3
From the official Docker image: jenkins/jenkins:2.89.3
Having a (or multiple) single quote(s) in the password of the user used by Artifactory causes the job to crash when using the Conan package manager during the ConanAddUser step.
This is the classic SQL injection security hole. I just caught it because I'm running the job in a Docker container.
I've looked through the plugin code and I found that the single and probably best place where this can be escaped is in https://github.com/JFrogDev/jenkins-artifactory-plugin/blob/master/src/main/java/org/jfrog/hudson/util/plugins/PluginsUtils.java#L67
Or just before https://github.com/JFrogDev/jenkins-artifactory-plugin/blob/master/src/main/java/org/jfrog/hudson/util/Credentials.java#L43
Since after this the password is scrambled and cannot be escaped anymore.
In my desperation I've also asked on StackOverflow about this: https://stackoverflow.com/questions/48907089/jenkins-pipeline-with-docker-and-artifactory
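
An added example, not the plugin's code: it assumes the ConanAddUser step ends up placing the password inside a single-quoted argument of a shell command line (the page does not show that command). It shows why a quote in the password breaks the step and what the escaping proposed above has to do; the function names and sample passwords are constructed.

```shell
#!/bin/sh
# Added example; function names and sample passwords are constructed.

# Naive quoting: wrap the value in single quotes, no escaping.
naive_quote() {
    printf "'%s'" "$1"
}

# POSIX-safe quoting: every ' becomes '\'' (close quote, escaped quote, reopen).
sh_quote() {
    sq_q="'" sq_rest=$1 sq_out=
    while :; do
        case $sq_rest in
            *"$sq_q"*)
                sq_head=${sq_rest%%"$sq_q"*}     # text before the first quote
                sq_rest=${sq_rest#*"$sq_q"}      # text after it
                sq_out="$sq_out$sq_head$sq_q\\$sq_q$sq_q"
                ;;
            *)
                sq_out="$sq_out$sq_rest"
                break
                ;;
        esac
    done
    printf "'%s'" "$sq_out"
}

# Stand-in for the tool that receives the password (assumption: the real
# command is built as one string and handed to a shell, as `sh -c` does here).
# $1 = quoting function, $2 = password. Prints what the tool would receive.
run_with() {
    rw_quoted=$("$1" "$2")
    sh -c "printf '%s' $rw_quoted" 2>/dev/null
}

pw="pa'ss"   # constructed sample password with one single quote

# One quote: the shell sees an unterminated string and the step fails.
run_with naive_quote "$pw" || echo "naive: shell rejected the command line"

# Two quotes: the command parses, but the password is silently altered.
echo "naive, two quotes: $(run_with naive_quote "a'b'c")"

# Escaped: the tool receives the password unchanged.
echo "escaped: $(run_with sh_quote "$pw")"
```

The escaping has to happen while the clear-text password is still available, which is the point made above about doing it before the value is scrambled.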