Jenkins: JENKINS-62036

Issue parsers display incorrect data when message or description contains HTML


      Description

      All issue parsers in analysis-model extend IssueParser, which needs to parse a stream into a Report made up of Issue instances (among other things). These Issue instances are usually created by extracting text from the console log or other log files. I haven't looked through all 100+ times it is used, but in the vast majority of cases, IssueBuilder.setMessage() is invoked with regex match groups, and those contents are treated as raw HTML (using the Unescaped class). Based on the various issue parsers I've used and looked at, they don't seem to expect HTML, though they can make use of it.

      Thanks to the use of the OWASP Markup Formatter, nothing malicious can be injected, but any supported HTML and special characters will be interpreted as such when parsed from the console log.
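The behaviour described above, as an added example that is not part of this issue or of analysis-model's own code: a regex parser written in the same style (match groups go straight into the message field) is run over a constructed gcc-style console log, and Python's html.parser stands in for the browser to show what a user would see when each message is embedded as raw markup versus HTML-escaped first. The log lines, the GCC_STYLE pattern, the `<td>` wrapper and the function names are all assumptions for illustration; the plugin's sanitizer and whatever fix the project adopted are not modelled, only the generic escape-before-embedding remedy.

```python
import html
import re
from html.parser import HTMLParser

# Constructed console output (not a real build log). One message is plain,
# two carry characters that are also HTML syntax, one carries an outright tag.
CONSOLE_LOG = """\
src/main.cpp:12:5: warning: unused variable 'x' [-Wunused-variable]
src/util.h:40:9: error: no match for 'operator<' (operand types are 'std::vector<int>' and 'int')
src/main.cpp:77:3: warning: comparison of a < b && b > c is ambiguous
src/a.c:3:1: warning: <b>this text was pasted into the log</b>
"""

# A parser in the style the issue describes: a regex whose match groups are
# handed to the message field with no notion of what characters they hold.
# (Hypothetical pattern, assumed for this example.)
GCC_STYLE = re.compile(
    r"^(?P<file>[^:]+):(?P<line>\d+):(?P<col>\d+): "
    r"(?P<severity>warning|error): (?P<message>.*)$"
)


def parse_issues(log):
    """Return one dict per matching line; 'message' is the raw match group."""
    issues = []
    for raw in log.splitlines():
        m = GCC_STYLE.match(raw)
        if m:
            issues.append({
                "file": m["file"],
                "line": int(m["line"]),
                "severity": m["severity"],
                "message": m["message"],
            })
    return issues


class _VisibleText(HTMLParser):
    """Collects the text a browser would display for an HTML fragment:
    anything parsed as a tag disappears, character references are decoded."""

    def __init__(self):
        super().__init__()
        self.parts = []

    def handle_data(self, data):
        self.parts.append(data)


def displayed(markup):
    p = _VisibleText()
    p.feed(markup)
    p.close()
    return "".join(p.parts)


def render_raw(message):
    """The behaviour the issue reports: the message is dropped into the page
    as markup. (The real plugin sanitizes first, which strips dangerous
    markup but still interprets the rest; the sanitizer is not modelled.)"""
    return "<td>" + message + "</td>"


def render_escaped(message):
    """The generic fix: escape before embedding, so the browser shows exactly
    what the compiler printed."""
    return "<td>" + html.escape(message) + "</td>"


def audit(log):
    """For every parsed issue, record what the user would see under both
    renderings and whether the raw rendering changed the text."""
    rows = []
    for issue in parse_issues(log):
        msg = issue["message"]
        shown_raw = displayed(render_raw(msg))
        shown_escaped = displayed(render_escaped(msg))
        rows.append({
            "message": msg,
            "shown_raw": shown_raw,
            "shown_escaped": shown_escaped,
            "mangled": shown_raw != msg,
        })
    return rows


def mangled_messages(log):
    """Messages whose raw-HTML rendering no longer matches the log text."""
    return [r["message"] for r in audit(log) if r["mangled"]]


if __name__ == "__main__":
    for r in audit(CONSOLE_LOG):
        flag = "MANGLED" if r["mangled"] else "ok     "
        print(f"{flag} {r['message']!r}")
        if r["mangled"]:
            print(f"        raw display:     {r['shown_raw']!r}")
            print(f"        escaped display: {r['shown_escaped']!r}")
```

Run directly, it lists which of the four messages are altered when embedded raw: the `operator<` diagnostic loses its `<int>` template argument (the browser reads it as a tag) and the pasted `<b>` markup is rendered rather than shown, while `a < b && b > c` survives because `<` followed by a space is not a tag start. Escaping first reproduces every message exactly. The same audit can be pointed at a real console log to find the lines a parser of this style would misreport.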


          Activity

          drulli Ulli Hafner added a comment -

          Do you have an example that is printed incorrectly? I labeled this issue as a newbie-friendly hackfest issue, so an example would be helpful.

          jvz Matt Sicker added a comment -

          The way I reproduced this issue was to cat a modified log file in a build and then scan it for issues. I changed some text that I knew would be scanned and parsed to add some HTML which was not escaped.


            People

            • Assignee:
              Unassigned
              Reporter:
              jvz Matt Sicker