changeset 1062:04407dc0f496

TW-70509 prohibit creating VCS root with either repo name or branch name containing suspicious options
author victory.bedrosova
date Thu, 11 Mar 2021 15:32:03 +0100
parents b5967ce6f557
children 732fffb4c213
files mercurial-common/src/jetbrains/buildServer/buildTriggers/vcs/mercurial/command/HgVcsRoot.java mercurial-server/src/jetbrains/buildServer/buildTriggers/vcs/mercurial/MercurialVcsSupport.java
diffstat 2 files changed, 19 insertions(+), 4 deletions(-) [+]
--- a/mercurial-common/src/jetbrains/buildServer/buildTriggers/vcs/mercurial/command/HgVcsRoot.java	Thu Mar 11 14:59:12 2021 +0100
+++ b/mercurial-common/src/jetbrains/buildServer/buildTriggers/vcs/mercurial/command/HgVcsRoot.java	Thu Mar 11 15:32:03 2021 +0100
@@ -33,6 +33,8 @@
  */
 public class HgVcsRoot {
   public static final String DEFAULT_BRANCH_NAME = "default";
+
+  // prevent RCE, see TW-70054, TW-70541
   public static final String[] PROHIBITED_OPTIONS = {"--config", "--debug", "--cwd"};
 
   private final Map<String, String> myVcsRootProperties;
@@ -280,15 +282,17 @@
     return false;
   }
 
-  // prevent RCE, see TW-70054, TW-70541
   @Nullable
-  private String getValidatedProperty(@NotNull String name) {
-    final String param = getProperty(name);
+  public String getValidatedProperty(@NotNull String name) {
+    return validateProperty(name, getProperty(name));
+  }
+
+  public static String validateProperty(@NotNull String name, @Nullable String param) {
     if (StringUtil.isEmpty(param)) return null;
 
     for (String s : PROHIBITED_OPTIONS) {
       if (param.contains(s)) {
-        throw new IllegalArgumentException(String.format("Parameter" + name + " is not allowed to contain %s substring for security reasons", s));
+        throw new IllegalArgumentException(String.format("Parameter \"" + name + "\" is not allowed to contain \"%s\" substring for security reasons", s));
       }
     }
     return param;
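Review bot: The new `validateProperty` concatenates `name` into the `String.format` pattern rather than passing it as an argument, so a property name containing `%` would make `format` throw or misrender the message; use `throw new IllegalArgumentException(String.format("Parameter \"%s\" is not allowed to contain \"%s\" substring for security reasons", name, s));` instead. The method is now `public static` and returns null for an empty `param`, yet it carries no `@Nullable` return annotation (unlike `getValidatedProperty` directly above it) and no Javadoc; a short doc stating that it returns `param` unchanged, null when empty, and throws `IllegalArgumentException` when any `PROHIBITED_OPTIONS` entry occurs as a substring would help the server-side caller in MercurialVcsSupport. `contains` is a substring denylist of three option names, so it rejects benign values that merely embed those strings while not covering every way a value can be read as an hg option; where the invocation site permits it, a positional guard (placing user-supplied values after `--`, or rejecting values that begin with `-`) is the more robust defence. `validateProperty`'s closing brace lies outside the hunk.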
--- a/mercurial-server/src/jetbrains/buildServer/buildTriggers/vcs/mercurial/MercurialVcsSupport.java	Thu Mar 11 14:59:12 2021 +0100
+++ b/mercurial-server/src/jetbrains/buildServer/buildTriggers/vcs/mercurial/MercurialVcsSupport.java	Thu Mar 11 15:32:03 2021 +0100
@@ -157,9 +157,20 @@
         }
         if (isEmpty(properties.get(Constants.REPOSITORY_PROP))) {
           result.add(new InvalidProperty(Constants.REPOSITORY_PROP, "Repository must be specified"));
+        } else {
+          validateProperty(Constants.REPOSITORY_PROP, properties, result);
         }
+        validateProperty(Constants.BRANCH_NAME_PROP, properties, result);
         return result;
       }
+
+      private void validateProperty(@NotNull String name, Map<String, String> properties, @NotNull List<InvalidProperty> result) {
+        try {
+          HgVcsRoot.validateProperty(name, properties.get(name));
+        } catch (Exception e) {
+          result.add(new InvalidProperty(name, e.getMessage()));
+        }
+      }
     };
   }