changeset 1063:4b6661db8a8a Lakhnau-2020.2.x
TW-70509 prohibit creating VCS root with either repo name or branch name containing suspicious options
(grafted from 04407dc0f4967d24d53fe2a983afa4d11531684b)
author | victory.bedrosova |
date | Thu, 11 Mar 2021 15:32:03 +0100 |
parents | 24b84c5028bf |
children | 471eaf5420c8 |
files | mercurial-common/src/jetbrains/buildServer/buildTriggers/vcs/mercurial/command/HgVcsRoot.java mercurial-server/src/jetbrains/buildServer/buildTriggers/vcs/mercurial/MercurialVcsSupport.java |
diffstat | 2 files changed, 19 insertions(+), 4 deletions(-) [+] |
--- a/mercurial-common/src/jetbrains/buildServer/buildTriggers/vcs/mercurial/command/HgVcsRoot.java Thu Mar 11 14:59:12 2021 +0100 +++ b/mercurial-common/src/jetbrains/buildServer/buildTriggers/vcs/mercurial/command/HgVcsRoot.java Thu Mar 11 15:32:03 2021 +0100 @@ -33,6 +33,8 @@ */ public class HgVcsRoot { public static final String DEFAULT_BRANCH_NAME = "default"; + + // prevent RCE, see TW-70054, TW-70541 public static final String[] PROHIBITED_OPTIONS = {"--config", "--debug", "--cwd"}; private final Map<String, String> myVcsRootProperties; @@ -280,15 +282,17 @@ return false; } - // prevent RCE, see TW-70054, TW-70541 @Nullable - private String getValidatedProperty(@NotNull String name) { - final String param = getProperty(name); + public String getValidatedProperty(@NotNull String name) { + return validateProperty(name, getProperty(name)); + } + + public static String validateProperty(@NotNull String name, @Nullable String param) { if (StringUtil.isEmpty(param)) return null; for (String s : PROHIBITED_OPTIONS) { if (param.contains(s)) { - throw new IllegalArgumentException(String.format("Parameter" + name + " is not allowed to contain %s substring for security reasons", s)); + throw new IllegalArgumentException(String.format("Parameter \"" + name + "\" is not allowed to contain \"%s\" substring for security reasons", s)); } } return param;
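Review bot: In the new static `validateProperty`, `name` is concatenated into the format string handed to `String.format`, so a property key containing `%` would be read as a conversion and raise an `UnknownFormatConversionException` instead of the intended message; the keys passed today are constants, so this is latent, but the robust form is `throw new IllegalArgumentException(String.format("Parameter \"%s\" is not allowed to contain \"%s\" substring for security reasons", name, s));`. The method is a new public static API yet has no Javadoc and, unlike `getValidatedProperty` directly above it, no `@Nullable` on the return even though it returns `null` for an empty value; add `@Nullable` and a summary such as `/** Returns {@code param} unchanged, or {@code null} when it is empty; throws IllegalArgumentException if it contains any entry of {@link #PROHIBITED_OPTIONS}. */`. A substring denylist is a partial mitigation: whether a value that merely begins with `-` can still be consumed as an option token by the hg command line is not decided by this hunk, so rejecting a leading dash may be worth considering alongside it. The enclosing class `HgVcsRoot` continues outside the hunk.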
--- a/mercurial-server/src/jetbrains/buildServer/buildTriggers/vcs/mercurial/MercurialVcsSupport.java Thu Mar 11 14:59:12 2021 +0100 +++ b/mercurial-server/src/jetbrains/buildServer/buildTriggers/vcs/mercurial/MercurialVcsSupport.java Thu Mar 11 15:32:03 2021 +0100 @@ -157,9 +157,20 @@ } if (isEmpty(properties.get(Constants.REPOSITORY_PROP))) { result.add(new InvalidProperty(Constants.REPOSITORY_PROP, "Repository must be specified")); + } else { + validateProperty(Constants.REPOSITORY_PROP, properties, result); } + validateProperty(Constants.BRANCH_NAME_PROP, properties, result); return result; } + + private void validateProperty(@NotNull String name, Map<String, String> properties, @NotNull List<InvalidProperty> result) { + try { + HgVcsRoot.validateProperty(name, properties.get(name)); + } catch (Exception e) { + result.add(new InvalidProperty(name, e.getMessage())); + } + } }; }
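Review bot: The new private `validateProperty` helper catches `Exception`, but `HgVcsRoot.validateProperty` only signals a rejected value with `IllegalArgumentException`; the broad catch would also turn a `NullPointerException` or any other programming error into a user-facing `InvalidProperty` carrying an exception message, hiding the bug behind a validation error. Narrow it to `} catch (IllegalArgumentException e) {`. The `properties` parameter is the only one in the signature without a nullability annotation while `name` and `result` carry `@NotNull`; annotate it `@NotNull Map<String, String> properties` for consistency. The method that adds the "Repository must be specified" error starts outside the hunk; only the helper is fully visible.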