From 5c5a24c6c3b2e1511382943f21eb260d4de3642c Mon Sep 17 00:00:00 2001 From: Timothy Brackett Date: Fri, 30 Jul 2021 23:44:00 +0000 Subject: [PATCH 1/4] Use https in URIs --- pom.xml | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/pom.xml b/pom.xml index e8b6964..f9e0423 100644 --- a/pom.xml +++ b/pom.xml @@ -10,7 +10,7 @@ 0.29-SNAPSHOT hpi Jenkins Valgrind Plug-in - http://wiki.jenkins-ci.org/display/JENKINS/Valgrind+Plugin + https://wiki.jenkins-ci.org/display/JENKINS/Valgrind+Plugin @@ -37,14 +37,14 @@ repo.jenkins-ci.org - http://repo.jenkins-ci.org/public/ + https://repo.jenkins-ci.org/public/ repo.jenkins-ci.org - http://repo.jenkins-ci.org/public/ + https://repo.jenkins-ci.org/public/ From b658eacdf5813aec5a68f88e3b64d2a26384189f Mon Sep 17 00:00:00 2001 From: Timothy Brackett Date: Fri, 30 Jul 2021 19:46:28 -0400 Subject: [PATCH 2/4] Remove illegal <> chars in doc comments --- .../java/org/jenkinsci/plugins/valgrind/ValgrindResult.java | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/main/java/org/jenkinsci/plugins/valgrind/ValgrindResult.java b/src/main/java/org/jenkinsci/plugins/valgrind/ValgrindResult.java index 7777f8f..a2a17c0 100644 --- a/src/main/java/org/jenkinsci/plugins/valgrind/ValgrindResult.java +++ b/src/main/java/org/jenkinsci/plugins/valgrind/ValgrindResult.java @@ -85,7 +85,7 @@ public String getSummary() throws IOException, InterruptedException /** * - * @param link expected to be in format "id=," + * @param link expected to be in format "id=<executable name>,<unique error id>" * @param request * @param response * @return valgrind detail(s) From 531a61b0760c5d0f52f147add3eaf8efd7103a21 Mon Sep 17 00:00:00 2001 From: Timothy Brackett Date: Thu, 29 Jul 2021 16:05:27 -0400 Subject: [PATCH 3/4] Prevent XXE --- .../jenkinsci/plugins/valgrind/parser/ValgrindSaxParser.java | 3 +++ 1 file changed, 3 insertions(+) diff --git a/src/main/java/org/jenkinsci/plugins/valgrind/parser/ValgrindSaxParser.java b/src/main/java/org/jenkinsci/plugins/valgrind/parser/ValgrindSaxParser.java index 5f8cc16..b8fdeca 100644 --- a/src/main/java/org/jenkinsci/plugins/valgrind/parser/ValgrindSaxParser.java +++ b/src/main/java/org/jenkinsci/plugins/valgrind/parser/ValgrindSaxParser.java @@ -342,6 +342,9 @@ public ValgrindReport parse( final File file ) throws ParserConfigurationExcepti { SAXParserFactory factory = SAXParserFactory.newInstance(); factory.setNamespaceAware(true); + factory.setFeature("http://xml.org/sax/features/external-general-entities", false); + factory.setFeature("http://xml.org/sax/features/external-parameter-entities", false); + factory.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false); SAXParser saxParser = factory.newSAXParser(); Handler handler = new Handler(); From 52392cc39a1ca9fcddb7a3c615e0f224102d8a14 Mon Sep 17 00:00:00 2001 From: Timothy Brackett Date: Fri, 30 Jul 2021 19:47:43 -0400 Subject: [PATCH 4/4] Escape input from Valgrind XML to avoid XSS --- pom.xml | 5 +++++ .../jenkinsci/plugins/valgrind/parser/ValgrindSaxParser.java | 4 +++- .../plugins/valgrind/parser/ValgrindSaxParserTest.java | 2 +- .../org/jenkinsci/plugins/valgrind/parser/aux-data.xml | 2 +- 4 files changed, 10 insertions(+), 3 deletions(-) diff --git a/pom.xml b/pom.xml index f9e0423..9386ecd 100644 --- a/pom.xml +++ b/pom.xml @@ -62,6 +62,11 @@ test + + org.apache.commons + commons-text + 1.3 + org.easymock easymock diff --git a/src/main/java/org/jenkinsci/plugins/valgrind/parser/ValgrindSaxParser.java b/src/main/java/org/jenkinsci/plugins/valgrind/parser/ValgrindSaxParser.java index b8fdeca..2ec5de5 100644 --- a/src/main/java/org/jenkinsci/plugins/valgrind/parser/ValgrindSaxParser.java +++ b/src/main/java/org/jenkinsci/plugins/valgrind/parser/ValgrindSaxParser.java @@ -8,6 +8,8 @@ import javax.xml.parsers.SAXParser; import javax.xml.parsers.SAXParserFactory; +import static org.apache.commons.text.StringEscapeUtils.escapeHtml4; + import org.jenkinsci.plugins.valgrind.model.ValgrindAuxiliary; import org.jenkinsci.plugins.valgrind.model.ValgrindError; import org.jenkinsci.plugins.valgrind.model.ValgrindErrorKind; @@ -329,7 +331,7 @@ public void characters(char ch[], int start, int length) throws SAXException if ( data == null ) return; - data.append(new String(ch,start,length)); + data.append(escapeHtml4(new String(ch,start,length))); } public ValgrindReport getReport() diff --git a/src/test/java/org/jenkinsci/plugins/valgrind/parser/ValgrindSaxParserTest.java b/src/test/java/org/jenkinsci/plugins/valgrind/parser/ValgrindSaxParserTest.java index 37b7e2c..4e4c36e 100644 --- a/src/test/java/org/jenkinsci/plugins/valgrind/parser/ValgrindSaxParserTest.java +++ b/src/test/java/org/jenkinsci/plugins/valgrind/parser/ValgrindSaxParserTest.java @@ -175,7 +175,7 @@ public void suppression() throws ParserConfigurationException, SAXException, IOE final String expectedSuppression = "{\n" + - " \n" + + " insert_a_suppression_name_here\n" + " Memcheck:Addr1\n" + " fun:memcpy@@GLIBC_2.14\n" + " fun:access_already_freed_memory_memcpy\n" + diff --git a/src/test/resources/org/jenkinsci/plugins/valgrind/parser/aux-data.xml b/src/test/resources/org/jenkinsci/plugins/valgrind/parser/aux-data.xml index 9137997..22e5b04 100644 --- a/src/test/resources/org/jenkinsci/plugins/valgrind/parser/aux-data.xml +++ b/src/test/resources/org/jenkinsci/plugins/valgrind/parser/aux-data.xml @@ -87,7 +87,7 @@ + insert_a_suppression_name_here Memcheck:Addr1 fun:memcpy@@GLIBC_2.14 fun:access_already_freed_memory_memcpy