From cac67947b95abdeffa10588942b900bdc8cde9da Mon Sep 17 00:00:00 2001
From: Holger Partsch
Date: Thu, 24 Oct 2024 12:52:35 +0200
Subject: [PATCH] fix: command injection vulnerability due to missing quoting, command injection was possible via pipeline configuration. This is now fixed using a quoting and escaping utility.
---
 test/groovy/TestsPublishResultsTest.groovy | 17 +++++++++++++++++
 vars/testsPublishResults.groovy            |  3 ++-
 2 files changed, 19 insertions(+), 1 deletion(-)

diff --git a/test/groovy/TestsPublishResultsTest.groovy b/test/groovy/TestsPublishResultsTest.groovy
index f851577880..94dd1c21c5 100644
--- a/test/groovy/TestsPublishResultsTest.groovy
+++ b/test/groovy/TestsPublishResultsTest.groovy
@@ -1,3 +1,4 @@
+import com.sap.piper.BashUtils
 import org.junit.After
 import org.junit.Before
 import org.junit.Ignore
@@ -9,8 +10,12 @@ import org.junit.rules.ExpectedException
 import util.BasePiperTest
 import util.JenkinsReadYamlRule
 import util.JenkinsStepRule
+
+import static org.hamcrest.Matchers.not
 import static org.junit.Assert.assertEquals
+import static org.junit.Assert.assertThat
 import static org.junit.Assert.assertTrue
+import static org.hamcrest.Matchers.containsString
 
 import com.sap.piper.Utils
 
@@ -230,4 +235,16 @@ class TestsPublishResultsTest extends BasePiperTest {
         stepRule.step.testsPublishResults(script: nullScript, failOnError: true)
     }
+
+    @Test
+    void testPublishUnitTestsWithUpdateResultsDoesNotAllowCommandExecution() throws Exception {
+        def injectString = "' -exec touch {} ; rm -rf / # –"
+        helper.registerAllowedMethod('sh', [String], { String cmd ->
+            assertThat(cmd, containsString(BashUtils.quoteAndEscape(injectString)))
+        })
+
+        stepRule.step.testsPublishResults(script: nullScript, junit: [pattern: injectString, archive: true, active: true, updateResults: true])
+
+
+    }
 
 }
diff --git a/vars/testsPublishResults.groovy b/vars/testsPublishResults.groovy
index 00a0685e55..e86521726d 100644
--- a/vars/testsPublishResults.groovy
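Review bot: The new test `testPublishUnitTestsWithUpdateResultsDoesNotAllowCommandExecution` can pass without checking anything, because its only assertion lives inside the `sh` closure registered via `helper.registerAllowedMethod`; if the `updateResults` path never reaches `sh` (or another registered mock takes precedence), no assertion executes. Record the call and verify it afterwards: `def shCalled = false` before the registration, `shCalled = true` as the closure's first statement, and `assertTrue(shCalled)` after the `testsPublishResults(...)` call. The `containsString(BashUtils.quoteAndEscape(injectString))` check also only proves the quoted form is present, not that the pattern is absent in its old unquoted `-wholename '...'` shape; asserting the full expected `find . -wholename … -exec touch {} \;` command with `assertEquals` would pin the fix and would let the unused `import static org.hamcrest.Matchers.not` be dropped. The trailing `–` in `injectString` is an en dash rather than `--`, which looks unintended for a shell-comment payload.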
+++ b/vars/testsPublishResults.groovy
@@ -1,4 +1,5 @@
 import static com.sap.piper.Prerequisites.checkScript
+import static com.sap.piper.BashUtils.quoteAndEscape as q
 
 import com.sap.piper.GenerateDocumentation
 import com.sap.piper.ConfigurationHelper
@@ -193,7 +194,7 @@ void touchFiles(pattern){
     echo "[${STEP_NAME}] update test results"
     def patternArray = pattern.split(',')
     for(def i = 0; i < patternArray.length; i++){
-        sh "find . -wholename '${patternArray[i].trim()}' -exec touch {} \\;"
+        sh "find . -wholename ${q(patternArray[i].trim())} -exec touch {} \\;"
     }
 }
 
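Review bot: The quoted `find` invocation in `touchFiles` is only as safe as `quoteAndEscape`'s contract — it must return one shell word with embedded single quotes neutralised for the shell the `sh` step runs — and nothing in this hunk records that, so the `sh` line deserves a comment such as `// pattern comes from pipeline configuration: q() must yield a single-quoted find argument so it cannot inject shell syntax`. After `pattern.split(',')` an empty entry (e.g. a trailing comma) still reaches `find` as an empty quoted argument, which matches nothing but spawns a shell per entry; skipping blank entries before the `sh` call (`if (!p) continue`) would avoid that. The one-letter alias `as q` in the import hunk hides the call's purpose at the use site, and spelling out `quoteAndEscape(...)` next to a shell command reads more clearly. `touchFiles` begins on the line before this hunk, outside it.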