Compatibility with SECURITY-2880 fix

Co-authored-by: James Nord <jtnord@users.noreply.github.com>

Author: daniel-beck

pipeline-model-definition/src/main/groovy/org/jenkinsci/plugins/pipeline/modeldefinition/parser/RuntimeASTTransformer.groovy

@@ -25,6 +25,7 @@
 package org.jenkinsci.plugins.pipeline.modeldefinition.parser
 
 import edu.umd.cs.findbugs.annotations.SuppressFBWarnings
+import hudson.Util
 import hudson.model.JobProperty
 import hudson.model.ParameterDefinition
 import hudson.model.Run
@@ -742,9 +743,15 @@ public class RuntimeASTTransformer {
             if (!original.parameters.isEmpty()) {
                 paramsExpr = wrapper.asWrappedScriptContextVariable(transformListOfDescribables(original.parameters, ParameterDefinition.class))
             }
+
+            String id = stageName
+            if (stageName != null && !SystemProperties.getBoolean(RuntimeASTTransformer.class.name + '.retainOriginalStageNameForInputId')) {
+                id = Util.getDigestOf(stageName)
+            }
+
             return wrapper.asExternalMethodCall(ctorX(ClassHelper.make(StageInput.class),
                 args(valueOrNull(original.message),
-                    valueOrNull(original.id, stageName),
+                    valueOrNull(original.id, id),
                     valueOrNull(original.ok),
                     valueOrNull(original.submitter),
                     valueOrNull(original.submitterParameter),

pipeline-model-definition/src/main/java/org/jenkinsci/plugins/pipeline/modeldefinition/generator/InputDirective.java

@@ -134,6 +134,44 @@ public FormValidation doCheckMessage(@QueryParameter String value) {
             }
         }
 
+        public FormValidation doCheckId(@QueryParameter String id) {
+            // TODO post SECURITY-2880 update the pipeline-input-step dependency and call the InputStep descriptor check
+
+            // https://www.rfc-editor.org/rfc/rfc3986.txt
+            // URLs may only contain ascii
+            // and only some parts are allowed
+            //      segment       = *pchar
+            //      segment-nz    = 1*pchar
+            //      segment-nz-nc = 1*( unreserved / pct-encoded / sub-delims / "@" )
+            //                      ; non-zero-length segment without any colon ":"
+            //      pchar         = unreserved / pct-encoded / sub-delims / ":" / "@"
+            //      unreserved    = ALPHA / DIGIT / "-" / "." / "_" / "~"
+            //      sub-delims    = "!" / "$" / "&" / "'" / "(" / ")"
+            //                      / "*" / "+" / "," / ";" / "="
+
+            // but we are not allowing pct-encoded here.
+            // additionally "." and ".." should be rejected.
+            // and as we are using html / javascript in places we disallow "'"
+            // and to prevent escaping hell disallow "&"
+
+            // as well as anything unsafe we disallow . and .. (but we can have a dot inside the string so foo.bar is ok)
+            // also Jenkins dissallows ; in the request parameter so don't allow that either.
+            if (id == null || id.isEmpty()) {
+                // the id will be provided by a hash of the message
+                return FormValidation.ok();
+            }
+            if (id.equals(".")) {
+                return FormValidation.error("The ID is required to be URL safe and is limited to the characters a-z A-Z, the digits 0-9 and additionally the characters ':' '@' '=' '+' '$' ',' '-' '_' '.' '!' '~' '*' '(' ')'.");
+            }
+            if (id.equals("..")) {
+                return FormValidation.error("The ID is required to be URL safe and is limited to the characters a-z A-Z, the digits 0-9 and additionally the characters ':' '@' '=' '+' '$' ',' '-' '_' '.' '!' '~' '*' '(' ')'.");
+            }
+            if (!id.matches("^[a-zA-Z0-9[-]._~!$()*+,:@=]+$")) { // escape the - inside another [] so it does not become a range of , - _
+                return FormValidation.error("The ID is required to be URL safe and is limited to the characters a-z A-Z, the digits 0-9 and additionally the characters ':' '@' '=' '+' '$' ',' '-' '_' '.' '!' '~' '*' '(' ')'.");
+            }
+            return FormValidation.ok();
+        }
+
         @Override
         @NonNull
         public String toGroovy(@NonNull InputDirective directive) {

pipeline-model-definition/src/test/java/org/jenkinsci/plugins/pipeline/modeldefinition/MatrixTest.java

@@ -24,10 +24,12 @@
 package org.jenkinsci.plugins.pipeline.modeldefinition;
 
 import com.gargoylesoftware.htmlunit.html.HtmlPage;
+import hudson.Util;
 import hudson.model.Result;
 import hudson.model.Slave;
 import hudson.model.queue.QueueTaskFuture;
 import hudson.slaves.EnvironmentVariablesNodeProperty;
+import org.apache.commons.lang.StringUtils;
 import org.jenkinsci.plugins.pipeline.StageStatus;
 import org.jenkinsci.plugins.pipeline.modeldefinition.parser.RuntimeASTTransformer;
 import org.jenkinsci.plugins.workflow.actions.TagsAction;
@@ -774,7 +776,7 @@ public void matrixInput() throws Exception {
         JenkinsRule.WebClient wc = j.createWebClient();
         HtmlPage page;
 
-        InputStepExecution is1 = a.getExecution("Matrix - AXIS_VALUE = 'A'");
+        InputStepExecution is1 = a.getExecution(StringUtils.capitalize(Util.getDigestOf("Matrix - AXIS_VALUE = 'A'")));
         assertEquals("Continue?", is1.getInput().getMessage());
         assertEquals(0, is1.getInput().getParameters().size());
         assertNull(is1.getInput().getSubmitter());
@@ -784,7 +786,7 @@ public void matrixInput() throws Exception {
 
         assertEquals(1, a.getExecutions().size());
 
-        is1 = a.getExecution("Matrix - AXIS_VALUE = 'B'");
+        is1 = a.getExecution(StringUtils.capitalize(Util.getDigestOf("Matrix - AXIS_VALUE = 'B'")));
         assertEquals("Continue?", is1.getInput().getMessage());
         assertEquals(0, is1.getInput().getParameters().size());
         assertNull(is1.getInput().getSubmitter());
@@ -824,7 +826,7 @@ public void matrixInputChildStage() throws Exception {
         JenkinsRule.WebClient wc = j.createWebClient();
         HtmlPage page;
 
-        InputStepExecution is1 = a.getExecution("Cell");
+        InputStepExecution is1 = a.getExecution(StringUtils.capitalize(Util.getDigestOf("Cell")));
         assertEquals("Continue?", is1.getInput().getMessage());
         assertEquals(0, is1.getInput().getParameters().size());
         assertNull(is1.getInput().getSubmitter());
@@ -834,7 +836,7 @@ public void matrixInputChildStage() throws Exception {
 
         assertEquals(1, a.getExecutions().size());
 
-        is1 = a.getExecution("Cell");
+        is1 = a.getExecution(StringUtils.capitalize(Util.getDigestOf("Cell")));
         assertEquals("Continue?", is1.getInput().getMessage());
         assertEquals(0, is1.getInput().getParameters().size());
         assertNull(is1.getInput().getSubmitter());
@@ -874,7 +876,7 @@ public void matrixInputWhen() throws Exception {
         JenkinsRule.WebClient wc = j.createWebClient();
         HtmlPage page;
 
-        InputStepExecution is1 = a.getExecution("Matrix - AXIS_VALUE = 'A'");
+        InputStepExecution is1 = a.getExecution(StringUtils.capitalize(Util.getDigestOf("Matrix - AXIS_VALUE = 'A'")));
         assertEquals("Continue?", is1.getInput().getMessage());
         assertEquals(0, is1.getInput().getParameters().size());
         assertNull(is1.getInput().getSubmitter());
@@ -884,7 +886,7 @@ public void matrixInputWhen() throws Exception {
 
         assertEquals(1, a.getExecutions().size());
 
-        is1 = a.getExecution("Matrix - AXIS_VALUE = 'B'");
+        is1 = a.getExecution(StringUtils.capitalize(Util.getDigestOf("Matrix - AXIS_VALUE = 'B'")));
         assertEquals("Continue?", is1.getInput().getMessage());
         assertEquals(0, is1.getInput().getParameters().size());
         assertNull(is1.getInput().getSubmitter());
@@ -925,7 +927,7 @@ public void matrixInputWhenChildStage() throws Exception {
         JenkinsRule.WebClient wc = j.createWebClient();
         HtmlPage page;
 
-        InputStepExecution is1 = a.getExecution("Cell");
+        InputStepExecution is1 = a.getExecution(StringUtils.capitalize(Util.getDigestOf("Cell")));
         assertEquals("Continue?", is1.getInput().getMessage());
         assertEquals(0, is1.getInput().getParameters().size());
         assertNull(is1.getInput().getSubmitter());
@@ -935,7 +937,7 @@ public void matrixInputWhenChildStage() throws Exception {
 
         assertEquals(1, a.getExecutions().size());
 
-        is1 = a.getExecution("Cell");
+        is1 = a.getExecution(StringUtils.capitalize(Util.getDigestOf("Cell")));
         assertEquals("Continue?", is1.getInput().getMessage());
         assertEquals(0, is1.getInput().getParameters().size());
         assertNull(is1.getInput().getSubmitter());
@@ -976,7 +978,7 @@ public void matrixInputWhenBeforeInput() throws Exception {
         JenkinsRule.WebClient wc = j.createWebClient();
         HtmlPage page;
 
-        InputStepExecution is1 = a.getExecution("Matrix - AXIS_VALUE = 'A'");
+        InputStepExecution is1 = a.getExecution(StringUtils.capitalize(Util.getDigestOf("Matrix - AXIS_VALUE = 'A'")));
         assertEquals("Continue?", is1.getInput().getMessage());
         assertEquals(0, is1.getInput().getParameters().size());
         assertNull(is1.getInput().getSubmitter());
@@ -1017,7 +1019,7 @@ public void matrixInputWhenBeforeInputChildStage() throws Exception {
         JenkinsRule.WebClient wc = j.createWebClient();
         HtmlPage page;
 
-        InputStepExecution is1 = a.getExecution("Cell");
+        InputStepExecution is1 = a.getExecution(StringUtils.capitalize(Util.getDigestOf("Cell")));
         assertEquals("Continue?", is1.getInput().getMessage());
         assertEquals(0, is1.getInput().getParameters().size());
         assertNull(is1.getInput().getSubmitter());

pipeline-model-definition/src/test/java/org/jenkinsci/plugins/pipeline/modeldefinition/ParallelTest.java

@@ -24,10 +24,12 @@
 package org.jenkinsci.plugins.pipeline.modeldefinition;
 
 import com.gargoylesoftware.htmlunit.html.HtmlPage;
+import hudson.Util;
 import hudson.model.Result;
 import hudson.model.Slave;
 import hudson.model.queue.QueueTaskFuture;
 import hudson.slaves.EnvironmentVariablesNodeProperty;
+import org.apache.commons.lang.StringUtils;
 import org.jenkinsci.plugins.pipeline.StageStatus;
 import org.jenkinsci.plugins.workflow.actions.TagsAction;
 import org.jenkinsci.plugins.workflow.cps.CpsFlowDefinition;
@@ -415,12 +417,12 @@ public void parallelInput() throws Exception {
         InputAction a = b.getAction(InputAction.class);
         assertEquals(2, a.getExecutions().size());
 
-        InputStepExecution is1 = a.getExecution("One");
+        InputStepExecution is1 = a.getExecution(StringUtils.capitalize(Util.getDigestOf("One")));
         assertEquals("Continue One?", is1.getInput().getMessage());
         assertEquals(0, is1.getInput().getParameters().size());
         assertNull(is1.getInput().getSubmitter());
 
-        InputStepExecution is2 = a.getExecution("Two");
+        InputStepExecution is2 = a.getExecution(StringUtils.capitalize(Util.getDigestOf("Two")));
         assertEquals("Continue Two?", is2.getInput().getMessage());
         assertEquals(0, is2.getInput().getParameters().size());
         assertNull(is2.getInput().getSubmitter());

pipeline-model-definition/src/test/java/org/jenkinsci/plugins/pipeline/modeldefinition/StageInputTest.java

@@ -25,7 +25,9 @@
 package org.jenkinsci.plugins.pipeline.modeldefinition;
 
 import com.gargoylesoftware.htmlunit.html.*;
+import hudson.Util;
 import hudson.model.queue.QueueTaskFuture;
+import org.apache.commons.lang.StringUtils;
 import org.jenkinsci.plugins.pipeline.modeldefinition.parser.RuntimeASTTransformer;
 import org.jenkinsci.plugins.workflow.cps.CpsFlowDefinition;
 import org.jenkinsci.plugins.workflow.cps.CpsFlowExecution;
@@ -60,7 +62,7 @@ public void simpleInput() throws Exception {
         InputAction a = b.getAction(InputAction.class);
         assertEquals(1, a.getExecutions().size());
 
-        InputStepExecution is = a.getExecution("Foo");
+        InputStepExecution is = a.getExecution(StringUtils.capitalize(Util.getDigestOf("foo")));
         assertEquals("Continue?", is.getInput().getMessage());
         assertEquals(0, is.getInput().getParameters().size());
         assertNull(is.getInput().getSubmitter());
@@ -96,7 +98,7 @@ public void simpleInputWithOutsideVarAndFunc() throws Exception {
         InputAction a = b.getAction(InputAction.class);
         assertEquals(1, a.getExecutions().size());
 
-        InputStepExecution is = a.getExecution("Foo");
+        InputStepExecution is = a.getExecution(StringUtils.capitalize(Util.getDigestOf("foo")));
         assertEquals("Continue?", is.getInput().getMessage());
         assertEquals(0, is.getInput().getParameters().size());
         assertNull(is.getInput().getSubmitter());