SECURITY-3047

(cherry picked from commit 5f3d83c)
jenkinsci · May 12, 2023 · 45175e1 · 45175e1
1 parent ef28e88
commit 45175e1
Show file tree

Hide file tree

Showing 7 changed files with 49 additions and 18 deletions.
diff --git a/src/main/java/hudson/plugins/testng/parser/ResultsParser.java b/src/main/java/hudson/plugins/testng/parser/ResultsParser.java
@@ -1,6 +1,7 @@
 package hudson.plugins.testng.parser;
 
 import hudson.FilePath;
+import hudson.Util;
 import hudson.plugins.testng.results.ClassResult;
 import hudson.plugins.testng.results.MethodResult;
 import hudson.plugins.testng.results.MethodResultException;
@@ -314,7 +315,7 @@ private void startLine() {
 
     private void endLine() {
         if (currentMethod != null) {
-            reporterOutputBuilder.append(currentLine).append("<br/>");
+            reporterOutputBuilder.append(Util.escape(currentLine)).append("<br/>");
         }
     }
 

diff --git a/src/main/java/hudson/plugins/testng/results/PackageResult.java b/src/main/java/hudson/plugins/testng/results/PackageResult.java
@@ -1,6 +1,7 @@
 package hudson.plugins.testng.results;
 
 import edu.umd.cs.findbugs.annotations.SuppressFBWarnings;
+import hudson.Util;
 import hudson.model.Run;
 import hudson.plugins.testng.util.FormatUtil;
 import java.util.ArrayList;
@@ -142,19 +143,19 @@ private String getMethodExecutionTableContent(List<MethodResult> mrList) {
 
         for (MethodResult mr : mrList) {
             sb.append("<tr><td align=\"left\">");
-            sb.append("<a href=\"").append(mr.getUpUrl()).append("\">");
-            sb.append(mr.getParent().getName()).append(".").append(mr.getName());
+            sb.append("<a href=\"").append(Util.escape(mr.getUpUrl())).append("\">");
+            sb.append(Util.escape(mr.getParent().getName())).append(".").append(Util.escape(mr.getName()));
             sb.append("</a>");
             sb.append("</td><td align=\"left\">");
-            sb.append(mr.getDescription());
+            sb.append(Util.escape(mr.getDescription()));
             sb.append("</td><td align=\"center\">");
             sb.append(FormatUtil.formatTime(mr.getDuration()));
             sb.append("</td><td align=\"center\">");
             sb.append(mr.getStartedAt());
             sb.append("</td><td align=\"center\"><span class=\"")
                     .append(mr.getCssClass())
                     .append("\">");
-            sb.append(mr.getStatus());
+            sb.append(Util.escape(mr.getStatus()));
             sb.append("</span></td></tr>");
         }
         return sb.toString();

diff --git a/src/main/java/hudson/plugins/testng/util/FormatUtil.java b/src/main/java/hudson/plugins/testng/util/FormatUtil.java
@@ -79,6 +79,25 @@ public static String escapeString(String str) {
         return str;
     }
 
+    public static String escapeJS(String str) {
+        if (str == null) {
+            return "";
+        }
+        StringBuilder buf = new StringBuilder(str.length() + 64);
+        for (int i = 0; i < str.length(); i++) {
+            char ch = str.charAt(i);
+            if (ch == '<') buf.append("&lt;");
+            else if (ch == '>') buf.append("&gt;");
+            else if (ch == '&') buf.append("&amp;");
+            else if (ch == '\'') buf.append("&apos;");
+            else if (ch == '\"') buf.append("&quot;");
+            else if (ch == ':') buf.append("&#58;");
+            else if (ch == '%') buf.append("&#37;");
+            else buf.append(ch);
+        }
+        return buf.toString();
+    }
+
     /**
      * Formats the stack trace for easier readability
      *

diff --git a/src/main/java/hudson/plugins/testng/util/TestResultHistoryUtil.java b/src/main/java/hudson/plugins/testng/util/TestResultHistoryUtil.java
@@ -1,5 +1,6 @@
 package hudson.plugins.testng.util;
 
+import hudson.Util;
 import hudson.model.Run;
 import hudson.plugins.testng.TestNGTestResultBuildAction;
 import hudson.plugins.testng.results.ClassResult;
@@ -108,8 +109,8 @@ private static String printTestsUrls(List<MethodResult> methodResults) {
                         htmlStr.append("</OL></LI>");
                     }
                     firstGroup = false;
-                    testName = methodResult.getParentTestName();
-                    suiteName = methodResult.getParentSuiteName();
+                    testName = Util.escape(methodResult.getParentTestName());
+                    suiteName = Util.escape(methodResult.getParentSuiteName());
                     htmlStr.append("<LI style=\"list-style-type:none\"><b>")
                             .append(suiteName)
                             .append(" / ")
@@ -119,12 +120,14 @@ private static String printTestsUrls(List<MethodResult> methodResults) {
                 }
                 htmlStr.append("<LI>");
                 if (methodResult.getParent() instanceof ClassResult) {
-                    htmlStr.append("<a href=\"").append(methodResult.getUpUrl());
+                    htmlStr.append("<a href=\"").append(Util.escape(methodResult.getUpUrl()));
                     htmlStr.append("\">");
-                    htmlStr.append(((ClassResult) methodResult.getParent()).getCanonicalName());
-                    htmlStr.append(".").append(methodResult.getName()).append("</a>");
+                    htmlStr.append(Util.escape(((ClassResult) methodResult.getParent()).getCanonicalName()));
+                    htmlStr.append(".")
+                            .append(Util.escape(methodResult.getName()))
+                            .append("</a>");
                 } else {
-                    htmlStr.append(methodResult.getName());
+                    htmlStr.append(Util.escape(methodResult.getName()));
                 }
                 htmlStr.append("</LI>");
                 testIndex++;

diff --git a/src/main/resources/hudson/plugins/testng/TestNGTestResultBuildAction/reportDetail.groovy b/src/main/resources/hudson/plugins/testng/TestNGTestResultBuildAction/reportDetail.groovy
@@ -1,5 +1,6 @@
 package hudson.plugins.testng.TestNGTestResultBuildAction
 
+import hudson.Functions
 import hudson.plugins.testng.util.FormatUtil
 
 f = namespace(lib.FormTagLib)
@@ -29,12 +30,14 @@ if (my.result.failCount != 0) {
         }
         tbody() {
             for (failedTest in my.result.failedTests) {
+                def failedTestSafeId = Functions.jsStringEscape(failedTest.id)
+                def failedTestSafeUpUrl = Functions.jsStringEscape(failedTest.upUrl)
                 tr() {
                     td(align: "left") {
-                        a(id: "${failedTest.id}-showlink", href:"javascript:showStackTrace('${failedTest.id}', '${failedTest.upUrl}/summary')") {
+                        a(id: "${failedTest.id}-showlink", href:"javascript:showStackTrace('${failedTestSafeId}', '${failedTestSafeUpUrl}/summary')") {
                             text(">>>")
                         }
-                        a(style: "display:none", id: "${failedTest.id}-hidelink", href:"javascript:hideStackTrace('${failedTest.id}')") {
+                        a(style: "display:none", id: "${failedTest.id}-hidelink", href:"javascript:hideStackTrace('${failedTestSafeId}')") {
                             text("<<<")
                         }
                         text(" ")
@@ -114,7 +117,7 @@ table(id:"all-tbl", border:"1px", class:"pane sortable") {
             def prevPkg = pkg.previousResult
             tr() {
                 td(align: "left") {
-                    a(href:"${pkg.name}") { text("${pkg.name}") }
+                    a(href:"${FormatUtil.escapeJS(pkg.name)}") { text("${pkg.name}") }
                 }
                 td(align: "center") {
                     text("${FormatUtil.formatTime(pkg.duration)}")
@@ -168,13 +171,15 @@ def printMethods(type, tableName, methodList, showMoreArrows) {
         }
         tbody() {
             for (method in methodList) {
+                def methodSafeId = Functions.jsStringEscape(method.id)
+                def methodSafeUpUrl = Functions.jsStringEscape(method.upUrl)
                 tr() {
                     td(align: "left") {
                         if (showMoreArrows) {
-                            a(id: "${method.id}-showlink", href:"javascript:showStackTrace('${method.id}', '${method.upUrl}/summary')") {
+                            a(id: "${method.id}-showlink", href:"javascript:showStackTrace('${methodSafeId}', '${methodSafeUpUrl}/summary')") {
                                 text(">>>")
                             }
-                            a(style: "display:none", id: "${method.id}-hidelink", href:"javascript:hideStackTrace('${method.id}')") {
+                            a(style: "display:none", id: "${method.id}-hidelink", href:"javascript:hideStackTrace('${methodSafeId}')") {
                                 text("<<<")
                             }
                             text(" ")

diff --git a/src/main/resources/hudson/plugins/testng/results/ClassResult/reportDetail.groovy b/src/main/resources/hudson/plugins/testng/results/ClassResult/reportDetail.groovy
@@ -1,5 +1,6 @@
 package hudson.plugins.testng.results.ClassResult
 
+import hudson.Functions
 import hudson.plugins.testng.util.FormatUtil
 import org.apache.commons.lang.StringUtils
 
@@ -43,6 +44,7 @@ for (group in my.testRunMap.values()) {
                 }
                 tbody() {
                     for(method in group.testMethods) {
+                        def methodJsSafeName = Functions.jsStringEscape(method.safeName)
                         tr() {
                             td(align:"left") {
                                 a(href:"${method.upUrl}") {
@@ -51,7 +53,7 @@ for (group in my.testRunMap.values()) {
                                 if (method.groups || method.testInstanceName || method.parameters?.size() > 0) {
                                     div(id:"${method.safeName}_1", style:"display:inline") {
                                         text(" (")
-                                        a(href:"javascript:showMore(\"${method.safeName}\")") {
+                                        a(href:"javascript:showMore(\"${methodJsSafeName}\")") {
                                             raw("&hellip;")
                                         }
                                         text(")")

diff --git a/src/main/resources/hudson/plugins/testng/results/MethodResult/summary.jelly b/src/main/resources/hudson/plugins/testng/results/MethodResult/summary.jelly
@@ -13,7 +13,7 @@
             <j:otherwise>
                 <j:if test="${it.errorStackTrace != null}">
                     <h3>Stack Trace</h3>
-                    <pre><j:out value="${it.errorStackTrace}"/></pre>
+                    <pre><st:out value="${it.errorStackTrace}"/></pre>
                 </j:if>
             </j:otherwise>
       </j:choose>