JENKINS-54273: RAW HTML is shown in maven deployment links since 2.138.2

[bguerin]

No description provided.

[daniel-beck]

I recommend a detailed security review before merging this. A similar PR (re-)introduced a security vulnerability in another plugin, as the input was not actually safe.

[bguerin]

In this plugin the html passed to j:out is built inside the plugin itself :
https://github.com/jenkinsci/maven-deployment-linker-plugin/blob/master/src/main/java/hudson/plugins/mavendeploymentlinker/MavenDeploymentLinkerAction.java

[daniel-beck]

Please think about the data flow here.

The lastIndexOf/substring combination for the link label makes this minimally weird, but it's still really easy to exploit (hence output is starting with Uploading: / in the build log).

Build script that works on any Linux/Unix:

<project>
  <actions/>
  <description></description>
  <keepDependencies>false</keepDependencies>
  <properties/>
  <scm class="hudson.scm.NullSCM"/>
  <canRoam>true</canRoam>
  <disabled>false</disabled>
  <blockBuildWhenDownstreamBuilding>false</blockBuildWhenDownstreamBuilding>
  <blockBuildWhenUpstreamBuilding>false</blockBuildWhenUpstreamBuilding>
  <triggers/>
  <concurrentBuild>false</concurrentBuild>
  <builders>
    <hudson.tasks.Shell>
      <command>#!/bin/bash
cat &lt;&lt; FOO
Uploading: /&lt;img src=fail onerror=&quot;alert(&apos;the plugin processes the build log, and that needs to be considered untrusted&apos;);&quot;&gt;
FOO</command>
    </hudson.tasks.Shell>
  </builders>
  <publishers>
    <hudson.plugins.mavendeploymentlinker.MavenDeploymentLinkerRecorder plugin="maven-deployment-linker@1.6-SNAPSHOT">
      <regexp></regexp>
    </hudson.plugins.mavendeploymentlinker.MavenDeploymentLinkerRecorder>
  </publishers>
  <buildWrappers/>
</project>

[bguerin]

@daniel-beck added a java.net.URL parsing, if it fails, url will be escaped

[daniel-beck]

To bypass the protection in 3e44fe1:

Building in workspace /…/workspace/JENKINS-54273
[JENKINS-54273] $ /bin/bash /var/folders/39/ggldtdps6034ct7d_y6x4_v80000gn/T/jenkins5535853518735171775.sh
Uploading: https://example.org#/<img src=fail onerror="alert('the plugin processes the build log, and that needs to be considered untrusted');">
Finished: SUCCESS

Unfortunately I'm out of time here, so will not be able to test further attempts to fix this.

FWIW the approach in the plugin appears to be flawed and too cumbersome to make work, it should instead just add the links from the raw data in Jelly, rather than to insert a blob of questionable HTML.

[bguerin]

Agree with your point of view, I did not choose this way at first glance to avoid too many changes.
Will rework on it
Thanks for your time and help !

[bguerin]

PR reworked as suggested by @daniel-beck , his last attack is now harmless

[daniel-beck]

This does not disallow URLs with javascript: scheme, so I expect there's still an XSS vulnerability here.