|
18 | 18 | import java.util.*; |
19 | 19 | import java.util.logging.Level; |
20 | 20 | import java.util.logging.Logger; |
| 21 | +import java.util.regex.Pattern; |
21 | 22 | import javax.servlet.ServletException; |
22 | 23 | import javax.servlet.http.HttpServletRequest; |
23 | 24 |
|
|
28 | 29 | import jenkins.triggers.SCMTriggerItem; |
29 | 30 | import org.apache.commons.lang.StringUtils; |
30 | 31 | import static org.apache.commons.lang.StringUtils.isNotEmpty; |
| 32 | + |
31 | 33 | import org.eclipse.jgit.transport.RemoteConfig; |
32 | 34 | import org.eclipse.jgit.transport.URIish; |
33 | 35 | import org.kohsuke.stapler.*; |
@@ -115,7 +117,10 @@ public HttpResponse doNotifyCommit(HttpServletRequest request, @QueryParameter(r |
115 | 117 | @QueryParameter(required=false) String sha1) throws ServletException, IOException { |
116 | 118 | lastURL = url; |
117 | 119 | lastBranches = branches; |
118 | | - lastSHA1 = sha1; |
| 120 | + if(StringUtils.isNotBlank(sha1)&&!SHA1_PATTERN.matcher(sha1.trim()).matches()){ |
| 121 | + return HttpResponses.error(SC_BAD_REQUEST, new IllegalArgumentException("Illegal SHA1")); |
| 122 | + } |
| 123 | + lastSHA1 = cleanupSha1(sha1); |
119 | 124 | lastBuildParameters = null; |
120 | 125 | GitStatus.clearLastStaticBuildParameters(); |
121 | 126 | URIish uri; |
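Review bot: The accept test on line 120 bounds only the alphabet, not the length: `SHA1_PATTERN` is `[a-fA-F0-9]++` with no upper bound, so an arbitrarily long hex string is still accepted and stored in `lastSHA1`. A full SHA-1 is 40 hex digits and abbreviated forms are shorter, so `Pattern.compile("[a-fA-F0-9]{1,40}")` would reject oversized input while still allowing the compact form the pattern's comment mentions (under `matches()` the possessive `++` behaves no differently from `+`). The rejection path `HttpResponses.error(SC_BAD_REQUEST, new IllegalArgumentException("Illegal SHA1"))` renders the throwable, which in Stapler writes its stack trace into the response body; a message-only reply such as `HttpResponses.errorWithoutStack(SC_BAD_REQUEST, "Illegal SHA1")`, if the Stapler version in use provides it, keeps server internals out of the reply to an unauthenticated caller. The compact `if(...&&!...){` also departs from the surrounding `if (...) {` spacing. doNotifyCommit continues outside the hunk, so whether the raw `sha1` or the cleaned value is what gets forwarded to listeners is not visible here.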
@@ -316,6 +321,7 @@ public static class JenkinsAbstractProjectListener extends Listener { |
316 | 321 | */ |
317 | 322 | @Override |
318 | 323 | public List<ResponseContributor> onNotifyCommit(String origin, URIish uri, String sha1, List<ParameterValue> buildParameters, String... branches) { |
| 324 | + sha1 = cleanupSha1(sha1); |
319 | 325 | if (LOGGER.isLoggable(Level.FINE)) { |
320 | 326 | LOGGER.log(Level.FINE, "Received notification from {0} for uri = {1} ; sha1 = {2} ; branches = {3}", |
321 | 327 | new Object[]{StringUtils.defaultIfBlank(origin, "?"), uri, sha1, Arrays.toString(branches)}); |
@@ -594,15 +600,27 @@ public static class CommitHookCause extends Cause { |
594 | 600 | public final String sha1; |
595 | 601 |
|
596 | 602 | public CommitHookCause(String sha1) { |
597 | | - this.sha1 = sha1; |
| 603 | + this.sha1 = cleanupSha1(sha1); |
598 | 604 | } |
599 | 605 |
|
600 | 606 | @Override |
601 | 607 | public String getShortDescription() { |
602 | | - return "commit notification " + sha1; |
| 608 | + return "commit notification " + cleanupSha1(sha1); |
603 | 609 | } |
604 | 610 | } |
605 | 611 |
|
| 612 | + public static final Pattern SHA1_PATTERN = Pattern.compile("[a-fA-F0-9]++"); // we should have {40} but some compact sha1 |
| 613 | + |
| 614 | + public static final Pattern CLEANER_SHA1_PATTERN = Pattern.compile("[^a-fA-F0-9]"); |
| 615 | + |
| 616 | + /** |
| 617 | + * @param sha1 the String to cleanup |
| 618 | + * @return the String with all non hexa characters removed |
| 619 | + */ |
| 620 | + private static String cleanupSha1(String sha1){ |
| 621 | + return sha1 == null?null:CLEANER_SHA1_PATTERN.matcher(sha1.trim()).replaceAll(""); |
| 622 | + } |
| 623 | + |
606 | 624 | private static final Logger LOGGER = Logger.getLogger(GitStatus.class.getName()); |
607 | 625 | private static final int MAX_REPORTED_CONTRIBUTORS = 10; |
608 | 626 |
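Review bot: `getShortDescription()` on line 608 re-runs `cleanupSha1` on a field the constructor on line 603 already cleaned, and nothing says why; presumably it covers `CommitHookCause` instances persisted before this change, whose `sha1` was stored raw, but that should be stated. A comment such as `// re-clean: causes persisted before the constructor sanitised sha1 may still hold a raw value` would stop the next maintainer from removing the apparently redundant call. The comment on `SHA1_PATTERN` reads as if the missing `{40}` were an oversight; rewording it to `// no {40}: abbreviated SHA-1 prefixes are accepted as well` makes the intent explicit. `cleanupSha1` turns a whitespace-only input into the empty string rather than null, which callers that only test for null will not notice — worth recording in its `@return` line.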
|
|