Sanitise various parameters before passing to groovy sh (#873)

🤞🏻 Signed-off-by: Stewart X Addison <[email protected]>
adoptium · Jan 8, 2024 · 8f12123 · 8f12123
1 parent 7a9dc7a
commit 8f12123
Show file tree

Hide file tree

Showing 3 changed files with 14 additions and 0 deletions.
diff --git a/pipelines/build/common/build_base_file.groovy b/pipelines/build/common/build_base_file.groovy
@@ -906,6 +906,11 @@ class Builder implements Serializable {
  //Remove the previous artifacts
  try {
  context.timeout(time: pipelineTimeouts.REMOVE_ARTIFACTS_TIMEOUT, unit: 'HOURS') {
+ if ( ! ( "${config.TARGET_OS}" ==~ /^[A-Za-z0-9\/\.-_]$/ ) ||
+ ! ( "${config.ARCHITECTURE}" ==~ /^[A-Za-z0-9\/\.-_]$/ ) ||
+ ! ( "${config.VARIANT}" ==~ /^[A-Za-z0-9\/\.-_]$/ ) ) {
+ throw new Exception("[ERROR] Dubious character in TARGET_OS, ARCHITECTURE or VARIANT - aborting");
+ }
  context.sh "rm -rf target/${config.TARGET_OS}/${config.ARCHITECTURE}/${config.VARIANT}/"
  }
  } catch (FlowInterruptedException e) {

diff --git a/pipelines/build/common/openjdk_build_pipeline.groovy b/pipelines/build/common/openjdk_build_pipeline.groovy
@@ -1883,7 +1883,12 @@ class Build {
  label = 'codebuild'
  }
 
+
  context.println "[NODE SHIFT] MOVING INTO DOCKER NODE MATCHING LABELNAME ${label}..."
+ if ( ! ( "${buildConfig.DOCKER_IMAGE}" ==~ /^[A-Za-z0-9\/\.-_]*$/ ) ||
+ ! ( "${buildConfig.DOCKER_ARGS}" ==~ /^[A-Za-z0-9\/\.-_]*$/ ) ) {
+ throw new Exception("[ERROR] Dubious characters in DOCKER* parameters ${buildConfig.DOCKER_IMAGE}/${buildConfig.DOCKER_ARGS} - aborting");
+ }
  context.node(label) {
  addNodeToBuildDescription()
  // Cannot clean workspace from inside docker container
@@ -1911,6 +1916,7 @@ class Build {
  if (buildConfig.DOCKER_CREDENTIAL) {
  context.docker.withRegistry(buildConfig.DOCKER_REGISTRY, buildConfig.DOCKER_CREDENTIAL) {
  if (buildConfig.DOCKER_ARGS) {
+
  context.sh(script: "docker pull ${buildConfig.DOCKER_IMAGE} ${buildConfig.DOCKER_ARGS}")
  } else {
  context.docker.image(buildConfig.DOCKER_IMAGE).pull()

diff --git a/pipelines/build/openjdk_pipeline.groovy b/pipelines/build/openjdk_pipeline.groovy
@@ -32,6 +32,9 @@ node('worker') {
  if (params.jdkVersion == '8' && params.targetConfigurations.contains('arm32Linux')) {
  propertyFile = 'testenv_arm32.properties'
  }
+ if ( ! ( "${params.aqareference}" ==~ /^[A-Za-z0-9\/\.-_]$/ ) ) {
+ throw new Exception("[ERROR] Dubious characters in aqa reference - aborting");
+ }
  sh("curl -Os https://raw.githubusercontent.com/adoptium/aqa-tests/${params.aqaReference}/testenv/${propertyFile}")
 
  def buildTag = params.scmReference