[QB-4249] Pre-queue script leaks to REST API users when exception occurs
| Status: | Closed |
| Project: | QuickBuild |
| Component/s: | None |
| Affects Version/s: | 14.0.0, 14.0.1, 14.0.2, 14.0.3, 14.0.4, 14.0.5, 13.0.45, 13.0.46, 13.0.47, 13.0.48, 13.0.49, 14.0.7, 14.0.8, 14.0.9, 14.0.10, 14.0.11, 10.0.44, 14.0.12, 14.0.13, 14.0.14, 14.0.15, 14.0.16, 14.0.17, 13.0.50, 14.0.18, 14.0.19, 14.0.20, 14.0.21, 14.0.22, 14.0.23, 14.0.25, 14.0.26, 14.0.27, 15.0.0, 15.0.1, 15.0.2, 15.0.3, 15.0.4, 15.0.5, 15.0.7, 14.0.28, 15.0.8, 14.0.29, 15.0.9, 15.0.10, 15.0.11, 15.0.12, 15.0.13, 14.0.30, 15.0.14, 15.0.15, 15.0.16, 15.0.17, 15.0.18, 15.0.19, 15.0.20, 14.0.31, 14.0.32, 15.0.22, 15.0.23, 15.0.24, 15.0.25, 15.0.26, 15.0.27, 15.0.28, 15.0.29, 15.0.31, 15.0.32, 14.0.33, 15.0.33, 15.0.34, 15.0.35, 15.0.36, 15.0.37, 15.0.38, 16.0.0-prerelease, 15.0.39, 15.0.40, 14.0.34, 14.0.35, 15.0.41, 16.0.0, 14.0.36, 14.0.37, 15.0.42, 16.0.1 |
| Fix Version/s: | None |
| Type: | Bug | Priority: | Critical |
| Reporter: | Pham Ngoc Anh | Assigned To: | Robin Shen |
| Resolution: | Won't Fix | Votes: | 0 |
| Remaining Estimate: | Unknown | Time Spent: | Unknown |
| Original Estimate: | Unknown | ||
| Description |
|
## Problem
When a pre-queue script throws a `QuickbuildException`, REST API users receive the full script content in the error response, which is a security concern.

## Steps to Reproduce

__1. Create configuration with pre-queue script:__

```groovy
groovy:
import com.pmease.quickbuild.QuickbuildException
if (vars.getValue("HAVE_EXCEPTION")=="1")
    throw new QuickbuildException("There is an exception.")
```

__2. Trigger build via REST API:__

```xml
<com.pmease.quickbuild.BuildRequest>
  <configurationId>1</configurationId>
  <variables>
    <entry>
      <string>HAVE_EXCEPTION</string>
      <string>1</string>
    </entry>
  </variables>
</com.pmease.quickbuild.BuildRequest>
```

__3. Current Response (PROBLEM):__

```
Failed to evaluate below expression in configuration 'root/':
groovy:
import com.pmease.quickbuild.QuickbuildException
if (vars.getValue("HAVE_EXCEPTION")=="1")
    throw new QuickbuildException("There is an exception.")
```

__Full script is leaked!__ This exposes internal logic to external users.

## Expected Behavior

Response should only contain the error message, not the script:

```
Build request is ignored as pre-queue script returns error: + message of exception
```
|
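The two responses contrasted above come down to what the REST layer does with the evaluation failure. As an added illustration, not QuickBuild's own code, the following Java sketch shows the leaking pattern (script body concatenated into the client-facing message) beside a hardened one that writes the full context to the server log under a correlation id and returns only the exception message; the `Evaluator` interface, class name and log format are assumed stand-ins.

```java
import java.util.UUID;
import java.util.logging.Logger;

// Constructed example, not QuickBuild code: keep the script body on the server side of an error.
public class ScriptErrorHandling {
    private static final Logger LOG = Logger.getLogger(ScriptErrorHandling.class.getName());

    /** Assumed stand-in for the server's script engine (the real one evaluates Groovy). */
    @FunctionalInterface
    interface Evaluator { Object eval(String script) throws Exception; }

    /** Leaking pattern: the whole script is embedded in the message handed to the REST client. */
    static String vulnerableResponse(String configPath, String script, Evaluator evaluator) {
        try {
            evaluator.eval(script);
            return "queued";
        } catch (Exception e) {
            return "Failed to evaluate below expression in configuration '" + configPath + "':\n"
                    + script + "\nCaused by: " + e.getMessage();
        }
    }

    /** Hardened pattern: full detail goes to the server log; the client gets message plus a reference id. */
    static String hardenedResponse(String configPath, String script, Evaluator evaluator) {
        try {
            evaluator.eval(script);
            return "queued";
        } catch (Exception e) {
            String id = UUID.randomUUID().toString();
            LOG.severe(() -> "[" + id + "] pre-queue script failed in configuration '"
                    + configPath + "':\n" + script + "\n" + e);
            String msg = e.getMessage() == null ? e.getClass().getSimpleName() : e.getMessage();
            return "Build request is ignored as pre-queue script returns error: " + msg
                    + " (server log reference " + id + ")";
        }
    }

    /** Regression check a team could keep: does a client-facing response contain the script text? */
    static boolean leaksScript(String response, String script) {
        return response.contains(script.trim());
    }

    public static void main(String[] args) {
        String script = "groovy:\nimport com.pmease.quickbuild.QuickbuildException\n"
                + "if (vars.getValue(\"HAVE_EXCEPTION\")==\"1\") throw new QuickbuildException(\"There is an exception.\")";
        Evaluator failing = s -> { throw new RuntimeException("There is an exception."); };
        String bad = vulnerableResponse("root/", script, failing);
        String good = hardenedResponse("root/", script, failing);
        System.out.println("vulnerable leaks script: " + leaksScript(bad, script));   // true
        System.out.println("hardened leaks script:   " + leaksScript(good, script));  // false
        System.out.println(good);
    }
}
```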
| Comments |
| Comment by Robin Shen [ 18/Mar/26 05:41 AM ] |
| These messages are printed to aid debugging the issue. Otherwise, it will be difficult to find out what is wrong. QB is also assumed to be used in a trusted environment, as any person with permission to commit code or write scripts is able to gain full control over the QB server. |
| Comment by Pham Ngoc Anh [ 18/Mar/26 06:29 AM ] |
|
Could you kindly try the reproduce steps in the UI and as a REST user.
When using the UI, QB shows "There is an exception." But when using the REST API, it exposes all of the pre-queue script. |
| Comment by Robin Shen [ 18/Mar/26 10:34 PM ] |
| Yes, the UI suppresses the exception details, and some of our users complain about this, as they cannot see the error details, and we plan to change that. Groovy script should not be treated as secret inside the organization after all. If your groovy script contains a password or other sensitive data, use a secret variable instead. |
| Comment by Pham Ngoc Anh [ 19/Mar/26 08:17 AM ] |
|
Thank you for checking this, @Robin Shen. I understand your position - the script details are meant for debugging in a trusted environment, and sensitive data should use secret variables.
|
| Comment by Robin Shen [ 19/Mar/26 11:09 PM ] |
| Thanks for your understanding of this. |