
Key: QB-4249
Type: Bug
Status: Closed
Resolution: Won't Fix
Priority: Critical
Assignee: Robin Shen
Reporter: Pham Ngoc Anh
Votes: 0
Watchers: 0
QuickBuild

Pre-queue script leaks to REST API users when exception occurs

Created: Wednesday 03:00 AM   Updated: Yesterday 11:09 PM
Component/s: None
Affects Version/s: 14.0.0, 14.0.1, 14.0.2, 14.0.3, 14.0.4, 14.0.5, 13.0.45, 13.0.46, 13.0.47, 13.0.48, 13.0.49, 14.0.7, 14.0.8, 14.0.9, 14.0.10, 14.0.11, 10.0.44, 14.0.12, 14.0.13, 14.0.14, 14.0.15, 14.0.16, 14.0.17, 13.0.50, 14.0.18, 14.0.19, 14.0.20, 14.0.21, 14.0.22, 14.0.23, 14.0.25, 14.0.26, 14.0.27, 15.0.0, 15.0.1, 15.0.2, 15.0.3, 15.0.4, 15.0.5, 15.0.7, 14.0.28, 15.0.8, 14.0.29, 15.0.9, 15.0.10, 15.0.11, 15.0.12, 15.0.13, 14.0.30, 15.0.14, 15.0.15, 15.0.16, 15.0.17, 15.0.18, 15.0.19, 15.0.20, 14.0.31, 14.0.32, 15.0.22, 15.0.23, 15.0.24, 15.0.25, 15.0.26, 15.0.27, 15.0.28, 15.0.29, 15.0.31, 15.0.32, 14.0.33, 15.0.33, 15.0.34, 15.0.35, 15.0.36, 15.0.37, 15.0.38, 16.0.0-prerelease, 15.0.39, 15.0.40, 14.0.34, 14.0.35, 15.0.41, 16.0.0, 14.0.36, 14.0.37, 15.0.42, 16.0.1
Fix Version/s: None

Original Estimate: Unknown Remaining Estimate: Unknown Time Spent: Unknown


Description
## Problem

When a pre-queue script throws a `QuickbuildException`, REST API users receive the full script content in the error response, which is a security concern.

## Steps to Reproduce

__1. Create configuration with pre-queue script:__

```groovy
groovy:
import com.pmease.quickbuild.QuickbuildException
if (vars.getValue("HAVE_EXCEPTION")=="1")
    throw new QuickbuildException("There is an exception.")
```

__2. Trigger build via REST API:__

```xml
<com.pmease.quickbuild.BuildRequest>
    <configurationId>1</configurationId>
    <variables>
        <entry>
            <string>HAVE_EXCEPTION</string>
            <string>1</string>
        </entry>
    </variables>
</com.pmease.quickbuild.BuildRequest>
```

__3. Current Response (PROBLEM):__

```
Failed to evaluate below expression in configuration 'root/':
groovy:
import com.pmease.quickbuild.QuickbuildException
if (vars.getValue("HAVE_EXCEPTION")=="1")
    throw new QuickbuildException("There is an exception.")
```

__Full script is leaked!__ This exposes internal logic to external users.

## Expected Behavior

Response should only contain the error message, not the script:

```
Build request is ignored as pre-queue script returns error: + message of exception
```
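The two response formats above, side by side in a small Python model added here (not QuickBuild's own code): the "current" path echoes the whole script back to the REST caller, while the hardened path keeps the script and stack context in the server log and returns only the exception message. The evaluator, exception class and logger name are assumptions used to make the model runnable; the script text and message formats are taken from the report.

```python
import logging

log = logging.getLogger("prequeue")  # assumed logger name

# Constructed stand-in for the pre-queue script shown in the report.
PRE_QUEUE_SCRIPT = (
    "groovy:\n"
    "import com.pmease.quickbuild.QuickbuildException\n"
    'if (vars.getValue("HAVE_EXCEPTION")=="1")\n'
    '    throw new QuickbuildException("There is an exception.")\n'
)


class QuickbuildException(Exception):
    """Stand-in for com.pmease.quickbuild.QuickbuildException."""


def run_pre_queue(script, variables):
    """Toy evaluator: models only the branch the report exercises."""
    if variables.get("HAVE_EXCEPTION") == "1":
        raise QuickbuildException("There is an exception.")
    return "ok"


def leaking_response(script, configuration, exc):
    # Current behaviour from the report: the whole script is echoed to the client.
    return (f"Failed to evaluate below expression in configuration "
            f"'{configuration}':\n{script}")


def hardened_response(script, configuration, exc):
    # Debugging detail stays server-side; the client gets only the message,
    # matching the expected behaviour in the report.
    log.warning("Pre-queue script failed in %s: %s\n%s", configuration, exc, script)
    return f"Build request is ignored as pre-queue script returns error: {exc}"


def handle_build_request(configuration, variables, script=PRE_QUEUE_SCRIPT, hardened=True):
    """Queue a build unless the pre-queue script raises; return the client-facing text."""
    try:
        run_pre_queue(script, variables)
    except QuickbuildException as exc:
        fmt = hardened_response if hardened else leaking_response
        return fmt(script, configuration, exc)
    return "queued"


def leaks_script(response, script):
    """Regression check: does any non-blank script line appear verbatim in the response?"""
    lines = [l for l in script.splitlines() if l.strip() and l.strip() != "groovy:"]
    return any(l in response for l in lines)
```

The `leaks_script` check is the kind of assertion worth keeping in an API regression test, since the leak is in the error path rather than the success path.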


Robin Shen [18/Mar/26 05:41 AM]
These messages are printed to aid debugging the issue. Otherwise, it will be difficult to find out what is wrong. QB is also assumed to be used in a trusted environment, as any person with permission to commit code or write scripts is able to gain full control over the QB server.

Pham Ngoc Anh [18/Mar/26 06:29 AM]
Could you kindly try the reproduce steps in the UI and as a REST user?
When using the UI, QB shows "There is an exception."
But when using the REST API, it exposes the whole pre-queue script.

Robin Shen [18/Mar/26 10:34 PM]
Yes, the UI suppresses the exception details, and some of our users complain about this, as they cannot see the error details, and we plan to change that. Groovy scripts should not be treated as secret inside the organization after all. If your groovy script contains passwords or other sensitive data, use secret variables instead.

Pham Ngoc Anh [19/Mar/26 08:17 AM]
Thank you for checking this, @Robin Shen. I understand your position - the script details are meant for debugging in a trusted environment, and sensitive data should use secret variables.


Robin Shen [19/Mar/26 11:09 PM]
Thanks for your understanding of this.

Change by Robin Shen [19/Mar/26 11:09 PM]
Field Original Value New Value
Status Open [ 1 ] Closed [ 6 ]
Resolution Won't Fix [ 2 ]