|
If you were logged in you would be able to see more operations.
|
|
|
QuickBuild
Created: Wednesday 03:00 AM
Updated: Yesterday 11:09 PM
|
|
| Component/s: |
None
|
| Affects Version/s: |
14.0.0,
14.0.1,
14.0.2,
14.0.3,
14.0.4,
14.0.5,
13.0.45,
13.0.46,
13.0.47,
13.0.48,
13.0.49,
14.0.7,
14.0.8,
14.0.9,
14.0.10,
14.0.11,
10.0.44,
14.0.12,
14.0.13,
14.0.14,
14.0.15,
14.0.16,
14.0.17,
13.0.50,
14.0.18,
14.0.19,
14.0.20,
14.0.21,
14.0.22,
14.0.23,
14.0.25,
14.0.26,
14.0.27,
15.0.0,
15.0.1,
15.0.2,
15.0.3,
15.0.4,
15.0.5,
15.0.7,
14.0.28,
15.0.8,
14.0.29,
15.0.9,
15.0.10,
15.0.11,
15.0.12,
15.0.13,
14.0.30,
15.0.14,
15.0.15,
15.0.16,
15.0.17,
15.0.18,
15.0.19,
15.0.20,
14.0.31,
14.0.32,
15.0.22,
15.0.23,
15.0.24,
15.0.25,
15.0.26,
15.0.27,
15.0.28,
15.0.29,
15.0.31,
15.0.32,
14.0.33,
15.0.33,
15.0.34,
15.0.35,
15.0.36,
15.0.37,
15.0.38,
16.0.0-prerelease,
15.0.39,
15.0.40,
14.0.34,
14.0.35,
15.0.41,
16.0.0,
14.0.36,
14.0.37,
15.0.42,
16.0.1
|
| Fix Version/s: |
None
|
|
|
Original Estimate:
|
Unknown
|
Remaining Estimate:
|
Unknown
|
Time Spent:
|
Unknown
|
|
|
## Problem
When a pre-queue script throws a `QuickbuildException`, REST API users receive the full script content in the error response, which is a security concern.
## Steps to Reproduce
__1. Create configuration with pre-queue script:__
```groovy
groovy:
import com.pmease.quickbuild.QuickbuildException
if (vars.getValue("HAVE_EXCEPTION")=="1")
throw new QuickbuildException("There is an exception.")
```
__2. Trigger build via REST API:__
```xml
<com.pmease.quickbuild.BuildRequest>
<configurationId>1</configurationId>
<variables>
<entry>
<string>HAVE_EXCEPTION</string>
<string>1</string>
</entry>
</variables>
</com.pmease.quickbuild.BuildRequest>
```
__3. Current Response (PROBLEM):__
```
Failed to evaluate below expression in configuration 'root/':
groovy:
import com.pmease.quickbuild.QuickbuildException
if (vars.getValue("HAVE_EXCEPTION")=="1")
throw new QuickbuildException("There is an exception.")
```
__Full script is leaked!__ This exposes internal logic to external users.
## Expected Behavior
Response should only contain the error message, not the script:
```
Build request is ignored as pre-queue script returns error: + message of exception
```
|
|
Description
|
## Problem
When a pre-queue script throws a `QuickbuildException`, REST API users receive the full script content in the error response, which is a security concern.
## Steps to Reproduce
__1. Create configuration with pre-queue script:__
```groovy
groovy:
import com.pmease.quickbuild.QuickbuildException
if (vars.getValue("HAVE_EXCEPTION")=="1")
throw new QuickbuildException("There is an exception.")
```
__2. Trigger build via REST API:__
```xml
<com.pmease.quickbuild.BuildRequest>
<configurationId>1</configurationId>
<variables>
<entry>
<string>HAVE_EXCEPTION</string>
<string>1</string>
</entry>
</variables>
</com.pmease.quickbuild.BuildRequest>
```
__3. Current Response (PROBLEM):__
```
Failed to evaluate below expression in configuration 'root/':
groovy:
import com.pmease.quickbuild.QuickbuildException
if (vars.getValue("HAVE_EXCEPTION")=="1")
throw new QuickbuildException("There is an exception.")
```
__Full script is leaked!__ This exposes internal logic to external users.
## Expected Behavior
Response should only contain the error message, not the script:
```
Build request is ignored as pre-queue script returns error: + message of exception
```
|
Show » |
|
Change by Robin Shen [19/Mar/26 11:09 PM]
|
| Field |
Original Value |
New Value |
|
Status
|
Open
[ 1
]
|
Closed
[ 6
]
|
|
Resolution
|
|
Won't Fix
[ 2
]
|
|
Bug
Closed
Critical
Pre-queue script leaks to REST API users when exception occurs