From 35dcfdd0c20dc1f3e08c11aa28d277e898996994 Mon Sep 17 00:00:00 2001
From: Chas Honton
Date: Sun, 4 Dec 2022 11:59:50 -0800
Subject: [PATCH] Remediate CVE-2022-27204 by removing capability to use arbitrary URL to fetch properties. (#61)

The propertyFile param can no longer be a URL and must be a file path. The URL capability was not a documented feature.
---
 .../ExtendedChoiceParameterDefinition.java | 53 ++++--------------
 1 file changed, 11 insertions(+), 42 deletions(-)

diff --git a/src/main/java/com/cwctravel/hudson/plugins/extended_choice_parameter/ExtendedChoiceParameterDefinition.java b/src/main/java/com/cwctravel/hudson/plugins/extended_choice_parameter/ExtendedChoiceParameterDefinition.java
index 645cc77c..f098c3b3 100644
--- a/src/main/java/com/cwctravel/hudson/plugins/extended_choice_parameter/ExtendedChoiceParameterDefinition.java
+++ b/src/main/java/com/cwctravel/hudson/plugins/extended_choice_parameter/ExtendedChoiceParameterDefinition.java
@@ -47,7 +47,6 @@
 import org.acegisecurity.Authentication;
 import org.acegisecurity.context.SecurityContextHolder;
 import org.apache.commons.codec.digest.DigestUtils;
-import org.apache.commons.io.IOUtils;
 import org.apache.commons.lang.StringUtils;
 import org.apache.tools.ant.BuildException;
 import org.apache.tools.ant.Project;
@@ -137,12 +136,11 @@ public FormValidation doCheckPropertyFile(@QueryParameter final String propertyF
 property.setFile(prop);
 }
 else {
- URL propertyFileUrl = new URL(propertyFile);
- property.setUrl(propertyFileUrl);
+ return FormValidation.warning(Messages.ExtendedChoiceParameterDefinition_PropertyFileDoesntExist(), propertyFile);
 }
 property.execute();
 }
- catch(MalformedURLException | BuildException e) {
+ catch(BuildException e) {
 return FormValidation.warning(Messages.ExtendedChoiceParameterDefinition_PropertyFileDoesntExist(), propertyFile);
 }
 
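Review bot: doCheckPropertyFile still loads whatever controller-side path the `propertyFile` query parameter names into an Ant Property (`property.setFile(prop)` followed by `property.execute()`), so the method needs a permission check before it touches the filesystem; the method starts before this hunk, so whether such a check exists cannot be confirmed from here. The condition that picks the `if` branch is likewise outside the hunk, so it is not visible whether `prop` is tested with `exists()` or `isFile()` before being handed to Ant. As a point of style, the new else branch and the `catch(BuildException e)` block now return the identical `FormValidation.warning(...)`; testing the file up front, e.g. `if (!prop.isFile()) { return FormValidation.warning(Messages.ExtendedChoiceParameterDefinition_PropertyFileDoesntExist(), propertyFile); }`, would leave the catch block as the only place reporting an Ant load failure.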
@@ -657,23 +655,12 @@ private String computeValue(String value, String propertyFilePath, String proper
 try {
 String resolvedPropertyFilePath = expandVariables(propertyFilePath);
 File propertyFile = new File(resolvedPropertyFilePath);
- if(propertyFile.exists()) {
- Project project = new Project();
- Property property = new Property();
- property.setProject(project);
- property.setFile(propertyFile);
- property.execute();
- return project.getProperty(propertyKey);
- }
- else {
- Project project = new Project();
- Property property = new Property();
- property.setProject(project);
- URL propertyFileUrl = new URL(resolvedPropertyFilePath);
- property.setUrl(propertyFileUrl);
- property.execute();
- return project.getProperty(propertyKey);
- }
+ Project project = new Project();
+ Property property = new Property();
+ property.setProject(project);
+ property.setFile(propertyFile);
+ property.execute();
+ return project.getProperty(propertyKey);
 }
 catch(Exception e) {
 LOGGER.log(Level.SEVERE, e.getMessage(), e);
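Review bot: With the `propertyFile.exists()` branch removed, a resolved path that is not a file now goes straight into `property.setFile(propertyFile)` and `property.execute()`, so the outcome for a missing file rests on how Ant's Property task handles it (it appears to only log and leave the key unset, so `getProperty` would yield null) rather than on an explicit decision in this method; worth confirming, and making explicit with a guard of the form `if (!propertyFile.isFile()) { ... }` that produces the same result the catch block does. The catch block continues past the hunk, as does the rest of computeValue, so that result is not visible here. The Project/Property/setFile/execute sequence is now repeated in this method and in doCheckPropertyFile; a private static helper taking a File and returning the populated Project would remove the duplication. The same dropped guard appears in the calculateChoicesByDropdownId hunk, where a missing path instead surfaces as an IOException from `Files.newInputStream`.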
@@ -938,28 +925,10 @@ private ArrayList columnIndicesForDropDowns(String[] headerColumns) {
 Map> calculateChoicesByDropdownId() throws Exception {
 String resolvedPropertyFile = expandVariables(propertyFile);
 File file = new File(resolvedPropertyFile);
- List fileLines = Collections.emptyList();
+ List fileLines;
 CSVParser csvParser = new CSVParserBuilder().withSeparator('\t').build();
- if(file.isFile()) {
- CSVReader csvReader = null;
- try {
- csvReader = new CSVReaderBuilder(new InputStreamReader(Files.newInputStream(file.toPath()), StandardCharsets.UTF_8)).withCSVParser(csvParser).build();
- fileLines = csvReader.readAll();
- }
- finally {
- IOUtils.closeQuietly(csvReader);
- }
- }
- else {
- URL propertyFileUrl = new URL(resolvedPropertyFile);
- CSVReader csvReader = null;
- try {
- csvReader = new CSVReaderBuilder(new InputStreamReader(propertyFileUrl.openStream(), StandardCharsets.UTF_8)).withCSVParser(csvParser).build();
- fileLines = csvReader.readAll();
- }
- finally {
- IOUtils.closeQuietly(csvReader);
- }
+ try(CSVReader csvReader = new CSVReaderBuilder(new InputStreamReader(Files.newInputStream(file.toPath()), StandardCharsets.UTF_8)).withCSVParser(csvParser).build();) {
+ fileLines = csvReader.readAll();
 }
 if(fileLines.size() < 2) {
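Review bot: The stream from `Files.newInputStream(file.toPath())` is not itself a try-with-resources resource in the new `try(...)` line, so if the `InputStreamReader` wrapping or `CSVReaderBuilder.build()` were to throw, the open file handle would not be closed; declaring it separately, `try (InputStream in = Files.newInputStream(file.toPath()); CSVReader csvReader = new CSVReaderBuilder(new InputStreamReader(in, StandardCharsets.UTF_8)).withCSVParser(csvParser).build()) {`, closes both in order (adding the `java.io.InputStream` import if the file lacks it). The trailing `;` before the closing `)` of the resource list is legal but stray and should be dropped. Now that the `file.isFile()` guard is gone, a path that is not a regular file reaches `Files.newInputStream` directly and leaves via the method's `throws Exception`, which may be acceptable, but an explicit `if (!file.isFile())` check with a message naming the resolved path would be clearer for callers; the method body continues past the end of the hunk.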