Merge pull request #6 from jglick/className-JENKINS-68544

[JENKINS-68544] `\Q…\E` unsafe if input might contain `\E`

Author: jglick

src/main/java/org/jenkinsci/plugins/workflow/libs/LibraryAdder.java

@@ -49,6 +49,7 @@
 import java.util.logging.Logger;
 import edu.umd.cs.findbugs.annotations.CheckForNull;
 import edu.umd.cs.findbugs.annotations.NonNull;
+import java.util.regex.Pattern;
 import org.apache.commons.io.IOUtils;
 import org.jenkinsci.plugins.workflow.cps.CpsFlowExecution;
 import org.jenkinsci.plugins.workflow.cps.GlobalVariable;
@@ -322,7 +323,7 @@ private static String readResource(FilePath file, @CheckForNull String encoding)
                                     continue;
                                 }
                                 for (FilePath groovy : root.list("**/*.groovy")) {
-                                    String clazz = groovy.getRemote().replaceFirst("^\\Q" + root.getRemote() + "\\E[/\\\\](.+)[.]groovy", "$1").replace('/', '.').replace('\\', '.');
+                                    String clazz = className(groovy.getRemote(), root.getRemote());
                                     scripts.put(clazz, groovy.readToString()); // TODO no idea what encoding the Groovy compiler uses
                                 }
                             }
@@ -335,6 +336,10 @@ private static String readResource(FilePath file, @CheckForNull String encoding)
             return scripts;
         }
 
+        static String className(String groovy, String root) {
+            return groovy.replaceFirst("^" + Pattern.quote(root) + "[/\\\\](.+)[.]groovy", "$1").replace('/', '.').replace('\\', '.');
+        }
+
     }
 
     @Extension public static class Copier extends FlowCopier.ByRun {

src/test/java/org/jenkinsci/plugins/workflow/libs/LibraryAdderTest.java

@@ -30,12 +30,10 @@
 import hudson.model.Result;
 import hudson.plugins.git.BranchSpec;
 import hudson.plugins.git.GitSCM;
-import hudson.plugins.git.SubmoduleConfig;
 import hudson.plugins.git.UserRemoteConfig;
-import hudson.plugins.git.extensions.GitSCMExtension;
-import hudson.slaves.WorkspaceList;
-import hudson.scm.SubversionSCM;
 import hudson.scm.ChangeLogSet;
+import hudson.scm.SubversionSCM;
+import hudson.slaves.WorkspaceList;
 import java.util.Collection;
 import java.util.Collections;
 import java.util.Iterator;
@@ -45,25 +43,28 @@
 import jenkins.plugins.git.GitSampleRepoRule;
 import jenkins.scm.impl.subversion.SubversionSCMSource;
 import jenkins.scm.impl.subversion.SubversionSampleRepoRule;
+import static org.hamcrest.MatcherAssert.assertThat;
+import static org.hamcrest.Matchers.is;
+import static org.hamcrest.Matchers.nullValue;
 import org.jenkinsci.plugins.workflow.cps.CpsFlowDefinition;
 import org.jenkinsci.plugins.workflow.cps.GlobalVariable;
 import org.jenkinsci.plugins.workflow.cps.global.GrapeTest;
 import org.jenkinsci.plugins.workflow.cps.global.UserDefinedGlobalVariable;
 import org.jenkinsci.plugins.workflow.cps.replay.ReplayAction;
 import org.jenkinsci.plugins.workflow.job.WorkflowJob;
 import org.jenkinsci.plugins.workflow.job.WorkflowRun;
-import static org.junit.Assert.*;
+import static org.junit.Assert.assertEquals;
+import static org.junit.Assert.assertNotNull;
 import org.junit.ClassRule;
-import org.junit.Test;
 import org.junit.Rule;
+import org.junit.Test;
 import org.jvnet.hudson.test.BuildWatcher;
 import org.jvnet.hudson.test.Issue;
 import org.jvnet.hudson.test.JenkinsRule;
 import org.jvnet.hudson.test.TestExtension;
+import org.jvnet.hudson.test.WithoutJenkins;
 import org.jvnet.hudson.test.recipes.LocalData;
 
-import static org.hamcrest.Matchers.nullValue;
-
 public class LibraryAdderTest {
 
     @ClassRule public static BuildWatcher buildWatcher = new BuildWatcher();
@@ -103,7 +104,7 @@ public class LibraryAdderTest {
             new SCMRetriever(
                     new GitSCM(Collections.singletonList(new UserRemoteConfig(sampleRepo.fileUrl(), null, null, null)),
                             Collections.singletonList(new BranchSpec("${library.stuff.version}")),
-                            false, Collections.<SubmoduleConfig>emptyList(), null, null, Collections.<GitSCMExtension>emptyList())));
+                            null, null, Collections.emptyList())));
         stuff.setDefaultVersion("master");
         stuff.setImplicit(true);
         GlobalLibraries.get().setLibraries(Collections.singletonList(stuff));
@@ -472,4 +473,12 @@ public void correctLibraryDirectoryUsedWhenResumingOldBuild() throws Exception {
         r.assertLogContains("called Foo", b);
     }
 
+    @Issue("JENKINS-68544")
+    @WithoutJenkins
+    @Test public void className() {
+        assertThat(LibraryAdder.LoadedLibraries.className("/path/to/lib/src/some/pkg/Type.groovy", "/path/to/lib/src"), is("some.pkg.Type"));
+        assertThat(LibraryAdder.LoadedLibraries.className("C:\\path\\to\\lib\\src\\some\\pkg\\Type.groovy", "C:\\path\\to\\lib\\src"), is("some.pkg.Type"));
+        assertThat(LibraryAdder.LoadedLibraries.className("C:\\path\\to\\Extra\\lib\\src\\some\\pkg\\Type.groovy", "C:\\path\\to\\Extra\\lib\\src"), is("some.pkg.Type"));
+    }
+
 }