SECURITY-3559

Author: PierreBtz

src/main/java/com/cloudbees/jenkins/plugins/advisor/BundleUpload.java

@@ -7,6 +7,7 @@
 import com.cloudbees.jenkins.plugins.advisor.client.model.Recipient;
 import com.cloudbees.jenkins.support.SupportPlugin;
 import hudson.Extension;
+import hudson.Util;
 import hudson.model.AsyncPeriodicWork;
 import hudson.model.TaskListener;
 import hudson.security.ACL;
@@ -102,11 +103,12 @@ private File generateBundle() {
             }
         } catch (Exception e) {
             logError(COULD_NOT_SAVE_SUPPORT_BUNDLE, e);
+            var sanitizedMessage = Util.xmlEscape(e.getMessage());
             updateLastBundleResult(
                     config,
                     createTimestampedErrorMessage(
                             "<strong>%s</strong><br/><pre><code>%s</code></pre>",
-                            COULD_NOT_SAVE_SUPPORT_BUNDLE, e.getMessage()));
+                            COULD_NOT_SAVE_SUPPORT_BUNDLE, sanitizedMessage));
             if (file != null && file.exists() && !file.delete()) {
                 log(Level.WARNING, "Could not delete bundle {0}" + file);
             }
@@ -124,22 +126,24 @@ private void executeInternal(String email, File file, String pluginVersion) {
             if (response.getCode() == 200) {
                 updateLastBundleResult(config, createTimestampedInfoMessage(BUNDLE_SUCCESSFULLY_UPLOADED));
             } else {
+                var sanitizedMessage = Util.xmlEscape(response.getMessage());
                 updateLastBundleResult(
                         config,
                         createTimestampedErrorMessage(
                                 "<strong>Bundle upload failed</strong><br/>Server response is: <code>%d - %s</code>",
-                                response.getCode(), response.getMessage()));
+                                response.getCode(), sanitizedMessage));
             }
         } catch (Exception e) {
             log(Level.SEVERE, "Issue while uploading file to bundle upload service: " + e.getMessage());
             log(
                     Level.FINEST,
                     "Exception while uploading file to bundle upload service. Cause: "
                             + ExceptionUtils.getStackTrace(e));
+            var sanitizedMessage = Util.xmlEscape(e.getMessage());
             updateLastBundleResult(
                     config,
                     createTimestampedErrorMessage(
-                            "<strong>Bundle upload failed</strong><br/><pre><code>%s</code></pre>", e.getMessage()));
+                            "<strong>Bundle upload failed</strong><br/><pre><code>%s</code></pre>", sanitizedMessage));
         } finally {
             if (!file.delete()) {
                 log(Level.WARNING, "Could not delete bundle {0}" + file);

src/test/java/com/cloudbees/jenkins/plugins/advisor/BundleUploadTest.java

@@ -153,6 +153,24 @@ void getInitialDelay() {
                 is(equalTo(TimeUnit.MINUTES.toMillis(BundleUpload.INITIAL_DELAY_MINUTES))));
     }
 
+    @WithTimeout(30)
+    @Test
+    void protectsAgainstRogueServer(JenkinsRule j) {
+        var config = AdvisorGlobalConfiguration.getInstance();
+        config.setEmail(TEST_EMAIL);
+        config.setAcceptToS(true);
+
+        wireMock.stubFor(get(urlEqualTo("/api/health")).willReturn(aResponse().withStatus(200)));
+        wireMock.stubFor(post(format(
+                        "/api/users/%s/upload/%s", TEST_EMAIL, j.getInstance().getLegacyInstanceId()))
+                .willReturn(aResponse().withStatus(201).withBody("<img/src/onerror=alert(1)>")));
+
+        runBundleUpload(j);
+
+        // The stored response is properly escaped
+        assertThat(config.getLastBundleResult(), containsString("<code>201 - &lt;img/src/onerror=alert(1)&gt;</code>"));
+    }
+
     /**
      * Runs the {@link BundleUpload} task and waits for it to finish.
      */