Autolog does not sanitize hg pushlog data

RESOLVED FIXED

Status

Product:
Testing Graveyard
Component:
Autolog
Status:
RESOLVED FIXED
Reported:
6 years ago
Modified:
4 years ago

People

(Reporter: bc, Assigned: bc)

Tracking

Version:
Trunk
Platform:
x86
All

Details

Attachments

(1 attachment)

patch
1.87 KB, patch
jgriffin
: review+
Details | Diff | Splinter Review
(Assignee)

Description

6 years ago 
Autolog does not sanitize hg pushlog data

commit http://hg.mozilla.org/mozilla-central/rev/aea5ae9d8762 contains a message 

Bug 709954 - Fix assertion failure "!cx->isExceptionPending()" with invalid regexp in <input pattern>; r=bz 

The <input pattern> is displayed in the autolog display as an input box.

A minimal change is:

--- a/autolog_server.py
+++ b/autolog_server.py
@@ -588,17 +588,17 @@ class AutologServer(object):
                 pushes[testgroup['revision']] = {
                   'id': '%s-%s' % (testgroup['tree'], testgroup['revision']),
                   'tree': testgroup['tree'],
                   'date':  dateutil.parser.parse(changeset['committer']['date']).strftime("%s"),
                   'pusher': changeset['committer']['name'],
                   'patches': [{
                       'rev': testgroup['revision'],
                       'author': changeset['committer']['name'],
-                      'desc': changeset['message'],
+                      'desc': changeset['message'].replace('<', '&lt;'),
                       'tags': {
                         'length': 0,
                         'prevObject': {
                         'length': 0
                         }
                       }
                     }]
                 }
@@ -649,17 +649,17 @@ class AutologServer(object):
                   # used by TBPL.
                   # XXX correctly populate tags
                   # XXX include files in push info?
                   toprev = '0'
                   for commit in push_data[testgroup['tree']][pushid]['changesets'][::-1]:
                     pushes[testgroup['revision']]['patches'].append({
                       'rev': commit['node'][0:12],
                       'author': commit['author'],
-                      'desc': commit['desc'],
+                      'desc': commit['desc'].replace('<', '&lt;'),
                       'tags': {
                         'length': 0,
                         'prevObject': {
                         'length': 0
                         }
                       }
                     })
                   toprev = pushes[testgroup['revision']]['patches'][0]['rev']

to be safe though, we might want to sanitize the other properties of the patches dict.
 (Assignee)

Comment 1

6 years ago 
Created attachment 681859 [details] [diff] [review]
patch
Attachment #681859 - Flags: review?(jgriffin)

Comment 2

6 years ago 
Comment on attachment 681859 [details] [diff] [review]
patch

Review of attachment 681859 [details] [diff] [review]:
-----------------------------------------------------------------

Cool, thanks Bob.
Attachment #681859 - Flags: review?(jgriffin) → review+
 (Assignee)

Comment 3

6 years ago 
http://hg.mozilla.org/automation/autolog/rev/e289fa4e40c8
Status: NEW → RESOLVED
Last Resolved: 6 years ago
QA Contact: bclary
Resolution: --- → FIXED

Updated

6 years ago
Assignee: nobody → bclary
QA Contact: bclary
Product: Testing → Testing Graveyard
You need to log in before you can comment on or make changes to this bug.