[SECURITY-2567]

daniel-beck · daniel-beck · commit 0fc4a1995063 · 2022-06-21T18:22:51.000+02:00
diff --git a/src/main/java/org/jenkinsci/plugins/badge/StatusImage.java b/src/main/java/org/jenkinsci/plugins/badge/StatusImage.java
@@ -7,6 +7,9 @@
 
 package org.jenkinsci.plugins.badge;
 
+import java.net.MalformedURLException;
+import java.util.logging.Level;
+import java.util.logging.Logger;
 import org.apache.commons.io.IOUtils;
 import jenkins.model.Jenkins;
 import org.kohsuke.stapler.HttpResponse;
@@ -44,6 +47,7 @@
  * can change any time, we use ETag to skip the actual data transfer if possible.
  */
 class StatusImage implements HttpResponse {
+    public static final Logger LOGGER = Logger.getLogger(StatusImage.class.getName());
     private final byte[] payload;
     private static final String PLGIN_NAME = "embeddable-build-status";
 
@@ -102,7 +106,7 @@ class StatusImage implements HttpResponse {
         if (animatedColorName != null) animatedColorName = StringEscapeUtils.escapeHtml(animatedColorName);
         if (colorName != null) colorName = StringEscapeUtils.escapeHtml(colorName);
         if (style != null) style = StringEscapeUtils.escapeHtml(style);
-        if (link != null) link = StringEscapeUtils.escapeHtml(link);
+        if (link != null) link = StringEscapeUtils.escapeHtml(StringEscapeUtils.escapeHtml(link)); // double-escape because concatenating into an attribute effectively removes one level of quoting
         
         if (baseUrl != null) {
             etag = Jenkins.RESOURCE_PATH + '/' + subject + status + colorName + animatedColorName + style;
@@ -167,7 +171,17 @@ class StatusImage implements HttpResponse {
             }
 
             if (link != null) {
-                linkCode = "<svg onclick=\"window.open('" + link + "');\" style=\"cursor: pointer;\" xmlns";
+                try {
+                    URL url = new URL(link);
+                    final String protocol = url.getProtocol();
+                    if (protocol.equals("http") || protocol.equals("https")) {
+                        linkCode = "<svg onclick=\"window.open(&quot;" + link + "&quot;);\" style=\"cursor: pointer;\" xmlns";
+                    } else {
+                        LOGGER.log(Level.FINE, "Invalid link protocol: " + protocol);
+                    }
+                } catch (MalformedURLException ex) {
+                    LOGGER.log(Level.FINE, "Invalid link URL: " + link, ex);
+                }
             }
 
             try {
