diff --git a/Jenkinsfile b/Jenkinsfile
index 051c74f70..7ca238daf 100644
--- a/Jenkinsfile
+++ b/Jenkinsfile
@@ -135,8 +135,6 @@ pipeline {
 environment {
 JAVA_HOME_DIR = getJavaHomePath()
 GRADLE_DIR = ".gradle"
- DMC_USER = credentials('MLBUILD_USER')
- DMC_PASSWORD = credentials('MLBUILD_PASSWORD')
 PLATFORM = "linux/amd64"
 MARKLOGIC_INSTALL_CONVERTERS = "true"
 }
@@ -189,14 +187,19 @@ pipeline {
 }
 }
 steps {
- sh label: 'publish', script: '''#!/bin/bash
- export JAVA_HOME=$JAVA_HOME_DIR
- export GRADLE_USER_HOME=$WORKSPACE/$GRADLE_DIR
- export PATH=$GRADLE_USER_HOME:$JAVA_HOME/bin:$PATH
- cp ~/.gradle/gradle.properties $GRADLE_USER_HOME;
- cd java-client-api
- ./gradlew publish
- '''
+ withCredentials([
+ string(credentialsId: 'MLBUILD_USER', variable: 'DMC_USER'),
+ string(credentialsId: 'MLBUILD_PASSWORD', variable: 'DMC_PASSWORD')
+ ]) {
+ sh label: 'publish', script: '''#!/bin/bash
+ export JAVA_HOME=$JAVA_HOME_DIR
+ export GRADLE_USER_HOME=$WORKSPACE/$GRADLE_DIR
+ export PATH=$GRADLE_USER_HOME:$JAVA_HOME/bin:$PATH
+ cp ~/.gradle/gradle.properties $GRADLE_USER_HOME;
+ cd java-client-api
+ ./gradlew publish
+ '''
+ }
 }
 post {
 always {
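Review bot: The `string(...)` bindings in the new `withCredentials` block resolve only Secret text credentials, whereas the removed `credentials('MLBUILD_USER')` helper also accepted other credential kinds; the page does not show how `MLBUILD_USER` and `MLBUILD_PASSWORD` are stored, so the type should be confirmed or the publish step will fail when the credentials are bound. If they turn out to be one username/password entry, the binding would be `usernamePassword(credentialsId: '<CREDENTIAL_ID>', usernameVariable: 'DMC_USER', passwordVariable: 'DMC_PASSWORD')`. Dropping the two variables from the pipeline-level `environment` block in the first hunk also leaves `$DMC_USER` and `$DMC_PASSWORD` unset in every other stage; those stages are outside the diff and need a check. A comment above the wrapper such as `// Publish credentials are scoped to this step only; keep the script single-quoted so Groovy never interpolates them` would record the intent.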
@@ -226,7 +229,14 @@ pipeline { steps { script { - def imageTags = params.MARKLOGIC_IMAGE_TAGS.split(',') + // Validate MARKLOGIC_IMAGE_TAGS to prevent argument injection via user-supplied image tag values; + // each entry is validated individually after trimming to reject empty values and tags + // containing spaces or other shell-injectable characters + def imageTags = params.MARKLOGIC_IMAGE_TAGS.split(',').collect { it.trim() } + def invalidTags = imageTags.findAll { it.isEmpty() || !(it ==~ /^[a-z0-9]+(?:[._-][a-z0-9]+)*(?::[A-Za-z0-9_][A-Za-z0-9_.-]{0,127})?$/) } + if (!invalidTags.isEmpty()) { + error("Invalid MARKLOGIC_IMAGE_TAGS entries: ${invalidTags}. Expected comma-delimited docker image refs like 'marklogic-server-ubi:latest-12'") + } def imagePrefix = 'ml-docker-db-dev-tierpoint.bed-artifactory.bedford.progress.com/marklogic/' imageTags.each { tag ->
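Review bot: `params.MARKLOGIC_IMAGE_TAGS` is dereferenced before validation, so a run started without the parameter fails with a NullPointerException instead of the new `error(...)` message; `(params.MARKLOGIC_IMAGE_TAGS ?: '').split(',')` would send that case through the same empty-entry check. The tag part of the pattern is optional, so a bare name such as `marklogic-server-ubi` passes and would resolve to the registry's default tag, which the comment should state if it is intended. The `imageTags.each` closure that consumes `tag` continues outside the hunk, so whether the value reaches a shell through a Groovy-interpolated string cannot be confirmed here. If it does, passing it with `withEnv(["IMAGE_TAG=${tag}"])` and reading `"$IMAGE_TAG"` from a single-quoted `sh` script would keep the shell boundary safe even if the allowlist is loosened later.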