From dd256284a05295bfa178272e661a889d9dc8febf Mon Sep 17 00:00:00 2001
From: Rita Chen
Date: Wed, 24 Jun 2026 13:10:16 -0400
Subject: [PATCH 1/4] MLE-30244 move Jenkins registry credentials to the publish stage and validate the MARKLOGIC_IMAGE_TAGS build parameter
---
 Jenkinsfile | 28 ++++++++++++++++++----------
 1 file changed, 18 insertions(+), 10 deletions(-)
diff --git a/Jenkinsfile b/Jenkinsfile
index 051c74f70..387f72e09 100644
--- a/Jenkinsfile
+++ b/Jenkinsfile
@@ -135,8 +135,6 @@ pipeline {
 environment {
 JAVA_HOME_DIR = getJavaHomePath()
 GRADLE_DIR = ".gradle"
- DMC_USER = credentials('MLBUILD_USER')
- DMC_PASSWORD = credentials('MLBUILD_PASSWORD')
 PLATFORM = "linux/amd64"
 MARKLOGIC_INSTALL_CONVERTERS = "true"
 }
@@ -189,14 +187,20 @@ pipeline {
 }
 }
 steps {
- sh label: 'publish', script: '''#!/bin/bash
- export JAVA_HOME=$JAVA_HOME_DIR
- export GRADLE_USER_HOME=$WORKSPACE/$GRADLE_DIR
- export PATH=$GRADLE_USER_HOME:$JAVA_HOME/bin:$PATH
- cp ~/.gradle/gradle.properties $GRADLE_USER_HOME;
- cd java-client-api
- ./gradlew publish
- '''
+ withCredentials([usernamePassword(
+ credentialsId: 'MLBUILD_USER',
+ usernameVariable: 'DMC_USER',
+ passwordVariable: 'DMC_PASSWORD'
+ )]) {
+ sh label: 'publish', script: '''#!/bin/bash
+ export JAVA_HOME=$JAVA_HOME_DIR
+ export GRADLE_USER_HOME=$WORKSPACE/$GRADLE_DIR
+ export PATH=$GRADLE_USER_HOME:$JAVA_HOME/bin:$PATH
+ cp ~/.gradle/gradle.properties $GRADLE_USER_HOME;
+ cd java-client-api
+ ./gradlew publish
+ '''
+ }
 }
 post {
 always {
@@ -226,6 +230,10 @@ pipeline {
 steps {
 script {
+ // Validate MARKLOGIC_IMAGE_TAGS to prevent argument injection via user-supplied image tag values
+ if (!(params.MARKLOGIC_IMAGE_TAGS ==~ /^[a-zA-Z0-9\-.:,\/ ]+$/)) {
+ error("Invalid MARKLOGIC_IMAGE_TAGS parameter value: must match ^[a-zA-Z0-9\\-.:,\\/ ]+\$")
+ }
 def imageTags = params.MARKLOGIC_IMAGE_TAGS.split(',')
 def imagePrefix = 'ml-docker-db-dev-tierpoint.bed-artifactory.bedford.progress.com/marklogic/'
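Review bot: Dropping `DMC_USER` and `DMC_PASSWORD` from the pipeline-level `environment` block (first hunk) and rebinding them only around the publish `sh` step (second hunk) leaves every other stage without those variables. The rest of the Jenkinsfile is outside this diff, so confirm that no other stage or Gradle task still reads them; an unset variable there would most likely surface as an authentication failure rather than a clear pipeline error. A one-line comment above the new `withCredentials` block, such as `// Registry credentials are bound only for publish; do not move them back to the global environment`, would record the intent for the next maintainer.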
From cfef3bf044c4ec5dc5ad6cf6daba1eb906d22887 Mon Sep 17 00:00:00 2001
From: Rita Chen
Date: Wed, 24 Jun 2026 13:30:03 -0400
Subject: [PATCH 2/4] MLE-30244 refine the changes as the copilot reviews
---
 Jenkinsfile | 20 +++++++++++---------
 1 file changed, 11 insertions(+), 9 deletions(-)
diff --git a/Jenkinsfile b/Jenkinsfile
index 387f72e09..694b33d61 100644
--- a/Jenkinsfile
+++ b/Jenkinsfile
@@ -187,11 +187,10 @@ pipeline {
 }
 }
 steps {
- withCredentials([usernamePassword(
- credentialsId: 'MLBUILD_USER',
- usernameVariable: 'DMC_USER',
- passwordVariable: 'DMC_PASSWORD'
- )]) {
+ withCredentials([
+ string(credentialsId: 'MLBUILD_USER', variable: 'DMC_USER'),
+ string(credentialsId: 'MLBUILD_PASSWORD', variable: 'DMC_PASSWORD')
+ ]) {
 sh label: 'publish', script: '''#!/bin/bash
 export JAVA_HOME=$JAVA_HOME_DIR
 export GRADLE_USER_HOME=$WORKSPACE/$GRADLE_DIR
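Review bot: The two `string(...)` bindings in the publish stage are correct only if `MLBUILD_USER` and `MLBUILD_PASSWORD` are both stored as secret-text credentials, and nothing in the hunk says so. That is presumably the case, since the pipeline-level `credentials('MLBUILD_USER')` / `credentials('MLBUILD_PASSWORD')` pair removed in patch 1 treated them as two separate entries, but the credential store is not visible here. I would add `// MLBUILD_USER and MLBUILD_PASSWORD are separate secret-text credentials, so they need two string() bindings rather than one usernamePassword()` above `withCredentials([` so the choice is not reverted later. The `sh` block that consumes the variables continues past the end of the hunk.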
@@ -230,11 +229,14 @@ pipeline {
 steps {
 script {
- // Validate MARKLOGIC_IMAGE_TAGS to prevent argument injection via user-supplied image tag values
- if (!(params.MARKLOGIC_IMAGE_TAGS ==~ /^[a-zA-Z0-9\-.:,\/ ]+$/)) {
- error("Invalid MARKLOGIC_IMAGE_TAGS parameter value: must match ^[a-zA-Z0-9\\-.:,\\/ ]+\$")
+ // Validate MARKLOGIC_IMAGE_TAGS to prevent argument injection via user-supplied image tag values;
+ // each entry is validated individually after trimming to reject empty values and tags
+ // containing spaces or other shell-injectable characters
+ def imageTags = params.MARKLOGIC_IMAGE_TAGS.split(',').collect { it.trim() }
+ def invalidTags = imageTags.findAll { it.isEmpty() || !(it ==~ /^[A-Za-z0-9][A-Za-z0-9._-]*(\\/[A-Za-z0-9._-]*)*(?::[A-Za-z0-9._-]{0,127})?$/) }
+ if (!invalidTags.isEmpty()) {
+ error("Invalid MARKLOGIC_IMAGE_TAGS entries: ${invalidTags}. Expected comma-delimited docker image refs like 'marklogic-server-ubi:latest-12'")
 }
- def imageTags = params.MARKLOGIC_IMAGE_TAGS.split(',')
 def imagePrefix = 'ml-docker-db-dev-tierpoint.bed-artifactory.bedford.progress.com/marklogic/'
 imageTags.each { tag ->
From 9a2f678f13c203d0e590bb04a13a3660e0903098 Mon Sep 17 00:00:00 2001
From: Rita Chen
Date: Wed, 24 Jun 2026 14:05:27 -0400
Subject: [PATCH 3/4] MLE-30244 update regex for image tags.
---
 Jenkinsfile | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/Jenkinsfile b/Jenkinsfile
index 694b33d61..04b91df3c 100644
--- a/Jenkinsfile
+++ b/Jenkinsfile
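Review bot: `params.MARKLOGIC_IMAGE_TAGS.split(',')` silently discards trailing empty fields, so the per-entry `it.isEmpty()` check never sees them: `marklogic-server-ubi:latest-12,` passes, and a value of just `,` yields an empty list, no error, and an `imageTags.each` loop that runs zero times. Splitting with a negative limit keeps those fields, so the comment's promise to reject empty values holds: `def imageTags = params.MARKLOGIC_IMAGE_TAGS.split(',', -1).collect { it.trim() }`. If the parameter can ever be null, `.split` throws a NullPointerException before the descriptive `error(...)` is reached; whether that can happen depends on the parameter definition, which is outside the diff. The same line is unchanged context in the two later patches, so the point applies to the final state as well.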
@@ -233,7 +233,7 @@ pipeline {
 // each entry is validated individually after trimming to reject empty values and tags
 // containing spaces or other shell-injectable characters
 def imageTags = params.MARKLOGIC_IMAGE_TAGS.split(',').collect { it.trim() }
- def invalidTags = imageTags.findAll { it.isEmpty() || !(it ==~ /^[A-Za-z0-9][A-Za-z0-9._-]*(\\/[A-Za-z0-9._-]*)*(?::[A-Za-z0-9._-]{0,127})?$/) }
+ def invalidTags = imageTags.findAll { it.isEmpty() || !(it ==~ /^[A-Za-z0-9][A-Za-z0-9._-]*(?::[A-Za-z0-9._-]{1,127})?$/) }
 if (!invalidTags.isEmpty()) {
 error("Invalid MARKLOGIC_IMAGE_TAGS entries: ${invalidTags}. Expected comma-delimited docker image refs like 'marklogic-server-ubi:latest-12'")
 }
From 21846c2e8129e397dea75edf43bc79e0af57083f Mon Sep 17 00:00:00 2001
From: Rita Chen
Date: Wed, 24 Jun 2026 14:26:03 -0400
Subject: [PATCH 4/4] MLE-30244 tighten the regex for image tags
---
 Jenkinsfile | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/Jenkinsfile b/Jenkinsfile
index 04b91df3c..7ca238daf 100644
--- a/Jenkinsfile
+++ b/Jenkinsfile
@@ -233,7 +233,7 @@ pipeline {
 // each entry is validated individually after trimming to reject empty values and tags
 // containing spaces or other shell-injectable characters
 def imageTags = params.MARKLOGIC_IMAGE_TAGS.split(',').collect { it.trim() }
- def invalidTags = imageTags.findAll { it.isEmpty() || !(it ==~ /^[A-Za-z0-9][A-Za-z0-9._-]*(?::[A-Za-z0-9._-]{1,127})?$/) }
+ def invalidTags = imageTags.findAll { it.isEmpty() || !(it ==~ /^[a-z0-9]+(?:[._-][a-z0-9]+)*(?::[A-Za-z0-9_][A-Za-z0-9_.-]{0,127})?$/) }
 if (!invalidTags.isEmpty()) {
 error("Invalid MARKLOGIC_IMAGE_TAGS entries: ${invalidTags}. Expected comma-delimited docker image refs like 'marklogic-server-ubi:latest-12'")
 }
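Review bot: The final pattern on the `def invalidTags` line (patch 4) now rejects uppercase letters in the image name and repeated or trailing separators, but the `error(...)` text below it still shows only one example, so a user whose value is rejected cannot tell which rule it broke. The regex is also dense enough to need a grammar comment; I would add `// name: lowercase alphanumeric groups joined by a single '.', '_' or '-'; optional ':' tag of 1-128 chars from [A-Za-z0-9_.-] that does not start with '.' or '-'` above it and mirror that wording in the message. `==~` requires the whole string to match, so the pattern is sound as an allowlist, but it is the only barrier visible here between the build parameter and whatever the `imageTags.each` body does with `tag`. That body is outside the diff, so check that it hands the value to `sh` as a quoted environment variable rather than through Groovy string interpolation.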