[SECURITY-3061]

(cherry picked from commit d208953)

Author: centic9

src/main/java/hudson/plugins/jacoco/report/AbstractReport.java

@@ -31,7 +31,18 @@ public String getName() {
     }
 
     public void setName(String name) {
-        this.name = name;
+        this.name = sanitizeName(name);
+    }
+
+    protected static String sanitizeName(String name) {
+        // sanitize names contained in .class files
+        return name
+                .replace(':', '_')
+                .replace(';', '_')
+                .replace('&', '_')
+                .replace('%', '_')
+                .replace('<', '_')
+                .replace('>', '_');
     }
 
     public String getDisplayName() {
@@ -72,5 +83,5 @@ public SELF getPreviousResult() {
     public Run<?,?> getBuild() {
     	return parent.getBuild();
     }
-    
+
 }

src/main/java/hudson/plugins/jacoco/report/ClassReport.java

@@ -15,9 +15,10 @@ public final class ClassReport extends AggregatedReport<PackageReport,ClassRepor
 
     @Override
 	public void setName(String name) {
-		super.setName(name.replaceAll("/", "."));
+		super.setName(name.replace('/', '.'));
 		//logger.log(Level.INFO, "ClassReport");
 	}
+
 	@Override
 	public void add(MethodReport child) {
     	String newChildName = child.getName();

src/main/java/hudson/plugins/jacoco/report/MethodReport.java

@@ -13,9 +13,9 @@
  */
 //AggregatedReport<PackageReport,ClassReport,MethodReport>  -  AbstractReport<ClassReport,MethodReport>
 public final class MethodReport extends AggregatedReport<ClassReport,MethodReport, SourceFileReport> {
-	
+
 	private IMethodCoverage methodCov;
-	
+
 	@Override
 	public String printFourCoverageColumns() {
         StringBuilder buf = new StringBuilder();
@@ -32,10 +32,10 @@ public String printFourCoverageColumns() {
         //logger.log(Level.INFO, "Printing Ratio cells within MethodReport.");
 		return buf.toString();
 	}
-	
+
 	@Override
 	public void add(SourceFileReport child) {
-    	String newChildName = child.getName().replaceAll(this.getName() + ".", ""); 
+    	String newChildName = child.getName().replace(this.getName() + ".", "");
     	child.setName(newChildName);
         getChildren().put(child.getName(), child);
         //logger.log(Level.INFO, "SourceFileReport");
@@ -45,11 +45,11 @@ public void add(SourceFileReport child) {
     public boolean hasClassCoverage() {
         return false;
     }
-	
+
 	public void setSrcFileInfo(IMethodCoverage methodCov) {
 		this.methodCov = methodCov;
 	}
-	
+
     public void printHighlightedSrcFile(Writer output) {
         new SourceAnnotator(getParent().getSourceFilePath()).printHighlightedSrcFile(methodCov,output);
    	}

src/main/java/hudson/plugins/jacoco/report/PackageReport.java

@@ -18,17 +18,17 @@ public String getName() {
 
     @Override
     public void setName(String name) {
-        super.setName(name.replaceAll("/", "."));
+        super.setName(name.replace('/', '.'));
     }
-    
+
     @Override
     public void add(ClassReport child) {
-    	String newChildName = child.getName().replaceAll(this.getName() + ".", ""); 
+    	String newChildName = child.getName().replace(this.getName() + ".", "");
     	child.setName(newChildName);
         this.getChildren().put(child.getName(), child);
         //logger.log(Level.INFO, "PackageReport");
     }
-    
+
     //private static final Logger logger = Logger.getLogger(CoverageObject.class.getName());
-    
+
 }

src/main/java/hudson/plugins/jacoco/report/SourceFileReport.java

@@ -5,12 +5,12 @@
  * @author Kohsuke Kawaguchi
  */
 public final class SourceFileReport extends AbstractReport<MethodReport,SourceFileReport> {
-	
+
 	@Override
     public void setName(String name) {
-        super.setName(name.replaceAll("/", "."));
+        super.setName(name.replace('/', '.'));
     	//logger.log(Level.INFO, "SourceFileReport");
     }
-    	
+
 	//private static final Logger logger = Logger.getLogger(SourceFileReport.class.getName());
-}	
+}

src/test/java/hudson/plugins/jacoco/report/AbstractReportTest.java

@@ -17,7 +17,7 @@ public void test() throws Exception {
             // abstract class but not abstract method to override
         };
         assertNotNull(report);
-        
+
         report.setParent(new ClassReport());
         report.getParent().setParent(new PackageReport());
 
@@ -33,7 +33,11 @@ public void test() throws Exception {
         report.setName("testname");
         assertEquals("testname", report.getName());
         assertEquals("testname", report.getDisplayName());
-        
+
+        report.setName("myname/&:<>2%;");
+        assertEquals("myname/____2__", report.getName());
+        assertEquals("myname/____2__", report.getDisplayName());
+
         // TODO: cause NPEs, did not find out how to test this without a full jenkins-test
         //assertNull(report.getPreviousResult());
         //CoverageElement cv = new CoverageElement();

src/test/java/hudson/plugins/jacoco/report/AggregatedReportTest.java

@@ -11,36 +11,40 @@ public class AggregatedReportTest {
     public void testSetFailed() throws Exception {
         AggregatedReport<PackageReport,ClassReport,MethodReport> report = new AggregatedReport<PackageReport,ClassReport,MethodReport>() {
         };
-        
+
         assertEquals(0, report.getChildren().size());
         assertFalse(report.hasChildren());
-        
+
         MethodReport child = new MethodReport();
         child.setName("testmethod");
         report.add(child);
         assertEquals(1, report.getChildren().size());
         assertTrue(report.hasChildren());
         assertFalse(report.hasChildrenClassCoverage());
         assertFalse(report.hasChildrenLineCoverage());
-        
+
         report.setParent(new PackageReport());
         assertNotNull(report.getParent());
-        
+
         assertNull(report.getDynamic("test", null, null));
         assertNotNull(report.getDynamic("testmethod", null, null));
-        
+
         report.setFailed();
-        
+
         child.getLineCoverage().accumulate(0, 3);
         assertTrue(report.hasChildrenLineCoverage());
 
         child.getClassCoverage().accumulate(0, 3);
         assertFalse("For method children it's always false", report.hasChildrenClassCoverage());
+
+        report.setName("myname/&:<>2%;");
+        assertEquals("myname/____2__", report.getName());
+        assertEquals("myname/____2__", report.getDisplayName());
     }
-    
+
     @Test
     public void testClassCoverage() {
-        AggregatedReport<CoverageReport,PackageReport,ClassReport> packageReport = 
+        AggregatedReport<CoverageReport,PackageReport,ClassReport> packageReport =
                 new AggregatedReport<CoverageReport, PackageReport, ClassReport>() {
                 };
 
@@ -52,8 +56,13 @@ public void testClassCoverage() {
         assertFalse(packageReport.hasChildrenLineCoverage());
 
         classChild.getClassCoverage().accumulate(0, 3);
-        
+
         assertTrue(packageReport.hasChildrenClassCoverage());
         assertFalse(packageReport.hasChildrenLineCoverage());
+
+        classChild = new ClassReport();
+        classChild.setName("testclass/pkg");
+        packageReport.add(classChild);
+        assertEquals("testclass.pkg", classChild.getName());
     }
 }

src/test/java/hudson/plugins/jacoco/report/ClassReportTest.java

@@ -11,46 +11,50 @@
 public class ClassReportTest {
 
     @Test
-    public void testName() throws Exception {
+    public void testName() {
         ClassReport report = new ClassReport();
         report.setName("testname");
         assertEquals("testname", report.getName());
         report.setName("test/name/1");
         assertEquals("test.name.1", report.getName());
+
+        report.setName("myname/&:<>2%;");
+        assertEquals("myname.____2__", report.getName());
+        assertEquals("myname.____2__", report.getDisplayName());
     }
-    
+
     @Test
-    public void testChildren() throws Exception {
+    public void testChildren() {
         ClassReport report = new ClassReport();
-        
+
         assertEquals(0, report.getChildren().size());
         MethodReport child = new MethodReport();
         child.setName("testname");
         report.add(child);
         assertEquals(1, report.getChildren().size());
     }
-    
+
     @Test
-    public void testSourceFile() throws Exception {
+    public void testSourceFile() {
         ClassReport report = new ClassReport();
         report.setSrcFileInfo(null, "some/path");
         assertEquals(new File("some/path"), report.getSourceFilePath());
     }
-    
+
     @Test
-    public void testPrint() throws Exception {
+    public void testPrint() {
         ClassReport report = new ClassReport();
         report.setSrcFileInfo(null, "some/path");
-        
+
         StringWriter writer = new StringWriter();
         report.printHighlightedSrcFile(writer);
-        
+
         String string = writer.toString();
         assertEquals("ERROR: Error while reading the sourcefile!", string);
     }
-    
+
     @Test
-    public void testToString() throws Exception {
+    public void testToString() {
         ClassReport report = new ClassReport();
         assertNotNull(report.toString());
     }

src/test/java/hudson/plugins/jacoco/report/CoverageReportTest.java

@@ -11,27 +11,31 @@
 
 public class CoverageReportTest {
     @Test
-    public void testGetBuild() throws Exception {
+    public void testGetBuild() {
         CoverageReport report = new CoverageReport(action, new ExecutionFileLoader());
         assertNull(report.getBuild());
     }
 
     @Test
-    public void testName() throws Exception {
+    public void testName() {
         CoverageReport report = new CoverageReport(action, new ExecutionFileLoader());
         assertEquals("Jacoco", report.getName());
+
+        report.setName("myname/&:<>2%;");
+        assertEquals("myname/____2__", report.getName());
+        assertEquals("myname/____2__", report.getDisplayName());
     }
 
     @Test
-    public void testDoJaCoCoExec() throws Exception {
+    public void testDoJaCoCoExec() {
         CoverageReport report = new CoverageReport(action, new ExecutionFileLoader());
         assertNotNull(report);
         // TODO: how to simulate JaCoCoBuildAction without full Jenkins test-framework?
         // report.doJacocoExec();
     }
 
     @Test
-    public void testThresholds() throws Exception {
+    public void testThresholds() {
         CoverageReport report = new CoverageReport(action, new ExecutionFileLoader());
         report.setThresholds(new JacocoHealthReportThresholds());
     }

src/test/java/hudson/plugins/jacoco/report/MethodReportTest.java

@@ -12,47 +12,53 @@ public class MethodReportTest {
     public void testMissingFile() {
         MethodReport report = new MethodReport();
         assertFalse(report.hasClassCoverage());
-        
+
         report.setSrcFileInfo(null);
-        
+
         ClassReport p = new ClassReport();
         p.setSrcFileInfo(null, "some/path");
         report.setParent(p);
-        
+
         StringWriter writer = new StringWriter();
         report.printHighlightedSrcFile(writer);
         String string = writer.toString();
         assertEquals("ERROR: Error while reading the sourcefile!", string);
+
+        report.setName("myname/&:<>2%;");
+        assertEquals("myname/____2__", report.getName());
+        assertEquals("myname/____2__", report.getDisplayName());
     }
 
     @Test
-    public void testPrint() throws Exception {
+    public void testPrint() {
         MethodReport report = new MethodReport();
         assertNotNull(report.printFourCoverageColumns());
     }
 
     @Test
-    public void testChildren() throws Exception {
+    public void testChildren() {
         MethodReport report = new MethodReport();
         report.setName("pkg");
-        
+
         assertEquals(0, report.getChildren().size());
         SourceFileReport child = new SourceFileReport();
         child.setName("testname");
         report.add(child);
+        assertEquals("testname", child.getName());
         assertEquals(1, report.getChildren().size());
         assertEquals("testname", report.getChildren().values().iterator().next().getName());
     }
 
     @Test
-    public void testChildrenRemovePkgName() throws Exception {
+    public void testChildrenRemovePkgName() {
         MethodReport report = new MethodReport();
         report.setName("pkg");
-        
+
         assertEquals(0, report.getChildren().size());
         SourceFileReport child = new SourceFileReport();
         child.setName("pkg.testname");
         report.add(child);
+        assertEquals("testname", child.getName());
         assertEquals(1, report.getChildren().size());
         assertEquals("testname", report.getChildren().values().iterator().next().getName());
     }