[gh-476] Sanitise HCL variables before storing on job submission (#24423)

* func: User url rules to scape non alphanumeric values in hcl variables * docs: add changelog * func: unscape flags before returning * use JSON.stringify instead of bespoke value quoting to handle in-value-multi-line cases --------- Co-authored-by: Phil Renaud <phil@riotindustries.com>
2026-01-06 10:25:42 +03:00 · 2024-11-22 11:45:02 +01:00
parent 997da25cdb
commit c21dfdb17a
5 changed files with 28 additions and 7 deletions
--- a/.changelog/24423.txt
+++ b/.changelog/24423.txt
@@ -0,0 +1,3 @@
+```release-note:improvement
+api: Sanitise hcl variables before storage on JobSubmission
+```
--- a/api/jobs.go
+++ b/api/jobs.go
@@ -12,7 +12,6 @@ import (
 	"net/url"
 	"sort"
 	"strconv"
-	"strings"
 	"time"

 	"github.com/hashicorp/cronexpr"
@@ -324,6 +323,7 @@ func (j *Jobs) Submission(jobID string, version int, q *QueryOptions) (*JobSubmi
 	if err != nil {
 		return nil, nil, err
 	}
+
 	return &sub, qm, nil
 }

@@ -1061,9 +1061,7 @@ func (js *JobSubmission) Canonicalize() {
 	// characters to preserve them. This way, when the job gets stopped and
 	// restarted in the UI, variable values will be parsed correctly.
 	for k, v := range js.VariableFlags {
-		if strings.Contains(v, "\n") {
-			js.VariableFlags[k] = strings.ReplaceAll(v, "\n", "\\n")
-		}
+		js.VariableFlags[k] = url.QueryEscape(v)
 	}
 }

--- a/api/jobs_test.go
+++ b/api/jobs_test.go
@@ -1503,7 +1503,17 @@ func TestJobs_JobSubmission_Canonicalize(t *testing.T) {
 			VariableFlags: map[string]string{"test": "foo\nbar"},
 		}
 		js.Canonicalize()
-		must.Eq(t, js.VariableFlags["test"], "foo\\nbar")
+
+		must.Eq(t, js.VariableFlags["test"], "foo%0Abar")
+	})
+
+	t.Run("non-alphabetic chars", func(t *testing.T) {
+		js := &JobSubmission{
+			Source:        "abc123",
+			VariableFlags: map[string]string{"test": `"foo": "bar"`},
+		}
+		js.Canonicalize()
+		must.Eq(t, js.VariableFlags["test"], "%22foo%22%3A+%22bar%22")
 	})
 }

--- a/command/agent/job_endpoint.go
+++ b/command/agent/job_endpoint.go
@@ -8,6 +8,7 @@ import (
 	"io"
 	"maps"
 	"net/http"
+	"net/url"
 	"slices"
 	"strconv"
 	"strings"
@@ -493,7 +494,8 @@ func (s *HTTPServer) jobSubmissionQuery(resp http.ResponseWriter, req *http.Requ
 	}

 	var out structs.JobSubmissionResponse
-	if err := s.agent.RPC("Job.GetJobSubmission", &args, &out); err != nil {
+	err := s.agent.RPC("Job.GetJobSubmission", &args, &out)
+	if err != nil {
 		return nil, err
 	}

@@ -502,6 +504,13 @@ func (s *HTTPServer) jobSubmissionQuery(resp http.ResponseWriter, req *http.Requ
 		return nil, CodedError(404, "job source not found")
 	}

+	for k, v := range out.Submission.VariableFlags {
+		out.Submission.VariableFlags[k], err = url.QueryUnescape(v)
+		if err != nil {
+			return nil, err
+		}
+	}
+
 	return out.Submission, nil
 }

--- a/ui/app/utils/json-to-hcl.js
+++ b/ui/app/utils/json-to-hcl.js
@@ -16,7 +16,8 @@ export default function jsonToHcl(obj) {

  for (const key in obj) {
    const value = obj[key];
-    const hclValue = typeof value === 'string' ? `"${value}"` : value;
+    const hclValue = typeof value === 'string' ? JSON.stringify(value) : value;
+
    hclLines.push(`${key}=${hclValue}\n`);
  }