CVE-2020-2096/SECURITY-1683 issue

[LeonHagenaarsKeus]

Jenkins states that the plugin has a CVE where not escaping project names in 'build_now' results in a reflected cross-site scripting vulnerability.

https://www.jenkins.io/security/advisory/2020-01-15/#SECURITY-1683

[LeonHagenaarsKeus]

The main issue appears to be

gitlab-hook-plugin/models/api.rb

Line 102 in d52d8b4

"Don't know how to process '/#{params[:splat].first}'",

where

          "Don't know how to process '/#{CGI::escapeHTML(params[:splat].first)}'",

or similar would fix the issue.

Can't test/build at the moment, as setting up a test environment which can run the version of ruby required takes more time then I currently have available.