Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

[JENKINS-69659] Un-inline multiple occurrences of JavaScript in Jelly templates #130

Merged
merged 9 commits into from
Oct 1, 2024
Merged

[JENKINS-69659] Un-inline multiple occurrences of JavaScript in Jelly templates #130

merged 9 commits into from
Oct 1, 2024

Conversation

yaroslavafenkin
Copy link
Contributor

@yaroslavafenkin yaroslavafenkin commented Oct 21, 2022
edited
Loading

JENKINS-69659

  • Make sure you are opening from a topic/feature/bugfix branch (right side) and not your main branch!
  • Ensure that the pull request title represents the desired changelog entry
  • Please describe what you did
  • Link to relevant issues in GitHub or Jira
  • Link to relevant pull requests, esp. upstream and downstream changes
  • Ensure you have provided tests - that demonstrates feature works or fixes the issue

yaroslavafenkin
yaroslavafenkin commented Oct 22, 2022
View reviewed changes
src/main/java/hudson/matrix/LabelAxis.java
.append(jsStringEscape("/><label class='attach-previous'>")).append(escapedName).append(" (").append(escapedDescription).append(")</label>\"")
.toString();
// '${h.jsStringEscape('<input type="checkbox" name="values" json="'+h.htmlAttributeEscape(l.name)+'" ')}'+has("${h.jsStringEscape(l.name)}")+'${h.jsStringEscape('/><label class="attach-previous">'+l.name+' ('+l.description+')</label>')}'
return "<input type='checkbox' name='values' json='" +
Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Can revert this if there are objections, this was a refactoring suggested by IDE.

Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

FTR That code was a correction of a previous vulnerability, not sure the current version does not reintroduce issues.

With new YAHOO.widget.HTMLNode I am pretty sure it interprets the values as HTML. Have you tried to reproduce the previous vulnerability or to inject some payloads to understand the behavior? :)

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I think lines 89 and 90 are related to the vulnerability fix, unless you mean a different one that I'm not aware of.
I've checked with simple payloads I could think of, and content was escaped properly. I'll give it another shot too to make sure.

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I've re-checked, it seems fine to me. Tried couple different payloads, couldn't break it. User provided content is escaped. I'd appreciate someone else trying to break it though.

src/main/java/hudson/matrix/MatrixProject.java Outdated
@@ -1083,6 +1084,10 @@ public List<AxisDescriptor> getAxisDescriptors() {
return r;
}

public FormValidation doCheckDisplayName(@QueryParameter String value, @QueryParameter String name) {
return Jenkins.get().doCheckDisplayName(value, name);
Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

There are some limitations in checkDependsOn, and one of the ways around it was to proxy call this. I'm open to suggestions if anyone has an idea how to do it cleaner.

Wadeck
Wadeck reviewed Oct 24, 2022
View reviewed changes
Copy link

@Wadeck Wadeck left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

It seems to simplify too much the code, thus looking suspicious :trollface:

(not tested manually) but seems very promising

src/main/resources/hudson/matrix/LabelAxis/label-axis-resources.js Outdated Show resolved Hide resolved
src/main/java/hudson/matrix/LabelAxis.java
.append(jsStringEscape("/><label class='attach-previous'>")).append(escapedName).append(" (").append(escapedDescription).append(")</label>\"")
.toString();
// '${h.jsStringEscape('<input type="checkbox" name="values" json="'+h.htmlAttributeEscape(l.name)+'" ')}'+has("${h.jsStringEscape(l.name)}")+'${h.jsStringEscape('/><label class="attach-previous">'+l.name+' ('+l.description+')</label>')}'
return "<input type='checkbox' name='values' json='" +
Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

FTR That code was a correction of a previous vulnerability, not sure the current version does not reintroduce issues.

With new YAHOO.widget.HTMLNode I am pretty sure it interprets the values as HTML. Have you tried to reproduce the previous vulnerability or to inject some payloads to understand the behavior? :)

@jglick
Copy link
Member

jglick commented Aug 14, 2023

Merge conflicts @yaroslavafenkin; and @Wadeck did you plan to review again?

@Wadeck
Copy link

Wadeck commented Aug 14, 2023

No review required from me 👍

@mawinter69 mawinter69 mentioned this pull request Feb 3, 2024
Merged
mawinter69
mawinter69 reviewed Aug 28, 2024
View reviewed changes
src/main/java/hudson/matrix/MatrixProject.java
@@ -1083,6 +1085,11 @@ public List<AxisDescriptor> getAxisDescriptors() {
return r;
}

@Restricted(NoExternalUse.class)
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

With jenkinsci/jenkins#9150 the method becomes obsolete

@basil basil requested a review from a team as a code owner October 1, 2024 19:31
github-advanced-security[bot]
github-advanced-security bot found potential problems Oct 1, 2024
View reviewed changes
src/main/java/hudson/matrix/MatrixProject.java
@@ -1125,6 +1127,11 @@
return r;
}

@Restricted(NoExternalUse.class)
public FormValidation doCheckDisplayNameOrNull(@AncestorInPath MatrixProject job, @QueryParameter String value) {

Check warning

Code scanning / Jenkins Security Scan

Stapler: Missing POST/RequirePOST annotation Warning

Potential CSRF vulnerability: If DescriptorImpl#doCheckDisplayNameOrNull connects to user-specified URLs, modifies state, or is expensive to run, it should be annotated with @POST or @RequirePOST
src/main/java/hudson/matrix/MatrixProject.java
@@ -1125,6 +1127,11 @@
return r;
}

@Restricted(NoExternalUse.class)
public FormValidation doCheckDisplayNameOrNull(@AncestorInPath MatrixProject job, @QueryParameter String value) {

Check warning

Code scanning / Jenkins Security Scan

Stapler: Missing permission check Warning

Potential missing permission check in DescriptorImpl#doCheckDisplayNameOrNull
@basil basil changed the title [JENKINS-69659] Un-inline multiple occurrences of JS in jelly templates [JENKINS-69659] Un-inline multiple occurrences of JavaScript in Jelly templates Oct 1, 2024
basil added a commit to basil/acceptance-test-harness that referenced this pull request Oct 1, 2024
@basil
Test jenkinsci/matrix-project-plugin#130
fbe7955
@basil basil mentioned this pull request Oct 1, 2024
Closed
basil added a commit to basil/bom that referenced this pull request Oct 1, 2024
@basil
Test jenkinsci/matrix-project-plugin#130
8db6b73
@basil basil mentioned this pull request Oct 1, 2024
Closed
@basil
Copy link
Member

basil commented Oct 1, 2024

Passing ATH: jenkinsci/acceptance-test-harness#1747

@basil
Copy link
Member

basil commented Oct 1, 2024

Passing PCT: jenkinsci/bom#3652

@basil basil merged commit 4d7b7bf into jenkinsci:master Oct 1, 2024
16 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@mawinter69 mawinter69 mawinter69 left review comments

@Wadeck Wadeck Awaiting requested review from Wadeck

Assignees
No one assigned
Labels
enhancement
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
5 participants
@yaroslavafenkin @jglick @Wadeck @basil @mawinter69