Jenkins / JENKINS-19457

Buggy plugin implementations break job configuration too easily


Details

    • Bug
    • Status: Resolved
    • Major
    • Resolution: Fixed
    • core

    Description

      The implementation of registerValidator() in hudson-behavior.js blindly pushes content from the Job configuration (attribute=checkUrl) into an eval() if the attribute "checkDependsOn" is absent.

      In cases where a plugin has no JavaScript in "checkUrl" but a plain URL string, the eval() call fails because the content is interpreted as a RegEx with invalid flags.

      Here is the current code in question, at lines 414 to 424:

      var url = this.getAttribute("checkUrl");
      var depends = this.getAttribute("checkDependsOn");
      
      if (depends==null) {// legacy behaviour where checkUrl is a JavaScript
          return eval(url); // need access to 'this', so no 'geval'
      } else {
      //...
      

      A simple fix to prevent the breakdown of the overall Job Configuration could be achieved as follows:

      var url = this.getAttribute("checkUrl");
      var depends = this.getAttribute("checkDependsOn");
      
      if (depends==null) {// legacy behaviour where checkUrl is a JavaScript
        try {
          return eval(url); // need access to 'this', so no 'geval'
        } catch(e) {
          return url; // if the URL is not JavaScript, simply return the URL
        }
      } else {
      //...
      

      This fix or a similar approach would make the UI more robust and less fragile, especially as the core application relies on external (plugin) code.
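
Added example, not part of the original report or of Jenkins' code: a Node.js reproduction of the quoted branch, the proposed try/catch, and a hypothetical stricter variant that goes one step beyond the report by also rejecting non-string results. The field object, the sample attribute values and the `return url` placeholders for the elided else-branch are constructed for illustration.

```javascript
// Constructed stand-in for a form field; only getAttribute() and value are used.
function fakeField(attrs) {
  return { value: "demo", getAttribute: (n) => (n in attrs ? attrs[n] : null) };
}

// Behaviour quoted in the report: checkUrl goes straight into eval().
function resolveOriginal() {
  const url = this.getAttribute("checkUrl");
  if (this.getAttribute("checkDependsOn") == null) return eval(url);
  return url; // placeholder: the real else-branch is elided in the report
}

// The fix proposed in the report: fall back to the raw attribute on any error.
function resolvePatched() {
  const url = this.getAttribute("checkUrl");
  if (this.getAttribute("checkDependsOn") == null) {
    try { return eval(url); } catch (e) { return url; }
  }
  return url; // placeholder, as above
}

// Hypothetical stricter variant: also reject results that are not strings.
function resolveChecked() {
  const url = this.getAttribute("checkUrl");
  if (this.getAttribute("checkDependsOn") == null) {
    try {
      const result = eval(url);
      return typeof result === "string" ? result : url;
    } catch (e) { return url; }
  }
  return url; // placeholder, as above
}

// Summarise what a resolver does with a field, without letting it throw.
function outcome(resolver, field) {
  try {
    const r = resolver.call(field);
    return typeof r === "string" ? "url " + r : "non-string " + Object.prototype.toString.call(r);
  } catch (e) {
    return "threw " + e.name;
  }
}

// Constructed sample attribute values.
const legacy = fakeField({ checkUrl: "'/check?value=' + encodeURIComponent(this.value)" });
const plain = fakeField({ checkUrl: "/descriptor/Foo/checkName" });
const regexLike = fakeField({ checkUrl: "/job/g" });
for (const f of [legacy, plain, regexLike]) {
  console.log([resolveOriginal, resolvePatched, resolveChecked].map((r) => outcome(r, f)));
}
```

A plain URL such as `/job/g` happens to parse as a regular-expression literal, so the try/catch alone hands back a RegExp object instead of a URL. All three variants still execute the attribute as code before anything else.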


            jabbrwcky Jens Hausherr added a comment - Added pull request https://github.com/jenkinsci/jenkins/pull/934

            scm_issue_link SCM/JIRA link daemon added a comment -

            Code changed in jenkins
            User: Jens Hausherr
            Path:
            war/src/main/webapp/scripts/hudson-behavior.js
            http://jenkins-ci.org/commit/jenkins/afa517e4615371d9a151ef2867dd385093fc8619
            Log:
            JENKINS-19457 Wrap eval in try-catch to prevent job configuration breakdown

            scm_issue_link SCM/JIRA link daemon added a comment -

            Code changed in jenkins
            User: Kohsuke Kawaguchi
            Path:
            changelog.html
            war/src/main/webapp/scripts/hudson-behavior.js
            http://jenkins-ci.org/commit/jenkins/b94cab3ac6c1e79fff4929ef1b025fe6716bfe55
            Log:
            [FIXED JENKINS-19457]

            Merge remote-tracking branch 'origin/pr/934'

            Compare: https://github.com/jenkinsci/jenkins/compare/dfd60492e7a8...b94cab3ac6c1

            dogfood dogfood added a comment -

            Integrated in jenkins_main_trunk #2858
            JENKINS-19457 Wrap eval in try-catch to prevent job configuration breakdown (Revision afa517e4615371d9a151ef2867dd385093fc8619)

            Result = SUCCESS
            jabbrwcky : afa517e4615371d9a151ef2867dd385093fc8619
            Files :

            • war/src/main/webapp/scripts/hudson-behavior.js

            scm_issue_link SCM/JIRA link daemon added a comment -

            Code changed in jenkins
            User: Kohsuke Kawaguchi
            Path:
            test/src/test/groovy/lib/form/TextAreaTest.groovy
            test/src/test/resources/lib/form/TextAreaTest/TestBuilder/config.jelly
            http://jenkins-ci.org/commit/jenkins/ac274f153b732d1834b9e0aa46ee6f64fa3527cb
            Log:
            JENKINS-19457

            Added a test case in an attempt to isolate the root cause of the problem, but this one works as expected. Hmm.

            dogfood dogfood added a comment -

            Integrated in jenkins_main_trunk #2859
            JENKINS-19457 (Revision ac274f153b732d1834b9e0aa46ee6f64fa3527cb)

            Result = SUCCESS
            kohsuke : ac274f153b732d1834b9e0aa46ee6f64fa3527cb
            Files :

            • test/src/test/resources/lib/form/TextAreaTest/TestBuilder/config.jelly
            • test/src/test/groovy/lib/form/TextAreaTest.groovy
            gordin Christoph Vogtländer added a comment - - edited

            Is this issue still present in the LTS version? I'm running into this problem on 1.554.1 and 1.532.3 LTS. Is there any chance to isolate the problem without deactivating all plug-ins? (JENKINS-19248 names publish-over-ssh as a possible culprit, which is not installed on my system). Unfortunately I do not configure jobs very often but update my plug-ins and core on a regular basis, so I do not know which plug-in/update might be causing this.
            Update: the plug-in causing this is JIRA Plugin for Jenkins 1.4.4 (1.4.2 and 1.4.3 are working correctly)

            jabbrwcky Jens Hausherr added a comment -

            The main problem is that it is not tied to a particular plugin. Each plugin you install contributes to the JavaScript executed on the configuration page of each job. If any one plugin introduces erroneous JavaScript, the whole configuration page stops working, leaving you guessing which plugin could be the culprit.

            The only real solution to this would be some kind of sandboxing of each plugin in an error handler that ensures that the rest of the configuration page still works, optimally telling the user which plugin broke so it can be fixed more easily.


            People

              Unassigned
              jabbrwcky Jens Hausherr