Details
-
Bug
-
Status: Resolved (View Workflow)
-
Major
-
Resolution: Fixed
-
None
Description
The implementation of registerValidator() in hudson-behavior.js blindly pushes content from the Job configuration (attribute=checkUrl) into an eval() if the attribute "checkDependsOn" is absent.
In cases where a plugin has no JavaScript in "checkUrl" but a plain URL String the eval() call fails as the content is interpreted as RegEx with invalid flags.
Here is the current code in Question at line 414 to 424:
var url = this.getAttribute("checkUrl"); var depends = this.getAttribute("checkDependsOn"); if (depends==null) {// legacy behaviour where checkUrl is a JavaScript return eval(url); // need access to 'this', so no 'geval' } else { //...
A simple fix to prevent the breakdown of the overall Job Configuration could be achieved as follows:
var url = this.getAttribute("checkUrl"); var depends = this.getAttribute("checkDependsOn"); if (depends==null) {// legacy behaviour where checkUrl is a JavaScript try { return eval(url); // need access to 'this', so no 'geval' } catch(e) { return url; // if the URL is not JavaScript, simply return the URL } } else { //...
This fix or a similar approach would make the UI more robust and less fragile, especially as the core application relies on external (plugin) code.
Attachments
Issue Links
- duplicates
-
-
- Resolved
-
- is blocking
-
-
- Resolved
-
- is duplicated by
-
-
- Resolved
-
-
-
- Resolved
-
-
-
- Resolved
-
Activity
Code changed in jenkins
User: Jens Hausherr
Path:
war/src/main/webapp/scripts/hudson-behavior.js
http://jenkins-ci.org/commit/jenkins/afa517e4615371d9a151ef2867dd385093fc8619
Log:
JENKINS-19457 Wrap eval in try-catch to prevent job configuration breakdown
Code changed in jenkins
User: Kohsuke Kawaguchi
Path:
changelog.html
war/src/main/webapp/scripts/hudson-behavior.js
http://jenkins-ci.org/commit/jenkins/b94cab3ac6c1e79fff4929ef1b025fe6716bfe55
Log:
[FIXED JENKINS-19457]
Merge remote-tracking branch 'origin/pr/934'
Compare: https://github.com/jenkinsci/jenkins/compare/dfd60492e7a8...b94cab3ac6c1
Integrated in 
jenkins_main_trunk #2858
JENKINS-19457 Wrap eval in try-catch to prevent job configuration breakdown (Revision afa517e4615371d9a151ef2867dd385093fc8619)
Result = SUCCESS
jabbrwcky : afa517e4615371d9a151ef2867dd385093fc8619
Files :
- war/src/main/webapp/scripts/hudson-behavior.js
Code changed in jenkins
User: Kohsuke Kawaguchi
Path:
test/src/test/groovy/lib/form/TextAreaTest.groovy
test/src/test/resources/lib/form/TextAreaTest/TestBuilder/config.jelly
http://jenkins-ci.org/commit/jenkins/ac274f153b732d1834b9e0aa46ee6f64fa3527cb
Log:
JENKINS-19457
Added a test case in an attempt to isolate the root cause of the problem, but this one works as expected. Hmm.
Integrated in jenkins_main_trunk #2859
JENKINS-19457 (Revision ac274f153b732d1834b9e0aa46ee6f64fa3527cb)
Result = SUCCESS
kohsuke : ac274f153b732d1834b9e0aa46ee6f64fa3527cb
Files :
- test/src/test/resources/lib/form/TextAreaTest/TestBuilder/config.jelly
- test/src/test/groovy/lib/form/TextAreaTest.groovy
Is this issue still present in LTS version? I'm running into this problem on 1.554.1 and 1.532.3 LTS. Is there any chance to isolate the problem without deactivating all plug-ins? (JENKINS-19248 names publish-over-ssh as a possible culprit which is not installed on my system). Unfortunately I do not configure jobs very often but update my plug-ins and core on a regularly basis so I do not know which plug-in/update might causing this.
Update: the plug-in causing this is JIRA Plugin for Jenkins 1.4.4 (1.4.2 and 1.4.3 are working correctly)
Jens Hausherr
added a comment - The main problem is that it is not tied to a particular plugin. Each plugin you install contributes to the javascript executed on the configuration page of each job. If any one plugin introduces an erroneous java script the whole configuration page stops working, leaving you gesssing which plugin could be the culprit.
The only real solution to this would be some kind of sandboxing of each plugin in an error handler that ensures that the rest of the configuration page still works, optimally telling the user which plugin broke so it can be fixed easier.
Jens Hausherr
added a comment - The main problem is that it is not tied to a particular plugin. Each plugin you install contributes to the javascript executed on the configuration page of each job. If any one plugin introduces an erroneous java script the whole configuration page stops working, leaving you gesssing which plugin could be the culprit.
The only real solution to this would be some kind of sandboxing of each plugin in an error handler that ensures that the rest of the configuration page still works, optimally telling the user which plugin broke so it can be fixed easier. 
Added pull request
https://github.com/jenkinsci/jenkins/pull/934