
Check nullability of getCrumbIssuer() on the Wizard

      Jenkins.getInstance().getCrumbIssuer() method could potentially be null and the Admin user creation page is not checking it.

       

      See the comment from amuniz in https://github.com/jenkinsci/jenkins/commit/3c3977395633db0a2c9a29550e0249451fa97ba0#commitcomment-21985458

          [JENKINS-44010] Check nullability of getCrumbIssuer() on the Wizard

          Oleg Nenashev added a comment -

          If you expect it to be backported, there should be a much better description of the problem and the impact. As jglick said in another chat, this is probably a bad use-case.

          Jesse Glick added a comment -

          I do not propose this as an lts-candidate.

          Jesse Glick added a comment -

          Reproducible with difficulty:

          • start Jenkins on fresh home
          • log in as initial admin user
          • install custom plugins, click None and proceed
          • browse to /configureSecurity/ and uncheck Prevent Cross Site Request Forgery exploits and Save the form
          • return to the dashboard, showing the setup wizard again
          • fill out admin user form and submit
          … org.eclipse.jetty.util.log.JavaUtilLog warn
          WARNING: Error while serving …/setupWizard/createAdminUser
          java.lang.reflect.InvocationTargetException
          	at …
          Caused by: java.lang.NullPointerException
          	at jenkins.install.SetupWizard.doCreateAdminUser(SetupWizard.java:257)
          	at java.lang.invoke.MethodHandle.invokeWithArguments(MethodHandle.java:627)
          	at org.kohsuke.stapler.Function$MethodFunction.invoke(Function.java:343)
          	... 67 more
          

          Code changed in jenkins
          User: Jesse Glick
          Path:
          core/src/main/java/jenkins/install/SetupWizard.java
          core/src/main/java/jenkins/model/Jenkins.java
          http://jenkins-ci.org/commit/jenkins/ae1fdc95a1d50df65a97447ff536d21cb2c5dba2
          Log:
          [FIXED JENKINS-44010] It is possible for Jenkins.crumbIssuer to be unset while the setup wizard is running.
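
The failure mode discussed in this issue, as an added example that is not code from the Jenkins repository or from the commit above: a handler that dereferences a nullable crumb issuer, next to a version that reads it once into a local and omits the crumb when CSRF protection is off. `CrumbSource`, `Instance`, both handler names, and the field and crumb values are constructed stand-ins.

```java
import java.util.*;

// Constructed stand-ins, not Jenkins classes: CrumbSource plays the role of the
// crumb issuer, Instance plays the role of the Jenkins singleton.
public class CrumbNullCheckDemo {
    interface CrumbSource {
        String getCrumbRequestField();
        String getCrumb();
    }
    static class Instance {
        private volatile CrumbSource crumbIssuer; // null when CSRF protection is unchecked
        CrumbSource getCrumbIssuer() { return crumbIssuer; }
        void setCrumbIssuer(CrumbSource c) { crumbIssuer = c; }
    }

    // Before: dereferences the getter result directly, with no null check.
    static Map<String, String> createAdminUserUnchecked(Instance j) {
        Map<String, String> data = new LinkedHashMap<>();
        data.put("crumbRequestField", j.getCrumbIssuer().getCrumbRequestField());
        data.put("crumb", j.getCrumbIssuer().getCrumb());
        return data;
    }

    // After: read the getter once into a local (the field can change between two
    // calls), then add crumb data only when an issuer is configured.
    static Map<String, String> createAdminUserChecked(Instance j) {
        Map<String, String> data = new LinkedHashMap<>();
        CrumbSource issuer = j.getCrumbIssuer();
        if (issuer != null) {
            data.put("crumbRequestField", issuer.getCrumbRequestField());
            data.put("crumb", issuer.getCrumb());
        }
        return data;
    }

    public static void main(String[] args) {
        Instance j = new Instance();
        j.setCrumbIssuer(new CrumbSource() {
            public String getCrumbRequestField() { return "Jenkins-Crumb"; } // constructed value
            public String getCrumb() { return "constructed-sample-value"; }
        });
        System.out.println("issuer set:   " + createAdminUserChecked(j));
        j.setCrumbIssuer(null); // models the state after CSRF protection is unchecked and saved
        System.out.println("issuer unset: " + createAdminUserChecked(j));
        try { createAdminUserUnchecked(j); } catch (NullPointerException e) {
            System.out.println("unchecked handler: NullPointerException");
        }
    }
}
```

The checked handler returns an empty map when no issuer is configured, so a client reading the response has to treat the crumb fields as optional.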

          Oleg Nenashev added a comment -

          I have added the "lts-candidate" flag, because the fix is trivial enough && extra annotations never hurt

          Code changed in jenkins
          User: Jesse Glick
          Path:
          core/src/main/java/jenkins/install/SetupWizard.java
          core/src/main/java/jenkins/model/Jenkins.java
          http://jenkins-ci.org/commit/jenkins/543d184004e175da1efca68d9769eaa838763606
          Log:
          [FIXED JENKINS-44010] It is possible for Jenkins.crumbIssuer to be unset while the setup wizard is running.

          (cherry picked from commit ae1fdc95a1d50df65a97447ff536d21cb2c5dba2)

            jglick Jesse Glick
            alobato Alvaro Lobato