JENKINS-44010

Check nullability of getCrumbIssuer() on the Wizard


Details

    Description

      Jenkins.getInstance().getCrumbIssuer() method could potentially be null and the Admin user creation page is not checking it.


      See the comment from amuniz in https://github.com/jenkinsci/jenkins/commit/3c3977395633db0a2c9a29550e0249451fa97ba0#commitcomment-21985458

          Activity

            oleg_nenashev Oleg Nenashev added a comment -

            If you expect it to be backported, there should be a much better description of the problem and the impact. As jglick said in another chat, this is probably a bad use-case.

            jglick Jesse Glick added a comment -

            I do not propose this as an lts-candidate.

            jglick Jesse Glick added a comment -

            Reproducible with difficulty:

            • start Jenkins on fresh home
            • log in as initial admin user
            • install custom plugins, click None and proceed
            • browse to /configureSecurity/ and uncheck Prevent Cross Site Request Forgery exploits and Save the form
            • return to the dashboard, showing the setup wizard again
            • fill out admin user form and submit
            … org.eclipse.jetty.util.log.JavaUtilLog warn
            WARNING: Error while serving …/setupWizard/createAdminUser
            java.lang.reflect.InvocationTargetException
            	at …
            Caused by: java.lang.NullPointerException
            	at jenkins.install.SetupWizard.doCreateAdminUser(SetupWizard.java:257)
            	at java.lang.invoke.MethodHandle.invokeWithArguments(MethodHandle.java:627)
            	at org.kohsuke.stapler.Function$MethodFunction.invoke(Function.java:343)
            	... 67 more
            
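The failure mode in the reproduction above, modeled as an added example (not Jenkins code and not part of any comment in this issue): a handler that dereferences the crumb issuer unconditionally, beside one that checks it first. The `CrumbIssuer` interface, the `configuredIssuer` field, both `response*` methods and the sample crumb values are hypothetical stand-ins; the only thing taken from the issue is that `getCrumbIssuer()` can return null once CSRF protection has been unchecked.

```java
import java.util.LinkedHashMap;
import java.util.Map;

public class CrumbNullCheckDemo {

    /** Hypothetical stand-in for a CSRF crumb issuer (not the Jenkins class). */
    interface CrumbIssuer {
        String getCrumbRequestField();
        String getCrumb();
    }

    /** Stand-in for global config: null when CSRF protection is switched off. */
    static CrumbIssuer configuredIssuer;

    static CrumbIssuer getCrumbIssuer() { return configuredIssuer; }

    /** Unchecked form: dereferences the issuer unconditionally. */
    static Map<String, String> responseUnchecked() {
        CrumbIssuer issuer = getCrumbIssuer();
        Map<String, String> data = new LinkedHashMap<>();
        data.put("crumbRequestField", issuer.getCrumbRequestField()); // NPE if issuer is null
        data.put("crumb", issuer.getCrumb());
        return data;
    }

    /** Checked form: crumb fields are added only when an issuer exists. */
    static Map<String, String> responseChecked() {
        CrumbIssuer issuer = getCrumbIssuer();
        Map<String, String> data = new LinkedHashMap<>();
        if (issuer != null) {
            data.put("crumbRequestField", issuer.getCrumbRequestField());
            data.put("crumb", issuer.getCrumb());
        }
        return data;
    }

    public static void main(String[] args) {
        configuredIssuer = new CrumbIssuer() {
            public String getCrumbRequestField() { return "Example-Crumb"; } // constructed value
            public String getCrumb() { return "0123abcd"; }                  // constructed value
        };
        System.out.println("issuer set, checked:    " + responseChecked());
        configuredIssuer = null; // CSRF protection unchecked while the wizard is still pending
        System.out.println("issuer null, checked:   " + responseChecked());
        try {
            responseUnchecked();
        } catch (NullPointerException e) {
            System.out.println("issuer null, unchecked: NullPointerException");
        }
    }
}
```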

            scm_issue_link SCM/JIRA link daemon added a comment -

            Code changed in jenkins
            User: Jesse Glick
            Path:
            core/src/main/java/jenkins/install/SetupWizard.java
            core/src/main/java/jenkins/model/Jenkins.java
            http://jenkins-ci.org/commit/jenkins/ae1fdc95a1d50df65a97447ff536d21cb2c5dba2
            Log:
            [FIXED JENKINS-44010] It is possible for Jenkins.crumbIssuer to be unset while the setup wizard is running.
            oleg_nenashev Oleg Nenashev added a comment -

            I have added the "lts-candidate" flag, because the fix is trivial enough && extra annotations never hurt


            scm_issue_link SCM/JIRA link daemon added a comment -

            Code changed in jenkins
            User: Jesse Glick
            Path:
            core/src/main/java/jenkins/install/SetupWizard.java
            core/src/main/java/jenkins/model/Jenkins.java
            http://jenkins-ci.org/commit/jenkins/543d184004e175da1efca68d9769eaa838763606
            Log:
            [FIXED JENKINS-44010] It is possible for Jenkins.crumbIssuer to be unset while the setup wizard is running.

            (cherry picked from commit ae1fdc95a1d50df65a97447ff536d21cb2c5dba2)

            People

              jglick Jesse Glick
              alobato Alvaro Lobato