Status: Closed
Jenkins 2.95, Windows
When filling in the "Configure Repository Browser" in a multibranch pipeline Git section, or in a regular freestyle job, the URL format is neither specified nor hinted at for the following browsers:
According to markewaite, the FormValidation needs some update for these browsers - and some automated tests would help for the FormValidation implementations.
- is related to
JENKINS-48101 gitBlitRepositoryBrowser doesn't work in jobDSL
JENKINS-48064 The expected format of Fisheye browser URL is not explicitly documented
Also, since browsers like Fisheye have implemented the doCheckURL method and are currently working, that might be a security concern as well.
rishabhbudhouliya, I had a conversation with Daniel Beck and Wadeck Follonier and they reminded me that the form validation developer documentation on jenkins.io describes the @POST annotation which is needed.
That documentation also describes the permission check which is needed before accessing an external URL from the doCheck() method. The assumption is that if the user has permission to configure the job definition, then the external URL can be checked.
markewaite, thanks. I have read this documentation and have implemented both the @RequirePost annotation and the permission check.
Last time we had a discussion that the scope of the permission check can be reduced from `Jenkins.getInstance().hasPermission()` to `Item.hasPermission()`.
I have implemented these suggestions, just finishing up the test cases and would raise a PR soon!
Fix for this issue: https://github.com/jenkinsci/git-plugin/pull/841
markewaite Hi, as mentioned by you earlier, there is a need to discuss the security threats related to the doCheck methods where on-the-fly validation needs an external connection. I hope we can discuss that issue here.
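The two safeguards discussed in the comments above (POST-only form validation and a permission check before any external URL is contacted), shown as an added example that is not code from git-plugin or from the linked PR. The class name `ExampleBrowserUrlCheck`, the parameter names and the messages are hypothetical; it assumes Jenkins core and Stapler on the classpath.

```java
// Added example, not git-plugin source. In a plugin this method would live on
// the repository browser's Descriptor; the holder class here is hypothetical.
import hudson.Util;
import hudson.model.Item;
import hudson.util.FormValidation;
import java.net.URI;
import java.net.URISyntaxException;
import jenkins.model.Jenkins;
import org.kohsuke.stapler.AncestorInPath;
import org.kohsuke.stapler.QueryParameter;
import org.kohsuke.stapler.interceptor.RequirePOST;

public class ExampleBrowserUrlCheck {

    // POST only: a plain link or image tag in another page cannot trigger the check.
    @RequirePOST
    public FormValidation doCheckUrl(@AncestorInPath Item item,
                                     @QueryParameter String value) {
        // Permission check comes first, before the value is parsed or any
        // connection is opened. Scope it to the job being configured; fall
        // back to a controller-wide check only when there is no job context.
        if (item == null) {
            if (!Jenkins.get().hasPermission(Jenkins.ADMINISTER)) {
                return FormValidation.ok();
            }
        } else if (!item.hasPermission(Item.CONFIGURE)) {
            return FormValidation.ok();
        }

        String url = Util.fixEmptyAndTrim(value);
        if (url == null) {
            return FormValidation.error("URL is required");
        }
        final URI uri;
        try {
            uri = new URI(url);
        } catch (URISyntaxException e) {
            return FormValidation.error("Not a valid URL: " + e.getReason());
        }
        String scheme = uri.getScheme();
        boolean http = "http".equalsIgnoreCase(scheme) || "https".equalsIgnoreCase(scheme);
        if (!http || uri.getHost() == null) {
            return FormValidation.error("Expected an absolute http(s) URL");
        }
        // Only at this point would a validator that needs an external
        // connection open it, on behalf of a user allowed to configure the job.
        return FormValidation.ok();
    }
}
```

Returning `FormValidation.ok()` to a caller without permission keeps the endpoint from revealing anything about the submitted URL to users who cannot configure the job.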