JENKINS-48625: Several git repo browser URL formats are not checked or documented

When filling in the "Configure Repository Browser" section of a multibranch pipeline Git source, or of a regular freestyle job, the URL format is neither specified nor hinted at for the following browsers:

      • Assembla
      • Gitiles
      • ViewGitWeb
      • GitBlit

According to markewaite, the FormValidation needs some updates for these browsers, and some automated tests would help for the FormValidation implementations.


Rishabh Budhouliya added a comment -

markewaite Hi, as mentioned by you earlier, there is a need to discuss the security threats related to the doCheck methods where on-the-fly validation needs an external connection. I hope we can discuss that issue here.

Rishabh Budhouliya added a comment -

Also, since browsers like Fisheye have implemented the doCheckURL method and are currently working, that might be a security concern as well.

          Mark Waite added a comment - - edited

          rishabhbudhouliya, I had a conversation with Daniel Beck and Wadeck Follonier and they reminded me that the form validation developer documentation on jenkins.io describes the @POST annotation which is needed.

          That documentation also describes the permission check which is needed before accessing an external URL from the doCheck() method. The assumption is that if the user has permission to configure the job definition, then the external URL can be checked.


Rishabh Budhouliya added a comment -

markewaite, thanks. I have read this documentation and have implemented both the @RequirePOST annotation and the permission check.
Last time we had a discussion that the scope of the permission check can be reduced from `Jenkins.getInstance().hasPermission()` to `Item.hasPermission()`.

I have implemented these suggestions, am just finishing up the test cases and will raise a PR soon!
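The pattern the two comments above describe, as an added example (not code from the git plugin or from the linked PR): a doCheck method that is POST-only and verifies Item.CONFIGURE on the job before opening any outbound connection. The descriptor class name is hypothetical; the Jenkins and Stapler types are real.

```java
import java.io.IOException;
import java.net.HttpURLConnection;
import java.net.MalformedURLException;
import java.net.URL;
import hudson.model.Descriptor;
import hudson.model.Item;
import hudson.scm.RepositoryBrowser;
import hudson.util.FormValidation;
import org.kohsuke.stapler.AncestorInPath;
import org.kohsuke.stapler.QueryParameter;
import org.kohsuke.stapler.interceptor.RequirePOST;

// Illustrative descriptor for a repository browser; the class name is hypothetical.
public class ExampleBrowserDescriptor extends Descriptor<RepositoryBrowser<?>> {
    // Without @RequirePOST and the permission check, this endpoint is reachable by GET
    // from anyone who can load the form, and it makes the controller open an outbound
    // connection to whatever URL the request carries.
    @RequirePOST  // validation requests must be POSTs; a plain GET is refused
    public FormValidation doCheckUrl(@AncestorInPath Item item,
                                     @QueryParameter String value) {
        // Only a user allowed to configure this job may trigger the outbound check.
        // Item.CONFIGURE is the narrower scope discussed above (vs. an instance-wide check).
        if (item == null || !item.hasPermission(Item.CONFIGURE)) {
            return FormValidation.ok(); // stay silent: no connection, nothing leaked
        }
        URL url;
        try {
            url = new URL(value == null ? "" : value.trim());
        } catch (MalformedURLException e) {
            return FormValidation.error("Not a valid URL: " + e.getMessage());
        }
        String scheme = url.getProtocol();
        if (!"http".equals(scheme) && !"https".equals(scheme)) {
            return FormValidation.error("Only http and https URLs are supported");
        }
        try {
            HttpURLConnection conn = (HttpURLConnection) url.openConnection();
            conn.setRequestMethod("HEAD");          // reachability only, no body
            conn.setConnectTimeout(5000);
            conn.setReadTimeout(5000);
            conn.setInstanceFollowRedirects(false); // do not chase redirects elsewhere
            int code = conn.getResponseCode();
            conn.disconnect();
            return code < 400 ? FormValidation.ok() : FormValidation.warning("Server answered HTTP " + code);
        } catch (IOException e) {
            return FormValidation.warning("Could not reach " + url.getHost() + ": " + e.getMessage());
        }
    }
}
```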

          Rishabh Budhouliya added a comment - Fix for this issue:  https://github.com/jenkinsci/git-plugin/pull/841

          Mark Waite added a comment -

          Released in git plugin 4.2.0 March 1, 2020


            rishabhbudhouliya Rishabh Budhouliya
            saucistophe Christophe Carpentier