Jenkins / JENKINS-48625

Several git repo browser URL formats are not checked or documented

Details

    Description

      When filling the "Configure Repository Browser" in a multibranch pipeline Git section, or in a regular freestyle job, the URL format is not specified nor hinted for the following browsers:

      • Assembla
      • Gitiles
      • ViewGitWeb
      • GitBlit

      According to markewaite, the FormValidation needs some update for these browsers - and some automated tests would help for the FormValidation implementations.

          Activity

            rishabhbudhouliya Rishabh Budhouliya added a comment - markewaite Hi, as mentioned by you earlier, there is a need to discuss the security threats related to the doCheck methods where on-the-fly validation needs an external connection. I hope we can discuss that issue here.

            rishabhbudhouliya Rishabh Budhouliya added a comment - Also, since browsers like Fisheye have implemented the doCheckURL method and are currently working, that might be a security concern as well.
            markewaite Mark Waite added a comment - - edited

            rishabhbudhouliya, I had a conversation with Daniel Beck and Wadeck Follonier and they reminded me that the form validation developer documentation on jenkins.io describes the @POST annotation which is needed.

            That documentation also describes the permission check which is needed before accessing an external URL from the doCheck() method. The assumption is that if the user has permission to configure the job definition, then the external URL can be checked.


            rishabhbudhouliya Rishabh Budhouliya added a comment - markewaite , thanks. I have read this documentation and have implemented both @RequirePost annotation and the permission check. Last time we had a discussion that the scope of the permission check can be reduced from `Jenkins.getInstance().hasPermission()` to `Item.hasPermission()`.  I have implemented these suggestions, just finishing up the test cases and would raise a PR soon!
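
The pattern discussed in the comments above (POST-only form validation plus an item-scoped permission check before any outbound connection), as an added example. It is not the git plugin's code and not written by any commenter; the class name `ExampleBrowserDescriptor`, the method name `doCheckRepoUrl`, the messages and the HEAD probe are assumptions made for illustration.

```java
import hudson.model.Item;
import hudson.util.FormValidation;
import java.io.IOException;
import java.net.HttpURLConnection;
import java.net.MalformedURLException;
import java.net.URL;
import org.kohsuke.stapler.AncestorInPath;
import org.kohsuke.stapler.QueryParameter;
import org.kohsuke.stapler.interceptor.RequirePOST;

// Hypothetical descriptor fragment; class and method names are illustrative.
public class ExampleBrowserDescriptor {

    // @RequirePOST rejects GET requests, so a crafted link or image tag cannot
    // make a logged-in user's browser trigger the outbound connection.
    @RequirePOST
    public FormValidation doCheckRepoUrl(@AncestorInPath Item project,
                                         @QueryParameter String value) {
        // Item-scoped check: only a user who may configure this job can make
        // the controller contact an external host. Others get a neutral result.
        if (project == null || !project.hasPermission(Item.CONFIGURE)) {
            return FormValidation.ok();
        }
        if (value == null || value.trim().isEmpty()) {
            return FormValidation.ok(); // nothing entered yet
        }
        URL url;
        try {
            url = new URL(value.trim());
        } catch (MalformedURLException e) {
            return FormValidation.error("Malformed URL");
        }
        String scheme = url.getProtocol();
        if (!"http".equals(scheme) && !"https".equals(scheme)) {
            return FormValidation.error("URL must use http or https");
        }
        try {
            HttpURLConnection conn = (HttpURLConnection) url.openConnection();
            conn.setRequestMethod("HEAD");
            conn.setConnectTimeout(5000);
            conn.setReadTimeout(5000);
            conn.setInstanceFollowRedirects(false); // do not chase redirects
            int status = conn.getResponseCode();
            conn.disconnect();
            return status < 400 ? FormValidation.ok()
                    : FormValidation.warning("Server answered HTTP " + status);
        } catch (IOException e) {
            // Keep exception details out of the form response.
            return FormValidation.warning("Unable to connect to the URL");
        }
    }
}
```

The matching Jelly field has to send the validation request as POST (`checkMethod="post"` on the form control), otherwise the check is rejected.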
            rishabhbudhouliya Rishabh Budhouliya added a comment - Fix for this issue:  https://github.com/jenkinsci/git-plugin/pull/841
            markewaite Mark Waite added a comment -

            Released in git plugin 4.2.0 March 1, 2020


            People

              rishabhbudhouliya Rishabh Budhouliya
              saucistophe Christophe Carpentier