Uploaded image for project: 'Jenkins'
  1. Jenkins
  2. JENKINS-61428

Control chars in Git commit messages cause invalid JSON from REST API

    XMLWordPrintable

    Details

    • Type: Bug
    • Status: Open (View Workflow)
    • Priority: Major
    • Resolution: Unresolved
    • Component/s: core
    • Environment:
      Jenkins version: 2.199
      Git plugin version: 3.12.1
      OS version: CentOS 7 (3.10.0-1062.1.2.el7.x86_64)
      Java version: 1.8.0_121
      no Tomcat, no reverse proxy
    • Similar Issues:

      Description

      Jenkins generates invalid JSON on http://.../api/json url due to Git commit messages are included in changeset comment attribute as is (the control chars like \x00-\x1F are not filtered).

      The excerpt of JSON structure is attached.

        Attachments

          Activity

          covid19 Evgeny Boloboshkin created issue -
          covid19 Evgeny Boloboshkin made changes -
          Field Original Value New Value
          Attachment invalid.json [ 50643 ]
          Hide
          markewaite Mark Waite added a comment -

          Thanks for the report. I agree that is a bug. The JSON specification for strings states that:

          All Unicode characters may be placed within the quotation marks, except for the characters that MUST be escaped: quotation mark, reverse solidus, and the control characters (U+0000 through U+001F).

          The example you provided shows a "control-A" character that should be escaped but is not escaped. I believe that character should have been represented as \u0001 instead.

          Show
          markewaite Mark Waite added a comment - Thanks for the report. I agree that is a bug. The JSON specification for strings states that: All Unicode characters may be placed within the quotation marks, except for the characters that MUST be escaped: quotation mark, reverse solidus, and the control characters (U+0000 through U+001F). The example you provided shows a "control-A" character that should be escaped but is not escaped. I believe that character should have been represented as \u0001 instead.
          markewaite Mark Waite made changes -
          Assignee Mark Waite [ markewaite ]
          Hide
          markewaite Mark Waite added a comment -

          I believe this is an issue in Jenkins core rather than a specific issue in the git plugin.

          Show
          markewaite Mark Waite added a comment - I believe this is an issue in Jenkins core rather than a specific issue in the git plugin.
          markewaite Mark Waite made changes -
          Component/s core [ 15593 ]
          Component/s git-plugin [ 15543 ]
          markewaite Mark Waite made changes -
          Summary Control chars in Git commit messages cause invalid JSON Control chars in Git commit messages cause invalid JSON from REST API
          Hide
          covid19 Evgeny Boloboshkin added a comment -

          Mark Waite assign the ticket please.

          Show
          covid19 Evgeny Boloboshkin added a comment - Mark Waite assign the ticket please.
          Hide
          oleg_nenashev Oleg Nenashev added a comment - - edited

          I confirm this is an issue in the Jenkins core, likely even in the Stapler framework:

          Evgeny Boloboshkin Jenkins is a contributor-driven project, everybody is welcome to submit pull requests or to facilitate issue resolution in any other ways (visibility, reviews, etc.). There is no default assignee in the Jenkins core by default, and there is no ETA for the fix. If you are interested to submit a fix, please see the guidelines here: https://github.com/jenkinsci/jenkins/blob/master/CONTRIBUTING.md

           

          Show
          oleg_nenashev Oleg Nenashev added a comment - - edited I confirm this is an issue in the Jenkins core, likely even in the Stapler framework:  There is no special filtering in the constructor or getter of  https://github.com/jenkinsci/jenkins/blob/master/core/src/main/java/hudson/scm/ChangeLogSet.java  . Since the class does not control export formats on its own, I believe this is a right behavior (though a risky one) JSON serialization is a maze, but I believe that the data escaping is done here:  https://github.com/stapler/stapler/blob/master/core/src/main/java/org/kohsuke/stapler/export/JSONDataWriter.java#L103-L138 The escaping code does not seem to be sufficient for the reported issue Evgeny Boloboshkin Jenkins is a contributor-driven project, everybody is welcome to submit pull requests or to facilitate issue resolution in any other ways (visibility, reviews, etc.). There is no default assignee in the Jenkins core by default, and there is no ETA for the fix. If you are interested to submit a fix, please see the guidelines here:  https://github.com/jenkinsci/jenkins/blob/master/CONTRIBUTING.md  
          oleg_nenashev Oleg Nenashev made changes -
          Labels json serialization stapler

            People

            Assignee:
            Unassigned Unassigned
            Reporter:
            covid19 Evgeny Boloboshkin
            Votes:
            0 Vote for this issue
            Watchers:
            3 Start watching this issue

              Dates

              Created:
              Updated: