Status: Open (View Workflow)
Jenkins version: 2.199
Git plugin version: 3.12.1
OS version: CentOS 7 (3.10.0-1062.1.2.el7.x86_64)
Java version: 1.8.0_121
no Tomcat, no reverse proxy
Jenkins generates invalid JSON on http://.../api/json url due to Git commit messages are included in changeset comment attribute as is (the control chars like \x00-\x1F are not filtered).
The excerpt of JSON structure is attached.
|Field||Original Value||New Value|
|Attachment||invalid.json [ 50643 ]|
|Assignee||Mark Waite [ markewaite ]|
I believe this is an issue in Jenkins core rather than a specific issue in the git plugin.
|Component/s||core [ 15593 ]|
|Component/s||git-plugin [ 15543 ]|
|Summary||Control chars in Git commit messages cause invalid JSON||Control chars in Git commit messages cause invalid JSON from REST API|
I confirm this is an issue in the Jenkins core, likely even in the Stapler framework:
- There is no special filtering in the constructor or getter of https://github.com/jenkinsci/jenkins/blob/master/core/src/main/java/hudson/scm/ChangeLogSet.java . Since the class does not control export formats on its own, I believe this is a right behavior (though a risky one)
- JSON serialization is a maze, but I believe that the data escaping is done here: https://github.com/stapler/stapler/blob/master/core/src/main/java/org/kohsuke/stapler/export/JSONDataWriter.java#L103-L138
- The escaping code does not seem to be sufficient for the reported issue
covid19 Jenkins is a contributor-driven project, everybody is welcome to submit pull requests or to facilitate issue resolution in any other ways (visibility, reviews, etc.). There is no default assignee in the Jenkins core by default, and there is no ETA for the fix. If you are interested to submit a fix, please see the guidelines here: https://github.com/jenkinsci/jenkins/blob/master/CONTRIBUTING.md
|Labels||json serialization stapler|
Thanks for the report. I agree that is a bug. The JSON specification for strings states that:
The example you provided shows a "control-A" character that should be escaped but is not escaped. I believe that character should have been represented as \u0001 instead.