
antisamy-markup-formatter-plugin v2.0 filters input fields from uno-choice plugin

      With Active Choices and OWASP Markup Formatter Plugin v2.0 installed, "input" elements are being stripped from "Formatted HTML" parameters.  This is not an issue with OWASP Markup Formatter Plugin v1.8.  Since this is one of the main use-cases of the Active Choices plugin, I assume this is a bug.  There also doesn't seem to be a way to configure the markup formatter that the Active Choices plugin uses.


      Attached are screenshots of the parameter config, the working "input" field with v1.8, and the missing input field with v2.0.

        1. bruno-screenshot-1.png (66 kB)
        2. bruno-screenshot-2.png (127 kB)
        3. bruno-screenshot-3.png (93 kB)
        4. markup-formatter-1.8.png (28 kB)
        5. markup-formatter-2.0.png (28 kB)
        6. parameter-config.png (267 kB)


          Andrew Potter added a comment - edited

          ioannis The issue occurs whether the Markup Formatter option is set to Plain Text or Safe HTML.


          I wasn't able to find version 2.2.3 of the Active choices plugin, either in GitHub Releases (https://github.com/jenkinsci/active-choices-plugin/releases) or the update site (https://updates.jenkins.io/download/plugins/uno-choice/).  From the README (https://github.com/jenkinsci/active-choices-plugin#version-23-2020) it looks like 2.3 is the next pending version.


          Ioannis Moutsatsos added a comment -

          apottere It's possible that I have an intermediate AC snapshot as I usually do some testing before final release. Nonetheless, I seriously doubt that the issue will turn out to be active choices itself. You seem to have isolated the issue to the antisamy-markup-formatter-plugin v2.0, but all I'm saying is that this version works for me and my (rather permissive) Jenkins instance.

          I use the following Jenkins startup parameters that you may also want to test. I suspect that the CustomJellyContext may be of special interest here

          -Dhudson.model.DirectoryBrowserSupport.CSP= -Dorg.kohsuke.stapler.jelly.CustomJellyContext.escapeByDefault="false"


          Andrew Potter added a comment -

          ioannis sorry, must have missed the email for your comment.  I created a git repo with a run script, the current versions of both plugins, and the java opts you specify.  When I run it, the input field is not displayed.


          https://github.com/apottere/JENKINS-62215


          I also included ".bak" versions of both plugins, which are the older (working) versions.  Let me know if you get different results.


          Andrew Potter added a comment -

          It looks like this was an intentional change in the markup-formatter plugin: https://github.com/jenkinsci/antisamy-markup-formatter-plugin/pull/12

          It really seems like there's no way you should be able to see `input` fields with any version of the Active Choices plugin after that markup formatter update.  Either this issue should be fixed or the docs for Active Choices should be updated to make it clear that using form fields is no longer an option with the groovy sandbox (and the corresponding sanitation).


          Bruno P. Kinoshita added a comment -

          That's funny apottere, I'm using the `master` branch of the git repo, and `mvn clean install` then `mvn hpi:run`. Trying to reproduce the issue before switching the branch to your PR, but no luck.

          But no matter what I try, it still renders the input fine for me?

          Any idea what I could be missing? The plugin integration was a contribution after we were blocked by Jenkins security, and it "just worked", so I never bothered digging deeper to understand how everything works. So I may be missing some important step?

          Thanks
          Bruno


          Andrew Potter added a comment -

          kinow can you try running the following in your script console?

          import jenkins.model.Jenkins
          import hudson.markup.RawHtmlMarkupFormatter

          // Report the installed version of the OWASP Markup Formatter plugin
          println("Markup Formatter Version: " + Jenkins.get().getPlugin("antisamy-markup-formatter").getWrapper().getVersion())
          // Run a sample <input> element through the Safe HTML formatter and print what survives
          println("Formatted: '${RawHtmlMarkupFormatter.INSTANCE.translate('<input type="text" name="value" value="bar" />')}'")

          That gives the following result on my test instance:

          Markup Formatter Version: 2.0
          Formatted: ''

          And when I downgrade the plugins:

          Markup Formatter Version: 1.8
          Formatted: '<input type="text" name="value" value="bar">'

          AFAICT it looks like formatting with RawHtmlMarkupFormatter is unavoidable when using the groovy sandbox, per this line: https://github.com/biouno/uno-choice-plugin/blob/master/src/main/java/org/biouno/unochoice/model/GroovyScript.java#L174
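The script console check above shows the result from the caller's side only: under the stricter policy the formatter returns an empty string for an `<input>` element. The Python below is an added example, not code from the Active Choices plugin or the OWASP Markup Formatter plugin. It is a small allowlist sanitizer with two constructed policies, PERMISSIVE_POLICY (keeps form controls, producing the same output quoted for 1.8 above) and STRICT_POLICY (drops them, producing the empty string quoted for 2.0), to make the mechanism concrete: an allowlist sanitizer does not "filter out" a disallowed element so much as never emit it, while keeping any text it wrapped. The element and attribute lists, and the href scheme check, are my own illustration, not the real plugin policy.

```python
"""Allowlist HTML sanitizer showing why a stricter policy leaves nothing of an <input>.

Added example; this is not the Jenkins Markup Formatter or Active Choices code.
The policies below are constructed to mimic the behaviour reported in the thread.
"""
from html import escape
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Elements whose text content is dropped together with the tag.
DROP_WITH_CONTENT = {"script", "style"}
# Void elements are emitted without a closing tag.
VOID_ELEMENTS = {"input", "br", "img", "hr"}
# URL schemes permitted in href attributes; any other scheme drops the attribute.
SAFE_SCHEMES = {"http", "https", "mailto"}

# Constructed policy resembling the 1.8-era behaviour: form controls survive.
PERMISSIVE_POLICY = {
    "b": set(), "i": set(), "p": set(), "br": set(),
    "a": {"href"},
    "input": {"type", "name", "value"},
}
# Constructed policy resembling the 2.0 behaviour: no form controls at all.
STRICT_POLICY = {tag: attrs for tag, attrs in PERMISSIVE_POLICY.items() if tag != "input"}


class AllowlistSanitizer(HTMLParser):
    """Re-serialises only allowlisted elements and attributes; nothing else is ever emitted."""

    def __init__(self, policy):
        super().__init__(convert_charrefs=True)
        self.policy = policy
        self.out = []
        self.skip_depth = 0  # > 0 while inside a script/style element

    def handle_starttag(self, tag, attrs):
        if tag in DROP_WITH_CONTENT:
            self.skip_depth += 1
            return
        if self.skip_depth or tag not in self.policy:
            return  # element not in the policy: the tag is dropped, its text content is kept
        kept = []
        for name, value in attrs:
            if name not in self.policy[tag]:
                continue  # attributes such as onclick are never allowlisted
            if name == "href" and value is not None:
                scheme = urlsplit(value).scheme.lower()
                if scheme and scheme not in SAFE_SCHEMES:
                    continue
            kept.append(name if value is None else f'{name}="{escape(value, quote=True)}"')
        self.out.append("<" + " ".join([tag] + kept) + ">")

    def handle_endtag(self, tag):
        # <input ... /> reaches here via handle_startendtag, which calls start then end.
        if tag in DROP_WITH_CONTENT:
            self.skip_depth = max(0, self.skip_depth - 1)
            return
        if self.skip_depth or tag not in self.policy or tag in VOID_ELEMENTS:
            return
        self.out.append(f"</{tag}>")

    def handle_data(self, data):
        if not self.skip_depth:
            self.out.append(escape(data, quote=False))


def sanitize(markup, policy):
    """Return the sanitized serialisation of markup under the given allowlist policy."""
    parser = AllowlistSanitizer(policy)
    parser.feed(markup)
    parser.close()
    return "".join(parser.out)


if __name__ == "__main__":
    # Constructed sample: the same element used in the script console check.
    sample = '<input type="text" name="value" value="bar" />'
    print("permissive:", repr(sanitize(sample, PERMISSIVE_POLICY)))
    print("strict:    ", repr(sanitize(sample, STRICT_POLICY)))
```

Running it prints the 1.8-style serialisation for the permissive policy and `''` for the strict one, which is exactly the difference the two script console runs show; a job that relies on rendered form controls therefore cannot be made to work by changing the markup text, only by changing which policy is applied.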


          Bruno P. Kinoshita added a comment -

          That's interesting. I got

          Result

          Markup Formatter Version: 2.0
          Formatted: ''

          I tried setting up security, without luck. I still couldn't reproduce the issue. I tried to upgrade the Jenkins version in pom.xml to the latest LTS version. The new UI is neat, but broke active choices (I think I saw that coming from another issue about replacing tables by divs).

          Then I ran out of time for testing it, sorry. Next time I have some spare time to work on the plugin I will try running the LTS war with the latest version instead.

          Things that I am concerned about when reviewing the PR:

          1. need to properly reproduce the issue before merging and releasing it
          2. would be good to get someone - if possible - from the Jenkins security team to confirm the plugin won't be blocked. I think the markup plugin was added due to a CVE with active choices that removed the plugin from update center. That's something that we need to try to avoid.
          3. update docs about it

          Cheers
          Bruno


          Andrew Potter added a comment -

          kinow it looks like you got the right output in the script console, are you sure the job was using the groovy sandbox?  It only uses the markup sanitization when the groovy sandbox is used.  I'm not sure if you saw but I have a repo that uses the jenkins docker image to reproduce the issue: https://github.com/apottere/JENKINS-62215


          Bruno P. Kinoshita added a comment -

          Fixed in 2.4. Thanks apottere


          Bruno P. Kinoshita added a comment -

          In 2.4


            kinow Bruno P. Kinoshita
            apottere Andrew Potter