JENKINS-62215

antisamy-markup-formatter-plugin v2.0 filters input fields from uno-choice plugin

      Description

With Active Choices and OWASP Markup Formatter Plugin v2.0 installed, "input" elements are being stripped from "Formatted HTML" parameters. This is not an issue with OWASP Markup Formatter Plugin v1.8. Since this is one of the main use-cases of the Active Choices plugin, I assume this is a bug. There also doesn't seem to be a way to configure the markup formatter that the Active Choices plugin uses.

Attached are screenshots of the parameter config, the working "input" field with v1.8, and the missing input field with v2.0.

Attachments

1. bruno-screenshot-1.png (66 kB, Bruno P. Kinoshita)
2. bruno-screenshot-2.png (127 kB, Bruno P. Kinoshita)
3. bruno-screenshot-3.png (93 kB, Bruno P. Kinoshita)
4. markup-formatter-1.8.png (28 kB, Andrew Potter)
5. markup-formatter-2.0.png (28 kB, Andrew Potter)
6. parameter-config.png (267 kB, Andrew Potter)

          Activity

          apottere Andrew Potter added a comment -

Bruno P. Kinoshita can you try running the following in your script console?

    import jenkins.model.Jenkins
    import hudson.markup.RawHtmlMarkupFormatter

    println("Markup Formatter Version: " + Jenkins.get().getPlugin("antisamy-markup-formatter").getWrapper().getVersion())
    println("Formatted: '${RawHtmlMarkupFormatter.INSTANCE.translate('<input type="text" name="value" value="bar" />')}'")

That gives the following result on my test instance:

    Markup Formatter Version: 2.0
    Formatted: ''

And when I downgrade the plugins:

    Markup Formatter Version: 1.8
    Formatted: '<input type="text" name="value" value="bar">'

AFAICT it looks like formatting with RawHtmlMarkupFormatter is unavoidable when using the groovy sandbox, per this line: https://github.com/biouno/uno-choice-plugin/blob/master/src/main/java/org/biouno/unochoice/model/GroovyScript.java#L174

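The script console output above shows the v2.0 formatter returning an empty string for the `<input>` element while v1.8 returns it with its attributes intact. The Python sanitizer below is an added illustration of the general mechanism, not code from the Markup Formatter plugin or the Active Choices plugin: an allowlist-based HTML sanitizer emits nothing for an element that is not in its policy, while a policy that allowlists `input` with only `type`, `name` and `value` keeps the field but still discards event-handler attributes, `javascript:` URLs and `<script>` content. `STRICT_POLICY` and `FORM_POLICY` are constructed assumptions for this example; they are not the rulesets either plugin version actually ships.

```python
"""Allowlist HTML sanitizer (added illustration; not the Jenkins plugins' code)."""
from html import escape
from html.parser import HTMLParser

# Constructed policies: tag -> attributes allowed on that tag. Anything not
# listed is dropped. These are assumptions for the example, not the plugin's rules.
STRICT_POLICY = {"b": set(), "i": set(), "p": set(), "a": {"href"}}
FORM_POLICY = {**STRICT_POLICY, "input": {"type", "name", "value"}}

VOID_ELEMENTS = {"input", "br", "img", "hr"}
SAFE_URL_SCHEMES = ("http:", "https:", "mailto:")

# The exact string Andrew's script console snippet fed to the formatter.
PAGE_INPUT = '<input type="text" name="value" value="bar" />'


class AllowlistSanitizer(HTMLParser):
    """Keep only allowlisted elements and attributes; drop everything else."""

    def __init__(self, policy):
        super().__init__(convert_charrefs=True)
        self.policy = policy
        self.out = []
        self.open_tags = []   # allowlisted elements we emitted and still have to close
        self.raw_depth = 0    # > 0 while inside <script>/<style>; their text is discarded

    def _safe_attr(self, tag, name, value):
        # Event handlers are never allowed, even if a policy listed them by mistake.
        if name not in self.policy[tag] or name.startswith("on"):
            return False
        if name in ("href", "src"):
            v = (value or "").strip().lower()
            return v.startswith(SAFE_URL_SCHEMES) or v.startswith(("/", "#"))
        return True

    def handle_starttag(self, tag, attrs):
        if tag in ("script", "style"):
            self.raw_depth += 1
            return
        if tag not in self.policy:
            return  # element removed; its text content still arrives via handle_data
        parts = [tag]
        for name, value in attrs:
            if self._safe_attr(tag, name, value):
                parts.append(f'{name}="{escape(value or "", quote=True)}"')
        self.out.append("<" + " ".join(parts) + ">")
        if tag not in VOID_ELEMENTS:
            self.open_tags.append(tag)

    def handle_startendtag(self, tag, attrs):
        # '<input ... />' style: a start tag; non-void elements are closed at once.
        if tag in ("script", "style"):
            return
        self.handle_starttag(tag, attrs)
        if tag in self.policy and tag not in VOID_ELEMENTS:
            self.handle_endtag(tag)

    def handle_endtag(self, tag):
        if tag in ("script", "style"):
            self.raw_depth = max(0, self.raw_depth - 1)
            return
        if tag in self.open_tags:
            # Close up to and including this tag so the output stays well formed.
            while self.open_tags:
                t = self.open_tags.pop()
                self.out.append(f"</{t}>")
                if t == tag:
                    break

    def handle_data(self, data):
        if self.raw_depth == 0:
            self.out.append(escape(data))

    def result(self):
        while self.open_tags:  # close anything the input left open
            self.out.append(f"</{self.open_tags.pop()}>")
        return "".join(self.out)


def sanitize(html, policy):
    """Return html reduced to what the policy allows, re-serialized and escaped."""
    s = AllowlistSanitizer(policy)
    s.feed(html)
    s.close()
    return s.result()


if __name__ == "__main__":
    print("strict:", repr(sanitize(PAGE_INPUT, STRICT_POLICY)))   # ''
    print("form:  ", repr(sanitize(PAGE_INPUT, FORM_POLICY)))     # the input survives
    print("form:  ", repr(sanitize('<input type="text" onfocus="alert(1)" value="x">', FORM_POLICY)))
```

With `STRICT_POLICY` the page's input string sanitizes to `''`, matching the v2.0 console output, and with `FORM_POLICY` it comes back as `<input type="text" name="value" value="bar">`, matching the v1.8 output. The design point for a plugin that needs form fields in formatted HTML is the second policy: permit the element, but enumerate its attributes so that `on*` handlers and script-bearing URLs never pass through.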
          kinow Bruno P. Kinoshita added a comment -

That's interesting. I got

Result

    Markup Formatter Version: 2.0
    Formatted: ''

I tried setting up security, without luck. I still couldn't reproduce the issue. I tried to upgrade the Jenkins version in pom.xml to the latest LTS version. The new UI is neat, but broke active choices (I think I saw that coming from another issue about replacing tables by divs).

Then I ran out of time for testing it, sorry. Next time I have some spare time to work on the plugin I will try running the LTS war with the latest version instead.

Things that I am concerned about when reviewing the PR:

1. need to properly reproduce the issue before merging and releasing it
2. would be good to get someone - if possible - from Jenkins security team to confirm the plugin won't be blocked. I think the markup plugin was added due to a CVE with active choices that removed the plugin from update center. That's something that we need to try to avoid.
3. update docs about it

Cheers
Bruno

          apottere Andrew Potter added a comment -

Bruno P. Kinoshita it looks like you got the right output in the script console, are you sure the job was using the groovy sandbox? It only uses the markup sanitization when the groovy sandbox is used. I'm not sure if you saw, but I have a repo that uses the jenkins docker image to reproduce the issue: https://github.com/apottere/JENKINS-62215

          kinow Bruno P. Kinoshita added a comment -

          Fixed in 2.4. Thanks Andrew Potter

          kinow Bruno P. Kinoshita added a comment -

          In 2.4


People

Assignee: Bruno P. Kinoshita (kinow)
Reporter: Andrew Potter (apottere)
Votes: 0
Watchers: 3