JENKINS-62215: antisamy-markup-formatter-plugin v2.0 filters input fields from uno-choice plugin


      Description

      With Active Choices and OWASP Markup Formatter Plugin v2.0 installed, "input" elements are being stripped from "Formatted HTML" parameters. This is not an issue with OWASP Markup Formatter Plugin v1.8. Since this is one of the main use-cases of the Active Choices plugin, I assume this is a bug. There also doesn't seem to be a way to configure the markup formatter that the Active Choices plugin uses.

      Attached are screenshots of the parameter config, the working "input" field with v1.8, and the missing input field with v2.0.

        Attachments

        1. bruno-screenshot-1.png (66 kB)
        2. bruno-screenshot-2.png (127 kB)
        3. bruno-screenshot-3.png (93 kB)
        4. markup-formatter-1.8.png (28 kB)
        5. markup-formatter-2.0.png (28 kB)
        6. parameter-config.png (267 kB)

          Activity

          Bruno P. Kinoshita added a comment:

          Thanks for the report and for taking the time to provide a detailed description and screenshots.

          We were preparing a release for the next few days (waiting until a pending pull request gets reviewed/tested by other maintainers). I will try to find some time to take a look and try to reproduce/fix this one.

          Bruno

          Ioannis Moutsatsos added a comment:

          Andrew Potter, first I would upgrade Active Choices to the latest release.

          I have used antisamy-markup-formatter v2.0 successfully with Active Choices v2.2.3 on Jenkins LTS v2.222.1

          Please make sure that in Jenkins 'Configure Global Security' the Markup Formatter option is set to 'Safe HTML'. Hope this helps.

          Andrew Potter added a comment (edited):

          Ioannis Moutsatsos, the issue occurs whether the Markup Formatter option is set to Plain Text or Safe HTML.

          I wasn't able to find version 2.2.3 of the Active Choices plugin, either in GitHub Releases (https://github.com/jenkinsci/active-choices-plugin/releases) or the update site (https://updates.jenkins.io/download/plugins/uno-choice/). From the README (https://github.com/jenkinsci/active-choices-plugin#version-23-2020) it looks like 2.3 is the next pending version.

          Ioannis Moutsatsos added a comment:

          Andrew Potter, it's possible that I have an intermediate AC snapshot, as I usually do some testing before the final release. Nonetheless, I seriously doubt that the issue will turn out to be Active Choices itself. You seem to have isolated the issue to the antisamy-markup-formatter-plugin v2.0, but all I'm saying is that this version works for me on my (rather permissive) Jenkins instance.

          I use the following Jenkins startup parameters, which you may also want to test. I suspect that the CustomJellyContext may be of special interest here:

          -Dhudson.model.DirectoryBrowserSupport.CSP= -Dorg.kohsuke.stapler.jelly.CustomJellyContext.escapeByDefault="false"
          Andrew Potter added a comment:

          Ioannis Moutsatsos, sorry, I must have missed the email for your comment. I created a git repo with a run script, the current versions of both plugins, and the Java opts you specify. When I run it, the input field is not displayed.

          https://github.com/apottere/JENKINS-62215

          I also included ".bak" versions of both plugins, which are the older (working) versions. Let me know if you get different results.

          Andrew Potter added a comment:

          It looks like this was an intentional change in the markup-formatter plugin: https://github.com/jenkinsci/antisamy-markup-formatter-plugin/pull/12

          It really seems like there's no way you should be able to see `input` fields with any version of the Active Choices plugin after that markup formatter update. Either this issue should be fixed or the docs for Active Choices should be updated to make it clear that using form fields is no longer an option with the Groovy sandbox (and the corresponding sanitization).

          Bruno P. Kinoshita added a comment:

          That's funny, Andrew Potter. I'm using the `master` branch of the git repo, and `mvn clean install` then `mvn hpi:run`. Trying to reproduce the issue before switching the branch to your PR, but no luck.

          But no matter what I try, it still renders the input fine for me?

          Any idea what I could be missing? The plugin integration was a contribution after we were blocked by Jenkins security, and it "just worked", so I never bothered digging deeper to understand how everything works. So I may be missing some important step?

          Thanks
          Bruno

          Andrew Potter added a comment:

          Bruno P. Kinoshita, can you try running the following in your script console?

          import jenkins.model.Jenkins
          import hudson.markup.RawHtmlMarkupFormatter

          // Report which version of the antisamy-markup-formatter plugin is installed
          println("Markup Formatter Version: " + Jenkins.get().getPlugin("antisamy-markup-formatter").getWrapper().getVersion())
          // Pass a bare <input> element through the formatter and print whatever survives sanitization
          println("Formatted: '${RawHtmlMarkupFormatter.INSTANCE.translate('<input type="text" name="value" value="bar" />')}'")

          That gives the following result on my test instance:

          Markup Formatter Version: 2.0
          Formatted: ''

          And when I downgrade the plugins:

          Markup Formatter Version: 1.8
          Formatted: '<input type="text" name="value" value="bar">'

          AFAICT it looks like formatting with RawHtmlMarkupFormatter is unavoidable when using the groovy sandbox, per this line: https://github.com/biouno/uno-choice-plugin/blob/master/src/main/java/org/biouno/unochoice/model/GroovyScript.java#L174
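The two script-console results above (an empty string with formatter v2.0, the `<input>` element preserved with v1.8) are exactly what an allow-list sanitizer produces depending on whether form controls are on its allow-list. The Python sanitizer below is an added illustration and is not code from Active Choices, the markup formatter plugin or AntiSamy: the `SAFE_HTML` and `FORMS_ALLOWED` policies are constructed approximations of the two observed behaviours, and the `Policy`, `AllowListSanitizer` and `sanitize` names are assumptions. Dropping form controls is the point of a 'Safe HTML' policy: an `<input>` or `<form>` supplied in user-controlled markup renders inside the trusted Jenkins page, so it can impersonate a legitimate control and collect whatever a user types into it, which is why a stricter policy removes the element itself rather than only its attributes.

```python
"""Allow-list HTML sanitizer showing why a 'Safe HTML' policy drops <input> (added example)."""
import re
from dataclasses import dataclass, field
from html import escape
from html.parser import HTMLParser

URL_ATTRS = {"href", "src", "action"}
SAFE_SCHEMES = {"http", "https", "mailto"}
VOID_TAGS = {"br", "hr", "img", "input"}            # emitted without a closing tag
DROP_WITH_CONTENT = {"script", "style"}             # tag and its body are discarded entirely


@dataclass
class Policy:
    """Tags that survive plus per-tag attribute allow-lists (constructed, not the plugin's real policy)."""
    tags: frozenset
    attrs: dict = field(default_factory=dict)


BASE_TAGS = {"a", "b", "i", "em", "strong", "p", "br", "hr", "ul", "ol", "li", "code", "pre", "img"}
BASE_ATTRS = {"a": {"href", "title"}, "img": {"src", "alt"}}
FORM_TAGS = {"form", "input", "select", "option", "textarea", "button", "label"}
FORM_ATTRS = {"input": {"type", "name", "value", "placeholder"}, "form": {"action", "method"},
              "select": {"name"}, "option": {"value"}, "textarea": {"name"},
              "button": {"type", "name", "value"}, "label": {"for"}}

# Strict policy with no form controls: models the behaviour observed with formatter v2.0.
SAFE_HTML = Policy(tags=frozenset(BASE_TAGS), attrs=dict(BASE_ATTRS))
# Permissive policy that also keeps form controls: models the behaviour observed with v1.8.
FORMS_ALLOWED = Policy(tags=frozenset(BASE_TAGS | FORM_TAGS), attrs={**BASE_ATTRS, **FORM_ATTRS})


def _safe_url(value):
    """Accept relative URLs and a short scheme list; reject javascript:, data:, etc.
    Whitespace and control characters are removed first so 'java\\tscript:' cannot slip through."""
    if value is None:
        return False
    cleaned = re.sub(r"[\s\x00-\x1f]", "", value).lower()
    scheme = re.match(r"[a-z][a-z0-9+.\-]*:", cleaned)
    if scheme is None:
        return True                                  # no scheme: relative URL
    return scheme.group(0)[:-1] in SAFE_SCHEMES


class AllowListSanitizer(HTMLParser):
    def __init__(self, policy):
        super().__init__(convert_charrefs=True)
        self.policy = policy
        self.out = []
        self.skip_depth = 0                          # > 0 while inside a script/style element

    def _clean_attrs(self, tag, attrs):
        allowed = self.policy.attrs.get(tag, set())
        kept = []
        for name, value in attrs:
            name = name.lower()
            if name not in allowed or name.startswith("on"):   # event handlers never survive
                continue
            if name in URL_ATTRS and not _safe_url(value):
                continue
            kept.append((name, value))
        return kept

    def handle_starttag(self, tag, attrs):
        if tag in DROP_WITH_CONTENT:
            self.skip_depth += 1
            return
        if self.skip_depth or tag not in self.policy.tags:
            return                                   # disallowed tag removed; its text is kept by handle_data
        parts = [f" {n}" if v is None else f' {n}="{escape(v, quote=True)}"'
                 for n, v in self._clean_attrs(tag, attrs)]
        self.out.append(f"<{tag}{''.join(parts)}>")

    def handle_endtag(self, tag):
        if tag in DROP_WITH_CONTENT:
            self.skip_depth = max(0, self.skip_depth - 1)
            return
        if self.skip_depth or tag in VOID_TAGS or tag not in self.policy.tags:
            return
        self.out.append(f"</{tag}>")

    def handle_data(self, data):
        if not self.skip_depth:
            self.out.append(escape(data, quote=False))   # text is re-escaped on the way out
    # handle_comment is inherited as a no-op, so <!-- ... --> is discarded as well.


def sanitize(html, policy):
    """Return the subset of `html` that the given policy allows."""
    parser = AllowListSanitizer(policy)
    parser.feed(html)
    parser.close()
    return "".join(parser.out)


if __name__ == "__main__":
    sample = '<input type="text" name="value" value="bar" />'   # the element from the script-console test
    print("Safe HTML policy :", repr(sanitize(sample, SAFE_HTML)))
    print("Forms allowed    :", repr(sanitize(sample, FORMS_ALLOWED)))
```

Run directly, it prints the empty string for the strict policy and the preserved `<input>` for the permissive one, mirroring the two console results. Under either policy, event-handler attributes, `javascript:` URLs, `<script>`/`<style>` bodies and HTML comments are removed, so allowing form controls widens the policy only for that one element class; the decision to permit them is a product decision about who is allowed to author the markup, not something a sanitizer can make safe on its own.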

          Bruno P. Kinoshita added a comment:

          That's interesting. I got:

          Result
          Markup Formatter Version: 2.0
          Formatted: ''

          I tried setting up security, without luck. I still couldn't reproduce the issue. I tried to upgrade the Jenkins version in pom.xml to the latest LTS version. The new UI is neat, but broke Active Choices (I think I saw that coming from another issue about replacing tables by divs).

          Then I ran out of time for testing it, sorry. Next time I have some spare time to work on the plugin I will try running the LTS war with the latest version instead.

          Things that I am concerned about when reviewing the PR:

          1. need to properly reproduce the issue before merging and releasing it
          2. would be good to get someone - if possible - from Jenkins security team to confirm the plugin won't be blocked. I think the markup plugin was added due to a CVE with active choices that removed the plugin from update center. That's something that we need to try to avoid.
          3. update docs about it

          Cheers
          Bruno

          Andrew Potter added a comment:

          Bruno P. Kinoshita, it looks like you got the right output in the script console; are you sure the job was using the Groovy sandbox? It only uses the markup sanitization when the Groovy sandbox is used. I'm not sure if you saw, but I have a repo that uses the Jenkins docker image to reproduce the issue: https://github.com/apottere/JENKINS-62215

          Bruno P. Kinoshita added a comment:

          Fixed in 2.4. Thanks Andrew Potter

          Bruno P. Kinoshita added a comment:

          In 2.4


            People

            Assignee: Bruno P. Kinoshita
            Reporter: Andrew Potter
            Votes: 0
            Watchers: 3