- Task
- Resolution: Unresolved
- Minor
- None
Since SECURITY-2204, Config File Provider explicitly sets XML Constants to prevent XXE attacks. Config File Provider should use jenkins.util.xml.XMLUtils as mentioned in the TODO when SECURITY-2204 was resolved.
In some older environments the XML Constants are not supported. For example, see the following, which I think happens if there is an old implementation of JAXP (< 1.5) in the classpath, according to https://bugs.openjdk.org/browse/JDK-8016153:
FATAL: [ERROR] could not insert credentials into the settings file [GlobalMavenSettingsConfig: id=my-settings, name=my-settings, providerId=org.jenkinsci.plugins.configfiles.maven.GlobalMavenSettingsConfig]
java.lang.IllegalArgumentException: Property 'http://javax.xml.XMLConstants/property/accessExternalDTD' is not recognized.
at org.apache.xerces.jaxp.DocumentBuilderFactoryImpl.setAttribute(Unknown Source)
at org.jenkinsci.plugins.configfiles.maven.security.CredentialsHelper.fillAuthentication(CredentialsHelper.java:123)
at org.jenkinsci.plugins.configfiles.maven.AbstractMavenSettingsProvider.supplyContent(AbstractMavenSettingsProvider.java:75)
Caused: java.io.IOException: [ERROR] could not insert credentials into the settings file [GlobalMavenSettingsConfig: id=my-settings, name=my-settings, providerId=org.jenkinsci.plugins.configfiles.maven.GlobalMavenSettingsConfig]
at org.jenkinsci.plugins.configfiles.maven.AbstractMavenSettingsProvider.supplyContent(AbstractMavenSettingsProvider.java:77)
at org.jenkinsci.lib.configprovider.model.ConfigFileManager.provisionConfigFile(ConfigFileManager.java:107)
at org.jenkinsci.plugins.configfiles.buildwrapper.ManagedFileUtil.provisionConfigFiles(ManagedFileUtil.java:82)
at org.jenkinsci.plugins.configfiles.buildwrapper.ConfigFileBuildWrapper.setUp(ConfigFileBuildWrapper.java:61)
at jenkins.tasks.SimpleBuildWrapper.setUp(SimpleBuildWrapper.java:294)
at hudson.model.Build$BuildExecution.doRun(Build.java:157)
at hudson.model.AbstractBuild$AbstractBuildExecution.run(AbstractBuild.java:514)
at hudson.model.Run.execute(Run.java:1888)
at hudson.model.FreeStyleBuild.run(FreeStyleBuild.java:43)
at hudson.model.ResourceController.execute(ResourceController.java:99)
at hudson.model.Executor.run(Executor.java:432)
Which is how I noticed this TODO task.
The solution in those cases is to find the source of the old library, for example following https://docs.cloudbees.com/docs/cloudbees-ci-kb/latest/troubleshooting-guides/what-plugin-is-providing-this-class
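Added example (not the plugin's code and not the jenkins.util.xml.XMLUtils implementation): a stand-alone Java check that reports which JAXP implementation is picked up and where it was loaded from, then applies XXE hardening while tolerating a pre-1.5 implementation that rejects the accessExternalDTD property. The class name JaxpHardeningCheck, the fallback to the Xerces disallow-doctype-decl feature, and the sample XML are assumptions made for illustration.

```java
import java.io.StringReader;
import java.security.CodeSource;
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.parsers.ParserConfigurationException;
import org.xml.sax.InputSource;
import org.xml.sax.SAXException;

public class JaxpHardeningCheck { // hypothetical name, not part of the plugin

    /** Implementation class and the jar/module it came from (helps find an old bundled Xerces). */
    static String describe(DocumentBuilderFactory dbf) {
        CodeSource src = dbf.getClass().getProtectionDomain().getCodeSource();
        boolean builtIn = src == null || src.getLocation() == null;
        return dbf.getClass().getName() + " from " + (builtIn ? "the JDK itself" : src.getLocation());
    }

    /** True if the JAXP 1.5 properties are accepted; false on an older implementation. */
    static boolean restrictExternalAccess(DocumentBuilderFactory dbf) {
        try {
            dbf.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, "");
            dbf.setAttribute(XMLConstants.ACCESS_EXTERNAL_SCHEMA, "");
            return true;
        } catch (IllegalArgumentException e) { // the "is not recognized" failure in the trace above
            return false;
        }
    }

    static DocumentBuilderFactory hardenedFactory() throws ParserConfigurationException {
        DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
        System.out.println("JAXP implementation: " + describe(dbf));
        // Feature-based hardening that older Xerces builds also understand (assumed fallback).
        dbf.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        dbf.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        dbf.setExpandEntityReferences(false);
        if (!restrictExternalAccess(dbf)) {
            System.out.println("accessExternalDTD not recognized; relying on disallow-doctype-decl");
        }
        return dbf;
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample input: any DOCTYPE must be rejected by the hardened factory.
        String xml = "<!DOCTYPE settings [<!ENTITY e \"x\">]><settings>&e;</settings>";
        try {
            hardenedFactory().newDocumentBuilder().parse(new InputSource(new StringReader(xml)));
            System.out.println("DOCTYPE accepted: factory is NOT hardened");
        } catch (SAXException e) {
            System.out.println("DOCTYPE rejected: " + e.getMessage());
        }
    }
}
```

Run it with the same classpath as the failing environment; a location other than the JDK itself in the first output line points at the jar that supplies the old parser.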