[JENKINS-71953] Affected by recent security change in credentials-binding plugin (version 631.v861c06d062b_4)

Type: Bug
Resolution: Won't Fix
Priority: Critical
Component/s: xunit-plugin
Labels:
None

Similar Issues:
Powered by SuggestiMate

Show

It seems this plugin is another one affected by https://issues.jenkins.io/browse/SECURITY-3075 and introduced code from here.

The stacktrace looks like:

Also:   org.jenkinsci.plugins.workflow.actions.ErrorAction$ErrorId: fbec7ad4-2400-4b63-a464-a8e921be0fb3
java.lang.IllegalStateException: Not running on the Jenkins controller JVM
	at jenkins.util.JenkinsJVM.checkJenkinsJVM(JenkinsJVM.java:46)
	at org.jenkinsci.plugins.credentialsbinding.masking.SecretPatterns.getAggregateSecretPattern(SecretPatterns.java:57)
	at com.datapipe.jenkins.vault.log.MaskingConsoleLogFilter.lambda$decorateLogger$0(MaskingConsoleLogFilter.java:43)
	at org.jenkinsci.plugins.credentialsbinding.masking.SecretPatterns$MaskingOutputStream.eol(SecretPatterns.java:93)
	at hudson.console.LineTransformationOutputStream.eol(LineTransformationOutputStream.java:61)
	at hudson.console.LineTransformationOutputStream.write(LineTransformationOutputStream.java:57)
	at hudson.console.LineTransformationOutputStream.write(LineTransformationOutputStream.java:75)
	at java.base/java.io.PrintStream.write(PrintStream.java:559)
	at java.base/sun.nio.cs.StreamEncoder.writeBytes(StreamEncoder.java:233)
	at java.base/sun.nio.cs.StreamEncoder.implFlushBuffer(StreamEncoder.java:312)
	at java.base/sun.nio.cs.StreamEncoder.flushBuffer(StreamEncoder.java:104)
	at java.base/java.io.OutputStreamWriter.flushBuffer(OutputStreamWriter.java:181)
	at java.base/java.io.PrintStream.newLine(PrintStream.java:625)
	at java.base/java.io.PrintStream.println(PrintStream.java:883)
	at org.jenkinsci.plugins.xunit.service.XUnitLog.info(XUnitLog.java:49)
	at org.jenkinsci.plugins.xunit.service.XUnitReportProcessorService.findReports(XUnitReportProcessorService.java:81)
	at org.jenkinsci.plugins.xunit.service.XUnitTransformerCallable.invoke(XUnitTransformerCallable.java:85)
	at org.jenkinsci.plugins.xunit.service.XUnitTransformerCallable.invoke(XUnitTransformerCallable.java:38)
	at hudson.FilePath$FileCallableWrapper.call(FilePath.java:3578)
	at hudson.remoting.UserRequest.perform(UserRequest.java:211)
	at hudson.remoting.UserRequest.perform(UserRequest.java:54)
	at hudson.remoting.Request$2.run(Request.java:377)
	at hudson.remoting.InterceptingExecutorService.lambda$wrap$0(InterceptingExecutorService.java:78)
	at java.base/java.util.concurrent.FutureTask.run(FutureTask.java:264)
	at java.base/java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1128)
	at java.base/java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:628)
	at hudson.remoting.Engine$1.lambda$newThread$0(Engine.java:125)
	at java.base/java.lang.Thread.run(Thread.java:829)

The version "604.vb_64480b_c56ca_" of credentials-binding plugin works fine with xUnit, however "631.v861c06d062b_4" produces above exception.

Feel free to lower the priority if there is a work-around (unknown for me at this time)

Pavel Janoušek created issue - 2023-09-01 14:29

Pavel Janoušek made changes - 2023-09-01 14:31

Description

Original: It seems this plugin is another one affected by https://issues.jenkins.io/browse/SECURITY-3075 and introduced code from [here|https://github.com/jenkinsci/credentials-binding-plugin/commit/4ea6669a56f5a122a5e16443fd1a09ad5795ade0#diff-87bbb88a8a89708adea34248210c1c2de4fcb968ea7ab61b87548cadf4d82248R60].

The stacktrace looks like:
{code:java}
Also: org.jenkinsci.plugins.workflow.actions.ErrorAction$ErrorId: fbec7ad4-2400-4b63-a464-a8e921be0fb3
java.lang.IllegalStateException: Not running on the Jenkins controller JVM
at jenkins.util.JenkinsJVM.checkJenkinsJVM(JenkinsJVM.java:46)
at org.jenkinsci.plugins.credentialsbinding.masking.SecretPatterns.getAggregateSecretPattern(SecretPatterns.java:57)
at com.datapipe.jenkins.vault.log.MaskingConsoleLogFilter.lambda$decorateLogger$0(MaskingConsoleLogFilter.java:43)
at org.jenkinsci.plugins.credentialsbinding.masking.SecretPatterns$MaskingOutputStream.eol(SecretPatterns.java:93)
at hudson.console.LineTransformationOutputStream.eol(LineTransformationOutputStream.java:61)
at hudson.console.LineTransformationOutputStream.write(LineTransformationOutputStream.java:57)
at hudson.console.LineTransformationOutputStream.write(LineTransformationOutputStream.java:75)
at java.base/java.io.PrintStream.write(PrintStream.java:559)
at java.base/sun.nio.cs.StreamEncoder.writeBytes(StreamEncoder.java:233)
at java.base/sun.nio.cs.StreamEncoder.implFlushBuffer(StreamEncoder.java:312)
at java.base/sun.nio.cs.StreamEncoder.flushBuffer(StreamEncoder.java:104)
at java.base/java.io.OutputStreamWriter.flushBuffer(OutputStreamWriter.java:181)
at java.base/java.io.PrintStream.newLine(PrintStream.java:625)
at java.base/java.io.PrintStream.println(PrintStream.java:883)
at org.jenkinsci.plugins.xunit.service.XUnitLog.info(XUnitLog.java:49)
at org.jenkinsci.plugins.xunit.service.XUnitReportProcessorService.findReports(XUnitReportProcessorService.java:81)
at org.jenkinsci.plugins.xunit.service.XUnitTransformerCallable.invoke(XUnitTransformerCallable.java:85)
at org.jenkinsci.plugins.xunit.service.XUnitTransformerCallable.invoke(XUnitTransformerCallable.java:38)
at hudson.FilePath$FileCallableWrapper.call(FilePath.java:3578)
at hudson.remoting.UserRequest.perform(UserRequest.java:211)
at hudson.remoting.UserRequest.perform(UserRequest.java:54)
at hudson.remoting.Request$2.run(Request.java:377)
at hudson.remoting.InterceptingExecutorService.lambda$wrap$0(InterceptingExecutorService.java:78)
at java.base/java.util.concurrent.FutureTask.run(FutureTask.java:264)
at java.base/java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1128)
at java.base/java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:628)
at hudson.remoting.Engine$1.lambda$newThread$0(Engine.java:125)
at java.base/java.lang.Thread.run(Thread.java:829)
{code}
The version "604.vb_64480b_c56ca_" of credentials-binding plgin works fine with xUnit, however "631.v861c06d062b_4" produces above exception.

Feel free to lower the priority if there is a work-around (unknown for me at this time)

New: It seems this plugin is another one affected by https://issues.jenkins.io/browse/SECURITY-3075 and introduced code from [here|https://github.com/jenkinsci/credentials-binding-plugin/commit/4ea6669a56f5a122a5e16443fd1a09ad5795ade0#diff-87bbb88a8a89708adea34248210c1c2de4fcb968ea7ab61b87548cadf4d82248R60].

The stacktrace looks like:
{code:java}
Also: org.jenkinsci.plugins.workflow.actions.ErrorAction$ErrorId: fbec7ad4-2400-4b63-a464-a8e921be0fb3
java.lang.IllegalStateException: Not running on the Jenkins controller JVM
at jenkins.util.JenkinsJVM.checkJenkinsJVM(JenkinsJVM.java:46)
at org.jenkinsci.plugins.credentialsbinding.masking.SecretPatterns.getAggregateSecretPattern(SecretPatterns.java:57)
at com.datapipe.jenkins.vault.log.MaskingConsoleLogFilter.lambda$decorateLogger$0(MaskingConsoleLogFilter.java:43)
at org.jenkinsci.plugins.credentialsbinding.masking.SecretPatterns$MaskingOutputStream.eol(SecretPatterns.java:93)
at hudson.console.LineTransformationOutputStream.eol(LineTransformationOutputStream.java:61)
at hudson.console.LineTransformationOutputStream.write(LineTransformationOutputStream.java:57)
at hudson.console.LineTransformationOutputStream.write(LineTransformationOutputStream.java:75)
at java.base/java.io.PrintStream.write(PrintStream.java:559)
at java.base/sun.nio.cs.StreamEncoder.writeBytes(StreamEncoder.java:233)
at java.base/sun.nio.cs.StreamEncoder.implFlushBuffer(StreamEncoder.java:312)
at java.base/sun.nio.cs.StreamEncoder.flushBuffer(StreamEncoder.java:104)
at java.base/java.io.OutputStreamWriter.flushBuffer(OutputStreamWriter.java:181)
at java.base/java.io.PrintStream.newLine(PrintStream.java:625)
at java.base/java.io.PrintStream.println(PrintStream.java:883)
at org.jenkinsci.plugins.xunit.service.XUnitLog.info(XUnitLog.java:49)
at org.jenkinsci.plugins.xunit.service.XUnitReportProcessorService.findReports(XUnitReportProcessorService.java:81)
at org.jenkinsci.plugins.xunit.service.XUnitTransformerCallable.invoke(XUnitTransformerCallable.java:85)
at org.jenkinsci.plugins.xunit.service.XUnitTransformerCallable.invoke(XUnitTransformerCallable.java:38)
at hudson.FilePath$FileCallableWrapper.call(FilePath.java:3578)
at hudson.remoting.UserRequest.perform(UserRequest.java:211)
at hudson.remoting.UserRequest.perform(UserRequest.java:54)
at hudson.remoting.Request$2.run(Request.java:377)
at hudson.remoting.InterceptingExecutorService.lambda$wrap$0(InterceptingExecutorService.java:78)
at java.base/java.util.concurrent.FutureTask.run(FutureTask.java:264)
at java.base/java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1128)
at java.base/java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:628)
at hudson.remoting.Engine$1.lambda$newThread$0(Engine.java:125)
at java.base/java.lang.Thread.run(Thread.java:829)
{code}
The version "604.vb_64480b_c56ca_" of {{credentials-binding}} plugin works fine with {{{}xUnit{}}}, however "631.v861c06d062b_4" produces above exception.

Feel free to lower the priority if there is a work-around (unknown for me at this time)

Nikolas Falco made changes - 2023-09-02 19:04

Resolution		New: Won't Fix [ 2 ]
Status	Original: Open [ 1 ]	New: Closed [ 6 ]

Jenkins

Details

Description

Attachments

Activity

People

Dates