Stack Overflow with Plugin "Authorize Project 1.7.2" on Jenkins 2.473

XMLWordPrintable

    • Type: Bug
    • Resolution: Duplicate
    • Priority: Major
    • Component/s: authorize-project-plugin
    • None
    • Environment:
      authorize-project-plugin 1.7.2
      Jenkins 2.473
      Debian 12

      On Jenkins 2.472 all works well.

      After upgrade to Jenkins 2.473, on startup I get a StackOverflow when loading jenkins.security.QueueItemAuthenticatorConfiguration.xml:

      Downgrading to 2.472 clears the problem. Re-upgrade to 2.473 brings back the problem.

      Failing to load jenkins.security.QueueItemAuthenticatorConfiguration.xml makes the queuing system non-operational.

      Here is part of the stacktrace:

      2024-08-23 12:05:55.355+0000 [id=14]    WARNING hudson.model.Descriptor#load: Failed to load /var/lib/jenkins/jenkins.security.QueueItemAuthenticatorConfigurati
      on.xml
      com.thoughtworks.xstream.security.InputManipulationException: Possible Dneial of Service attack by Stack Overflow
              at com.thoughtworks.xstream.XStream.unmarshal(XStream.java:1466)
              at hudson.util.XStream2.unmarshal(XStream2.java:230)
              at hudson.util.XStream2.unmarshal(XStream2.java:201)
              at com.thoughtworks.xstream.XStream.unmarshal(XStream.java:1441)
              at hudson.XmlFile.unmarshal(XmlFile.java:196)
              at hudson.XmlFile.unmarshal(XmlFile.java:179)
              at hudson.model.Descriptor.load(Descriptor.java:937)
              at jdk.internal.reflect.GeneratedMethodAccessor2.invoke(Unknown Source)
              at java.base/jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
              at java.base/java.lang.reflect.Method.invoke(Method.java:569)
              at hudson.ExtensionFinder$GuiceFinder$SezpozModule.onProvision(ExtensionFinder.java:637)
              at com.google.inject.internal.ProvisionListenerStackCallback$Provision.provision(ProvisionListenerStackCallback.java:117)
              at com.google.inject.internal.ProvisionListenerStackCallback.provision(ProvisionListenerStackCallback.java:66)
              at com.google.inject.internal.ConstructorInjector.construct(ConstructorInjector.java:93)
              at com.google.inject.internal.ConstructorBindingImpl$Factory.get(ConstructorBindingImpl.java:300)
              at com.google.inject.internal.ProviderToInternalFactoryAdapter.get(ProviderToInternalFactoryAdapter.java:40)
              at com.google.inject.internal.SingletonScope$1.get(SingletonScope.java:169)
              at hudson.ExtensionFinder$GuiceFinder$FaultTolerantScope$1.get(ExtensionFinder.java:448)
              at com.google.inject.internal.InternalFactoryToProviderAdapter.get(InternalFactoryToProviderAdapter.java:45)
              at com.google.inject.internal.InjectorImpl$1.get(InjectorImpl.java:1148)
              at hudson.ExtensionFinder$GuiceFinder._find(ExtensionFinder.java:406)
              at hudson.ExtensionFinder$GuiceFinder.find(ExtensionFinder.java:397)
              at hudson.ClassicPluginStrategy.findComponents(ClassicPluginStrategy.java:353)
              at hudson.ExtensionList.load(ExtensionList.java:384)
              at hudson.ExtensionList.ensureLoaded(ExtensionList.java:320)
              at hudson.ExtensionList.getComponents(ExtensionList.java:184)
              at hudson.DescriptorExtensionList.load(DescriptorExtensionList.java:213)
              at hudson.ExtensionList.ensureLoaded(ExtensionList.java:320)
              at hudson.ExtensionList.iterator(ExtensionList.java:172)
              at hudson.ExtensionList.getInstance(ExtensionList.java:162)
              at jenkins.security.QueueItemAuthenticatorConfiguration.get(QueueItemAuthenticatorConfiguration.java:60)
              at PluginClassLoader for authorize-project//org.jenkinsci.plugins.authorizeproject.ProjectQueueItemAuthenticator.getConfigured(ProjectQueueItemAuthenticator.java:212)
              at PluginClassLoader for authorize-project//org.jenkinsci.plugins.authorizeproject.ProjectQueueItemAuthenticator.isConfigured(ProjectQueueItemAuthenticator.java:224)
              at PluginClassLoader for authorize-project//org.jenkinsci.plugins.authorizeproject.AuthorizeProjectStrategy.checkUnsecuredConfiguration(AuthorizeProjectStrategy.java:177)
              at PluginClassLoader for authorize-project//org.jenkinsci.plugins.authorizeproject.AuthorizeProjectStrategy.readResolve(AuthorizeProjectStrategy.java:167)
              at PluginClassLoader for authorize-project//org.jenkinsci.plugins.authorizeproject.strategy.SpecificUsersAuthorizationStrategy.readResolve(SpecificUsersAuthorizationStrategy.java:250)
              at jdk.internal.reflect.GeneratedMethodAccessor5.invoke(Unknown Source)
              at java.base/jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
              at java.base/java.lang.reflect.Method.invoke(Method.java:569)
              at com.thoughtworks.xstream.core.util.SerializationMembers.callReadResolve(SerializationMembers.java:78)
              at hudson.util.RobustReflectionConverter.unmarshal(RobustReflectionConverter.java:290)
              at com.thoughtworks.xstream.core.TreeUnmarshaller.convert(TreeUnmarshaller.java:74)
              at com.thoughtworks.xstream.core.AbstractReferenceUnmarshaller.convert(AbstractReferenceUnmarshaller.java:72)
              at com.thoughtworks.xstream.core.TreeUnmarshaller.convertAnother(TreeUnmarshaller.java:68)
              at hudson.util.RobustReflectionConverter.unmarshalField(RobustReflectionConverter.java:454)
              at hudson.util.RobustReflectionConverter.doUnmarshal(RobustReflectionConverter.java:350)
              at hudson.util.RobustReflectionConverter.unmarshal(RobustReflectionConverter.java:289)
              at com.thoughtworks.xstream.core.TreeUnmarshaller.convert(TreeUnmarshaller.java:74)
              at com.thoughtworks.xstream.core.AbstractReferenceUnmarshaller.convert(AbstractReferenceUnmarshaller.java:72)
              at com.thoughtworks.xstream.core.TreeUnmarshaller.convertAnother(TreeUnmarshaller.java:68)
              at com.thoughtworks.xstream.core.TreeUnmarshaller.convertAnother(TreeUnmarshaller.java:52)
              at com.thoughtworks.xstream.converters.collections.AbstractCollectionConverter.readBareItem(AbstractCollectionConverter.java:132)
              at com.thoughtworks.xstream.converters.collections.AbstractCollectionConverter.readItem(AbstractCollectionConverter.java:117)
              at hudson.util.CopyOnWriteList$ConverterImpl.unmarshal(CopyOnWriteList.java:203)
              at hudson.util.DescribableList$ConverterImpl.unmarshal(DescribableList.java:284)
              at com.thoughtworks.xstream.core.TreeUnmarshaller.convert(TreeUnmarshaller.java:74)
              at com.thoughtworks.xstream.core.AbstractReferenceUnmarshaller.convert(AbstractReferenceUnmarshaller.java:72)
              at com.thoughtworks.xstream.core.TreeUnmarshaller.convertAnother(TreeUnmarshaller.java:68)
              at hudson.util.RobustReflectionConverter.unmarshalField(RobustReflectionConverter.java:454)
              at hudson.util.RobustReflectionConverter.doUnmarshal(RobustReflectionConverter.java:350)
              at hudson.util.RobustReflectionConverter.unmarshal(RobustReflectionConverter.java:289)
              at com.thoughtworks.xstream.core.TreeUnmarshaller.convert(TreeUnmarshaller.java:74)
              at com.thoughtworks.xstream.core.AbstractReferenceUnmarshaller.convert(AbstractReferenceUnmarshaller.java:72)
              at com.thoughtworks.xstream.core.TreeUnmarshaller.convertAnother(TreeUnmarshaller.java:68)
              at com.thoughtworks.xstream.core.TreeUnmarshaller.convertAnother(TreeUnmarshaller.java:52)
              at com.thoughtworks.xstream.core.TreeUnmarshaller.start(TreeUnmarshaller.java:136)
              at com.thoughtworks.xstream.core.AbstractTreeMarshallingStrategy.unmarshal(AbstractTreeMarshallingStrategy.java:32)
              at com.thoughtworks.xstream.XStream.unmarshal(XStream.java:1464)
              at hudson.util.XStream2.unmarshal(XStream2.java:230)
              at hudson.util.XStream2.unmarshal(XStream2.java:201)
              at com.thoughtworks.xstream.XStream.unmarshal(XStream.java:1441)
              at hudson.XmlFile.unmarshal(XmlFile.java:196)
              at hudson.XmlFile.unmarshal(XmlFile.java:179)
              at hudson.model.Descriptor.load(Descriptor.java:937)
              at jdk.internal.reflect.GeneratedMethodAccessor2.invoke(Unknown Source)
              at java.base/jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
              at java.base/java.lang.reflect.Method.invoke(Method.java:569)
              at hudson.ExtensionFinder$GuiceFinder$SezpozModule.onProvision(ExtensionFinder.java:637)
              at com.google.inject.internal.ProvisionListenerStackCallback$Provision.provision(ProvisionListenerStackCallback.java:117)
              at com.google.inject.internal.ProvisionListenerStackCallback.provision(ProvisionListenerStackCallback.java:66)
              at com.google.inject.internal.ConstructorInjector.construct(ConstructorInjector.java:93)
              at com.google.inject.internal.ConstructorBindingImpl$Factory.get(ConstructorBindingImpl.java:300)
              at com.google.inject.internal.ProviderToInternalFactoryAdapter.get(ProviderToInternalFactoryAdapter.java:40)
              at com.google.inject.internal.SingletonScope$1.get(SingletonScope.java:169)
              at hudson.ExtensionFinder$GuiceFinder$FaultTolerantScope$1.get(ExtensionFinder.java:448)
              at com.google.inject.internal.InternalFactoryToProviderAdapter.get(InternalFactoryToProviderAdapter.java:45)
              at com.google.inject.internal.InjectorImpl$1.get(InjectorImpl.java:1148)
              at hudson.ExtensionFinder$GuiceFinder._find(ExtensionFinder.java:406)
              at hudson.ExtensionFinder$GuiceFinder.find(ExtensionFinder.java:397)
              at hudson.ClassicPluginStrategy.findComponents(ClassicPluginStrategy.java:353)
              at hudson.ExtensionList.load(ExtensionList.java:384)
              at hudson.ExtensionList.ensureLoaded(ExtensionList.java:320)
              at hudson.ExtensionList.getComponents(ExtensionList.java:184)
              at hudson.DescriptorExtensionList.load(DescriptorExtensionList.java:213)
              at hudson.ExtensionList.ensureLoaded(ExtensionList.java:320)
              at hudson.ExtensionList.iterator(ExtensionList.java:172)
              at hudson.ExtensionList.getInstance(ExtensionList.java:162)
              at jenkins.security.QueueItemAuthenticatorConfiguration.get(QueueItemAuthenticatorConfiguration.java:60)
              at PluginClassLoader for authorize-project//org.jenkinsci.plugins.authorizeproject.ProjectQueueItemAuthenticator.getConfigured(ProjectQueueItemAuthenticator.java:212)
              at PluginClassLoader for authorize-project//org.jenkinsci.plugins.authorizeproject.ProjectQueueItemAuthenticator.isConfigured(ProjectQueueItemAuthenticator.java:224)
              at PluginClassLoader for authorize-project//org.jenkinsci.plugins.authorizeproject.AuthorizeProjectStrategy.checkUnsecuredConfiguration(AuthorizeProjectStrategy.java:177)
              at PluginClassLoader for authorize-project//org.jenkinsci.plugins.authorizeproject.AuthorizeProjectStrategy.readResolve(AuthorizeProjectStrategy.java:167)
              at PluginClassLoader for authorize-project//org.jenkinsci.plugins.authorizeproject.strategy.SpecificUsersAuthorizationStrategy.readResolve(SpecificUsersAuthorizationStrategy.java:250)

      .....

            Assignee:
            Unassigned
            Reporter:
            Florin Vancea
            Votes:
            0 Vote for this issue
            Watchers:
            2 Start watching this issue

              Created:
              Updated:
              Resolved: