JENKINS-73679: Stack Overflow with Plugin "Authorize Project 1.7.2" on Jenkins 2.473

    • Type: Bug
    • Resolution: Duplicate
    • Priority: Major
    • Environment: authorize-project-plugin 1.7.2, Jenkins 2.473, Debian 12

      On Jenkins 2.472 all works well.

      After upgrading to Jenkins 2.473, on startup I get a StackOverflow when loading jenkins.security.QueueItemAuthenticatorConfiguration.xml:

      Downgrading to 2.472 clears the problem. Re-upgrade to 2.473 brings back the problem.

      Failing to load jenkins.security.QueueItemAuthenticatorConfiguration.xml makes the queuing system non-operational.

      Here is part of the stack trace:

      2024-08-23 12:05:55.355+0000 [id=14]    WARNING hudson.model.Descriptor#load: Failed to load /var/lib/jenkins/jenkins.security.QueueItemAuthenticatorConfiguration.xml
      com.thoughtworks.xstream.security.InputManipulationException: Possible Denial of Service attack by Stack Overflow
              at com.thoughtworks.xstream.XStream.unmarshal(XStream.java:1466)
              at hudson.util.XStream2.unmarshal(XStream2.java:230)
              at hudson.util.XStream2.unmarshal(XStream2.java:201)
              at com.thoughtworks.xstream.XStream.unmarshal(XStream.java:1441)
              at hudson.XmlFile.unmarshal(XmlFile.java:196)
              at hudson.XmlFile.unmarshal(XmlFile.java:179)
              at hudson.model.Descriptor.load(Descriptor.java:937)
              at jdk.internal.reflect.GeneratedMethodAccessor2.invoke(Unknown Source)
              at java.base/jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
              at java.base/java.lang.reflect.Method.invoke(Method.java:569)
              at hudson.ExtensionFinder$GuiceFinder$SezpozModule.onProvision(ExtensionFinder.java:637)
              at com.google.inject.internal.ProvisionListenerStackCallback$Provision.provision(ProvisionListenerStackCallback.java:117)
              at com.google.inject.internal.ProvisionListenerStackCallback.provision(ProvisionListenerStackCallback.java:66)
              at com.google.inject.internal.ConstructorInjector.construct(ConstructorInjector.java:93)
              at com.google.inject.internal.ConstructorBindingImpl$Factory.get(ConstructorBindingImpl.java:300)
              at com.google.inject.internal.ProviderToInternalFactoryAdapter.get(ProviderToInternalFactoryAdapter.java:40)
              at com.google.inject.internal.SingletonScope$1.get(SingletonScope.java:169)
              at hudson.ExtensionFinder$GuiceFinder$FaultTolerantScope$1.get(ExtensionFinder.java:448)
              at com.google.inject.internal.InternalFactoryToProviderAdapter.get(InternalFactoryToProviderAdapter.java:45)
              at com.google.inject.internal.InjectorImpl$1.get(InjectorImpl.java:1148)
              at hudson.ExtensionFinder$GuiceFinder._find(ExtensionFinder.java:406)
              at hudson.ExtensionFinder$GuiceFinder.find(ExtensionFinder.java:397)
              at hudson.ClassicPluginStrategy.findComponents(ClassicPluginStrategy.java:353)
              at hudson.ExtensionList.load(ExtensionList.java:384)
              at hudson.ExtensionList.ensureLoaded(ExtensionList.java:320)
              at hudson.ExtensionList.getComponents(ExtensionList.java:184)
              at hudson.DescriptorExtensionList.load(DescriptorExtensionList.java:213)
              at hudson.ExtensionList.ensureLoaded(ExtensionList.java:320)
              at hudson.ExtensionList.iterator(ExtensionList.java:172)
              at hudson.ExtensionList.getInstance(ExtensionList.java:162)
              at jenkins.security.QueueItemAuthenticatorConfiguration.get(QueueItemAuthenticatorConfiguration.java:60)
              at PluginClassLoader for authorize-project//org.jenkinsci.plugins.authorizeproject.ProjectQueueItemAuthenticator.getConfigured(ProjectQueueItemAuthenticator.java:212)
              at PluginClassLoader for authorize-project//org.jenkinsci.plugins.authorizeproject.ProjectQueueItemAuthenticator.isConfigured(ProjectQueueItemAuthenticator.java:224)
              at PluginClassLoader for authorize-project//org.jenkinsci.plugins.authorizeproject.AuthorizeProjectStrategy.checkUnsecuredConfiguration(AuthorizeProjectStrategy.java:177)
              at PluginClassLoader for authorize-project//org.jenkinsci.plugins.authorizeproject.AuthorizeProjectStrategy.readResolve(AuthorizeProjectStrategy.java:167)
              at PluginClassLoader for authorize-project//org.jenkinsci.plugins.authorizeproject.strategy.SpecificUsersAuthorizationStrategy.readResolve(SpecificUsersAuthorizationStrategy.java:250)
              at jdk.internal.reflect.GeneratedMethodAccessor5.invoke(Unknown Source)
              at java.base/jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
              at java.base/java.lang.reflect.Method.invoke(Method.java:569)
              at com.thoughtworks.xstream.core.util.SerializationMembers.callReadResolve(SerializationMembers.java:78)
              at hudson.util.RobustReflectionConverter.unmarshal(RobustReflectionConverter.java:290)
              at com.thoughtworks.xstream.core.TreeUnmarshaller.convert(TreeUnmarshaller.java:74)
              at com.thoughtworks.xstream.core.AbstractReferenceUnmarshaller.convert(AbstractReferenceUnmarshaller.java:72)
              at com.thoughtworks.xstream.core.TreeUnmarshaller.convertAnother(TreeUnmarshaller.java:68)
              at hudson.util.RobustReflectionConverter.unmarshalField(RobustReflectionConverter.java:454)
              at hudson.util.RobustReflectionConverter.doUnmarshal(RobustReflectionConverter.java:350)
              at hudson.util.RobustReflectionConverter.unmarshal(RobustReflectionConverter.java:289)
              at com.thoughtworks.xstream.core.TreeUnmarshaller.convert(TreeUnmarshaller.java:74)
              at com.thoughtworks.xstream.core.AbstractReferenceUnmarshaller.convert(AbstractReferenceUnmarshaller.java:72)
              at com.thoughtworks.xstream.core.TreeUnmarshaller.convertAnother(TreeUnmarshaller.java:68)
              at com.thoughtworks.xstream.core.TreeUnmarshaller.convertAnother(TreeUnmarshaller.java:52)
              at com.thoughtworks.xstream.converters.collections.AbstractCollectionConverter.readBareItem(AbstractCollectionConverter.java:132)
              at com.thoughtworks.xstream.converters.collections.AbstractCollectionConverter.readItem(AbstractCollectionConverter.java:117)
              at hudson.util.CopyOnWriteList$ConverterImpl.unmarshal(CopyOnWriteList.java:203)
              at hudson.util.DescribableList$ConverterImpl.unmarshal(DescribableList.java:284)
              at com.thoughtworks.xstream.core.TreeUnmarshaller.convert(TreeUnmarshaller.java:74)
              at com.thoughtworks.xstream.core.AbstractReferenceUnmarshaller.convert(AbstractReferenceUnmarshaller.java:72)
              at com.thoughtworks.xstream.core.TreeUnmarshaller.convertAnother(TreeUnmarshaller.java:68)
              at hudson.util.RobustReflectionConverter.unmarshalField(RobustReflectionConverter.java:454)
              at hudson.util.RobustReflectionConverter.doUnmarshal(RobustReflectionConverter.java:350)
              at hudson.util.RobustReflectionConverter.unmarshal(RobustReflectionConverter.java:289)
              at com.thoughtworks.xstream.core.TreeUnmarshaller.convert(TreeUnmarshaller.java:74)
              at com.thoughtworks.xstream.core.AbstractReferenceUnmarshaller.convert(AbstractReferenceUnmarshaller.java:72)
              at com.thoughtworks.xstream.core.TreeUnmarshaller.convertAnother(TreeUnmarshaller.java:68)
              at com.thoughtworks.xstream.core.TreeUnmarshaller.convertAnother(TreeUnmarshaller.java:52)
              at com.thoughtworks.xstream.core.TreeUnmarshaller.start(TreeUnmarshaller.java:136)
              at com.thoughtworks.xstream.core.AbstractTreeMarshallingStrategy.unmarshal(AbstractTreeMarshallingStrategy.java:32)
              at com.thoughtworks.xstream.XStream.unmarshal(XStream.java:1464)
              at hudson.util.XStream2.unmarshal(XStream2.java:230)
              at hudson.util.XStream2.unmarshal(XStream2.java:201)
              at com.thoughtworks.xstream.XStream.unmarshal(XStream.java:1441)
              at hudson.XmlFile.unmarshal(XmlFile.java:196)
              at hudson.XmlFile.unmarshal(XmlFile.java:179)
              at hudson.model.Descriptor.load(Descriptor.java:937)
              at jdk.internal.reflect.GeneratedMethodAccessor2.invoke(Unknown Source)
              at java.base/jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
              at java.base/java.lang.reflect.Method.invoke(Method.java:569)
              at hudson.ExtensionFinder$GuiceFinder$SezpozModule.onProvision(ExtensionFinder.java:637)
              at com.google.inject.internal.ProvisionListenerStackCallback$Provision.provision(ProvisionListenerStackCallback.java:117)
              at com.google.inject.internal.ProvisionListenerStackCallback.provision(ProvisionListenerStackCallback.java:66)
              at com.google.inject.internal.ConstructorInjector.construct(ConstructorInjector.java:93)
              at com.google.inject.internal.ConstructorBindingImpl$Factory.get(ConstructorBindingImpl.java:300)
              at com.google.inject.internal.ProviderToInternalFactoryAdapter.get(ProviderToInternalFactoryAdapter.java:40)
              at com.google.inject.internal.SingletonScope$1.get(SingletonScope.java:169)
              at hudson.ExtensionFinder$GuiceFinder$FaultTolerantScope$1.get(ExtensionFinder.java:448)
              at com.google.inject.internal.InternalFactoryToProviderAdapter.get(InternalFactoryToProviderAdapter.java:45)
              at com.google.inject.internal.InjectorImpl$1.get(InjectorImpl.java:1148)
              at hudson.ExtensionFinder$GuiceFinder._find(ExtensionFinder.java:406)
              at hudson.ExtensionFinder$GuiceFinder.find(ExtensionFinder.java:397)
              at hudson.ClassicPluginStrategy.findComponents(ClassicPluginStrategy.java:353)
              at hudson.ExtensionList.load(ExtensionList.java:384)
              at hudson.ExtensionList.ensureLoaded(ExtensionList.java:320)
              at hudson.ExtensionList.getComponents(ExtensionList.java:184)
              at hudson.DescriptorExtensionList.load(DescriptorExtensionList.java:213)
              at hudson.ExtensionList.ensureLoaded(ExtensionList.java:320)
              at hudson.ExtensionList.iterator(ExtensionList.java:172)
              at hudson.ExtensionList.getInstance(ExtensionList.java:162)
              at jenkins.security.QueueItemAuthenticatorConfiguration.get(QueueItemAuthenticatorConfiguration.java:60)
              at PluginClassLoader for authorize-project//org.jenkinsci.plugins.authorizeproject.ProjectQueueItemAuthenticator.getConfigured(ProjectQueueItemAuthenticator.java:212)
              at PluginClassLoader for authorize-project//org.jenkinsci.plugins.authorizeproject.ProjectQueueItemAuthenticator.isConfigured(ProjectQueueItemAuthenticator.java:224)
              at PluginClassLoader for authorize-project//org.jenkinsci.plugins.authorizeproject.AuthorizeProjectStrategy.checkUnsecuredConfiguration(AuthorizeProjectStrategy.java:177)
              at PluginClassLoader for authorize-project//org.jenkinsci.plugins.authorizeproject.AuthorizeProjectStrategy.readResolve(AuthorizeProjectStrategy.java:167)
              at PluginClassLoader for authorize-project//org.jenkinsci.plugins.authorizeproject.strategy.SpecificUsersAuthorizationStrategy.readResolve(SpecificUsersAuthorizationStrategy.java:250)

      .....
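
The two halves of the trace are identical: the frames from Descriptor.load down to SpecificUsersAuthorizationStrategy.readResolve repeat, so the file is being unmarshalled a second time while its first unmarshalling is still on the stack. Read bottom-up, deserializing the strategy runs its readResolve, which calls checkUnsecuredConfiguration, which calls isConfigured, which asks QueueItemAuthenticatorConfiguration.get() for the global configuration, and that lookup loads the same XML file again. XStream's InputManipulationException is the library's guard against stack exhaustion from hostile input; in this instance the depth comes from the code path rather than from the file, so the "possible denial of service" wording should not be read as evidence of an attack. The following is an added illustration written for this page, not code from the authorize-project plugin or Jenkins core: it models the cycle with plain Java serialization in place of XStream, using hypothetical classes Strategy and Config, and shows one way to break it with a thread-local re-entrancy guard (a possible hardening, not the fix the project adopted).

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.io.Serializable;

/*
 * Added model of the re-entrant load seen in the JENKINS-73679 trace. Not the
 * plugin's or Jenkins core's code: every class and method name here is
 * hypothetical, and plain Java serialization stands in for XStream.
 *
 *   Config.get() -> load() -> Strategy.readResolve() -> Config.get() -> load() -> ...
 */
public class ReentrantReadResolveDemo {

    /** Stands in for the authorization strategy stored in the configuration file. */
    static class Strategy implements Serializable {
        private static final long serialVersionUID = 1L;
        final String user;

        Strategy(String user) {
            this.user = user;
        }

        /** A readResolve() that validates the object against the global configuration. */
        private Object readResolve() {
            // The check is cheap; the problem is that it asks the singleton for the
            // very file that is being deserialized at this moment.
            Config.get().isConfigured();
            return this;
        }
    }

    /** Stands in for a lazily loaded, file-backed global configuration singleton. */
    static class Config {
        /** The serialized configuration "file" (kept in memory for the demo). */
        static byte[] fileBytes;
        /** When true, get() refuses to load the file again while a load is in progress. */
        static boolean guardReentry;

        private static Config instance;
        private static final ThreadLocal<Boolean> LOADING = ThreadLocal.withInitial(() -> false);

        private final Strategy strategy;

        private Config(Strategy strategy) {
            this.strategy = strategy;
        }

        static Config get() {
            if (instance == null) {
                if (guardReentry && LOADING.get()) {
                    // Re-entered from a readResolve() during load: answer with an empty
                    // configuration instead of unmarshalling the same file again.
                    return new Config(null);
                }
                LOADING.set(true);
                try {
                    instance = load();
                } finally {
                    LOADING.set(false);
                }
            }
            return instance;
        }

        boolean isConfigured() {
            return strategy != null;
        }

        private static Config load() {
            try (ObjectInputStream in = new ObjectInputStream(new ByteArrayInputStream(fileBytes))) {
                return new Config((Strategy) in.readObject()); // runs Strategy.readResolve()
            } catch (IOException | ClassNotFoundException e) {
                throw new IllegalStateException("failed to load configuration", e);
            }
        }
    }

    /** Serializes one Strategy into the in-memory "file", as Jenkins persists its XML. */
    static void writeFile(String user) throws IOException {
        ByteArrayOutputStream buf = new ByteArrayOutputStream();
        try (ObjectOutputStream out = new ObjectOutputStream(buf)) {
            out.writeObject(new Strategy(user));
        }
        Config.fileBytes = buf.toByteArray();
    }

    /** Loads the configuration from scratch; true if the load dies by StackOverflowError. */
    static boolean loadOverflows(boolean guarded) throws IOException {
        writeFile("alice"); // constructed sample configuration, not a real Jenkins file
        Config.instance = null;
        Config.guardReentry = guarded;
        try {
            Config.get();
            return false;
        } catch (StackOverflowError e) {
            return true;
        }
    }

    public static void main(String[] args) throws IOException {
        System.out.println("unguarded load overflows: " + loadOverflows(false));
        System.out.println("guarded load overflows:   " + loadOverflows(true));
        System.out.println("guarded config loaded:    " + Config.get().isConfigured());
    }
}
```

Compile and run it with javac and java. The unguarded load ends in the StackOverflowError that XStream would report as InputManipulationException; the guarded load completes and the configuration is available afterwards. The guard only hides the cycle for the duration of the load, so a strategy deserialized that way is never validated by readResolve; whether the check belongs in readResolve at all, or should run once the configuration is fully loaded, is the design question the issue leaves open.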

          Mark Waite added a comment -

          A CloudBees article suggests that the workaround is to remove that file.

          Florin Vancea added a comment -

          Thank you Mark for looking into this issue.

          I suppose that deleting the XML file will practically disable the function of the plugin (authorization by project). This is a workaround for people who do not need that functionality and just got it accidentally configured.

          Mark Waite added a comment -

          I suppose that deleting the XML file will practically disable the function of the plugin (authorization by project). This is a workaround for people who do not need that functionality and just got it accidentally configured.

          Yes, the user would need to reconfigure the authorize project settings after deleting that file. Unfortunately, I am the only maintainer of that plugin and I do not plan to investigate this issue further at this time. You're welcome to investigate the issue further, explore alternatives, and submit a pull request proposing a fix.

          Florin Vancea added a comment -

          Thank you, Mark!

            Assignee: Unassigned
            Reporter: Florin Vancea (florinvancea)
            Votes: 0
            Watchers: 2