[JENKINS-74592] [clif-performance-testing] Migrate legacy checkUrl attributes in org/ow2/clif/jenkins/ClifPublisher/config.jelly

      Note

      While testing this plugin, evaluate whether the third-party libraries in src/main/webapp are compatible with CSP in restrictive mode. The plugin may need to be upgraded from jQuery 1.x to 3.x to fully function in CSP restrictive mode.

      Problems

      == Legacy checkUrl
      Line: 8
      ----
      checkUrl="'${rootURL}/publisher/ClifPublisher/checkClifReportDirectory?value='+escape(this.value)"
      ----
      
      == Legacy checkUrl
      Line: 65
      ----
      checkUrl="'${rootURL}/publisher/ClifPublisher/checkMinTimestamp?value='+escape(this.value)"
      ----
      
      == Legacy checkUrl
      Line: 70
      ----
      checkUrl="'${rootURL}/publisher/ClifPublisher/checkMaxTimestamp?value='+escape(this.value)"
      ----
      
      == Legacy checkUrl
      Line: 83
      ----
      checkUrl="'${rootURL}/publisher/ClifPublisher/checkKeepFactor?value='+escape(this.value)"
      ----
      
      == Legacy checkUrl
      Line: 89
      ----
      checkUrl="'${rootURL}/publisher/ClifPublisher/checkKeepPercentage?value='+escape(this.value)"
      ----
      
      == Legacy checkUrl
      Line: 100
      ----
      checkUrl="'${rootURL}/publisher/ClifPublisher/checkChartWidth?value='+escape(this.value)"
      ----
      
      == Legacy checkUrl
      Line: 106
      ----
      checkUrl="'${rootURL}/publisher/ClifPublisher/checkChartHeight?value='+escape(this.value)"
      ----
      
      == Legacy checkUrl
      Line: 112
      ----
      checkUrl="'${rootURL}/publisher/ClifPublisher/checkDistributionSliceSize?value='+escape(this.value)"
      ----
      
      == Legacy checkUrl
      Line: 117
      ----
      checkUrl="'${rootURL}/publisher/ClifPublisher/checkDistributionSliceNumber?value='+escape(this.value)"
      ----
      
      == Legacy checkUrl
      Line: 123
      ----
      checkUrl="'${rootURL}/publisher/ClifPublisher/checkStatisticalPeriod?value='+escape(this.value)"
      ----
      

      Solution

      https://www.jenkins.io/doc/developer/security/csp/#legacy-javascript-checkurl-validation

          Bruno Dillenseger added a comment -

          I applied changes recommended by the provided solution and successfully tested the plug-in.
          As far as I know/checked, it does not use jQuery. So, may I assume the fix is OK, or what should I do if more investigations are needed?

          Basil Crow added a comment -

          dillense There is a call to eval on line 1432 of src/main/webapp/yui/utilities.js:

          == (g)eval Call
          File: ./src/main/webapp/yui/utilities.js
          Line: 1432
          ----
           eval(
          ----
          

          If reachable, this code will not work with CSP: https://www.jenkins.io/doc/developer/security/csp/#eval-calls

          Looks like this code is in YUI, so you may need to upgrade or replace this library.
