JENKINS-71695

Use jenkins.util.xml.XMLUtils for parsing XMLs


      Since SECURITY-2204, Config File Provider explicitly sets XML constants to prevent XXE attacks. Config File Provider should use jenkins.util.xml.XMLUtils, as mentioned in the TODO added when SECURITY-2204 was resolved.

      In some older environments the XML constants are not supported. For example, see the following, which I think happens if there is an old implementation of JAXP (< 1.5) in the classpath, according to https://bugs.openjdk.org/browse/JDK-8016153:

      FATAL: [ERROR] could not insert credentials into the settings file [GlobalMavenSettingsConfig: id=my-settings, name=my-settings, providerId=org.jenkinsci.plugins.configfiles.maven.GlobalMavenSettingsConfig]
      java.lang.IllegalArgumentException: Property 'http://javax.xml.XMLConstants/property/accessExternalDTD' is not recognized.
      	at org.apache.xerces.jaxp.DocumentBuilderFactoryImpl.setAttribute(Unknown Source)
      	at org.jenkinsci.plugins.configfiles.maven.security.CredentialsHelper.fillAuthentication(CredentialsHelper.java:123)
      	at org.jenkinsci.plugins.configfiles.maven.AbstractMavenSettingsProvider.supplyContent(AbstractMavenSettingsProvider.java:75)
      Caused: java.io.IOException: [ERROR] could not insert credentials into the settings file [GlobalMavenSettingsConfig: id=my-settings, name=my-settings, providerId=org.jenkinsci.plugins.configfiles.maven.GlobalMavenSettingsConfig]
      	at org.jenkinsci.plugins.configfiles.maven.AbstractMavenSettingsProvider.supplyContent(AbstractMavenSettingsProvider.java:77)
      	at org.jenkinsci.lib.configprovider.model.ConfigFileManager.provisionConfigFile(ConfigFileManager.java:107)
      	at org.jenkinsci.plugins.configfiles.buildwrapper.ManagedFileUtil.provisionConfigFiles(ManagedFileUtil.java:82)
      	at org.jenkinsci.plugins.configfiles.buildwrapper.ConfigFileBuildWrapper.setUp(ConfigFileBuildWrapper.java:61)
      	at jenkins.tasks.SimpleBuildWrapper.setUp(SimpleBuildWrapper.java:294)
      	at hudson.model.Build$BuildExecution.doRun(Build.java:157)
      	at hudson.model.AbstractBuild$AbstractBuildExecution.run(AbstractBuild.java:514)
      	at hudson.model.Run.execute(Run.java:1888)
      	at hudson.model.FreeStyleBuild.run(FreeStyleBuild.java:43)
      	at hudson.model.ResourceController.execute(ResourceController.java:99)
      	at hudson.model.Executor.run(Executor.java:432)
      

      Which is how I noticed this TODO task.

      The solution in those cases is to find the source of the old library, for example following https://docs.cloudbees.com/docs/cloudbees-ci-kb/latest/troubleshooting-guides/what-plugin-is-providing-this-class
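The failure above comes from DocumentBuilderFactory.setAttribute throwing IllegalArgumentException for the JAXP 1.5 properties (XMLConstants.ACCESS_EXTERNAL_DTD and friends) on a pre-1.5 parser. The following is an added example, not code from the Config File Provider plugin or from jenkins.util.xml.XMLUtils: it builds a DocumentBuilderFactory that applies the feature-based XXE hardening first and treats the JAXP 1.5 attributes as best-effort, so an old Xerces on the classpath does not turn the hardening into a build failure. The class name HardenedXmlParser and the sample document are constructed for this example; in a Jenkins plugin the recommended route remains XMLUtils, as the issue says.

```java
import java.io.IOException;
import java.io.StringReader;
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.parsers.ParserConfigurationException;
import org.w3c.dom.Document;
import org.xml.sax.InputSource;
import org.xml.sax.SAXException;

// Hypothetical class, written for this example only.
public final class HardenedXmlParser {

    // Constructed sample: a minimal settings-like document with no DOCTYPE.
    static final String SAMPLE =
        "<settings><servers><server><id>my-settings</id></server></servers></settings>";

    static DocumentBuilderFactory newHardenedFactory() throws ParserConfigurationException {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        // Primary XXE defence: refuse any DOCTYPE, so no entity (internal or external) can be declared.
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        // Belt and braces for parsers where a DOCTYPE is still tolerated.
        f.setFeature("http://xml.org/sax/features/external-general-entities", false);
        f.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        f.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        f.setXIncludeAware(false);
        f.setExpandEntityReferences(false);
        // JAXP 1.5 properties. The stack trace in this issue is an old parser rejecting exactly
        // this call, so treat it as best-effort instead of letting it abort the whole operation.
        trySetAttribute(f, XMLConstants.ACCESS_EXTERNAL_DTD, "");
        trySetAttribute(f, XMLConstants.ACCESS_EXTERNAL_SCHEMA, "");
        return f;
    }

    private static void trySetAttribute(DocumentBuilderFactory f, String name, String value) {
        try {
            f.setAttribute(name, value);
        } catch (IllegalArgumentException e) {
            // Parser predates JAXP 1.5 (see JDK-8016153); the feature-based hardening above
            // already blocks DOCTYPE and external entities, so continue rather than fail.
        }
    }

    static Document parse(String xml) throws ParserConfigurationException, SAXException, IOException {
        DocumentBuilder b = newHardenedFactory().newDocumentBuilder();
        return b.parse(new InputSource(new StringReader(xml)));
    }

    public static void main(String[] args) throws Exception {
        // A plain document parses normally.
        Document d = parse(SAMPLE);
        System.out.println("root element: " + d.getDocumentElement().getTagName());

        // Any DOCTYPE, even one declaring only a harmless internal entity, is rejected,
        // which is the behaviour a defender wants to verify after hardening.
        String withDoctype = "<!DOCTYPE x [<!ENTITY e \"value\">]><x>&e;</x>";
        try {
            parse(withDoctype);
            System.out.println("DOCTYPE was accepted: hardening not in effect");
        } catch (SAXException e) {
            System.out.println("DOCTYPE rejected as expected: " + e.getMessage());
        }
    }
}
```

The design point is ordering and failure handling: the feature flags are what actually stop DOCTYPE and entity resolution, and they are understood by the old Xerces in the trace, while the XMLConstants attributes are an additional layer that only newer parsers recognise. Catching the IllegalArgumentException keeps the hardened configuration intact on either parser instead of surfacing as the "could not insert credentials into the settings file" error shown above.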

            allan_burdajewicz Allan BURDAJEWICZ