[JIRA] (JENKINS-48625) Several git repo browser URL formats are not checked or documented


rishabhbudhouliya+jenkins@gmail.com (JIRA)

Jan 30, 2020, 11:10:02 AM
to jenkinsc...@googlegroups.com
Rishabh Budhouliya assigned an issue to Rishabh Budhouliya
 
Jenkins / Improvement JENKINS-48625
Several git repo browser URL formats are not checked or documented
Change By: Rishabh Budhouliya
Assignee: Rishabh Budhouliya
 
This message was sent by Atlassian Jira (v7.13.6#713006-sha1:cc4451f)

rishabhbudhouliya+jenkins@gmail.com (JIRA)

Jan 30, 2020, 11:12:04 AM
to jenkinsc...@googlegroups.com
Rishabh Budhouliya commented on Improvement JENKINS-48625
 
Re: Several git repo browser URL formats are not checked or documented

Mark Waite: Hi, as mentioned by you earlier, there is a need to discuss the security threats related to the doCheck methods where on-the-fly validation needs an external connection. I hope we can discuss that issue here.

rishabhbudhouliya+jenkins@gmail.com (JIRA)

Jan 30, 2020, 11:46:02 AM
to jenkinsc...@googlegroups.com

Also, since browsers like Fisheye have implemented the doCheckURL method and are currently working, that might be a security concern as well.

rishabhbudhouliya+jenkins@gmail.com (JIRA)

Feb 3, 2020, 8:29:04 AM
to jenkinsc...@googlegroups.com
Rishabh Budhouliya started work on Improvement JENKINS-48625
 
Change By: Rishabh Budhouliya
Status: Open → In Progress

mark.earl.waite@gmail.com (JIRA)

Feb 19, 2020, 10:17:03 AM
to jenkinsc...@googlegroups.com

Rishabh Budhouliya: Daniel Beck and Wadeck Follonier reminded me that the form validation developer documentation on jenkins.io describes the @POST annotation which is needed.

That documentation also describes the permission check which is needed before accessing an external URL from the doCheck() method. The assumption is that if the user has permission to configure the job definition, then the external URL can be checked.

mark.earl.waite@gmail.com (JIRA)

Feb 19, 2020, 10:52:05 AM
to jenkinsc...@googlegroups.com
Mark Waite edited a comment on Improvement JENKINS-48625
Rishabh Budhouliya, I had a conversation with Daniel Beck and Wadeck Follonier and they reminded me that the form validation developer documentation on jenkins.io (https://jenkins.io/doc/developer/security/form-validation/) describes the @POST annotation which is needed.

That documentation also describes the permission check which is needed before accessing an external URL from the doCheck() method. The assumption is that if the user has permission to configure the job definition, then the external URL can be checked.

rishabhbudhouliya+jenkins@gmail.com (JIRA)

Feb 19, 2020, 11:49:04 AM
to jenkinsc...@googlegroups.com

Mark Waite, thanks. I have read this documentation and have implemented both @RequirePost annotation and the permission check.
Last time we had a discussion that the scope of the permission check can be reduced from `Jenkins.getInstance().hasPermission()` to `Item.hasPermission()`. 

I have implemented these suggestions, just finishing up the test cases and would raise a PR soon!
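The pattern the two messages above settle on (a doCheck method that only contacts an external URL after a POST and a permission check scoped to the item being configured, rather than a global Jenkins.getInstance().hasPermission() check), as an added example that is not code from the git plugin, the PR, or this thread. The descriptor class ExampleBrowserDescriptor, its package, and the "ExampleBrowser" marker text are hypothetical; the Jenkins and Stapler APIs it uses (FormValidation, FormValidation.URLCheck, @POST, @AncestorInPath, @QueryParameter, Item.CONFIGURE) are the real ones the linked documentation describes.

```java
// Added example, not git plugin code: a repository-browser doCheck method that
// validates a URL on the fly but contacts the remote server only for an
// authorized POST request from a job-configuration context.
package example; // hypothetical package

import hudson.model.Descriptor;
import hudson.model.Item;
import hudson.scm.RepositoryBrowser;
import hudson.util.FormValidation;
import java.io.IOException;
import java.net.MalformedURLException;
import java.net.URL;
import javax.servlet.ServletException;
import org.kohsuke.stapler.AncestorInPath;
import org.kohsuke.stapler.QueryParameter;
import org.kohsuke.stapler.verb.POST;

// Hypothetical descriptor; a real one belongs to a concrete browser class.
public class ExampleBrowserDescriptor extends Descriptor<RepositoryBrowser<?>> {

    @Override
    public String getDisplayName() {
        return "Example browser (hypothetical)";
    }

    // @POST: the validation request must be a POST (with Jenkins' CSRF crumb),
    // so a GET link placed elsewhere cannot make this server fetch a URL.
    @POST
    public FormValidation doCheckRepoUrl(@AncestorInPath Item item,
                                         @QueryParameter(fixEmpty = true) final String repoUrl)
            throws IOException, ServletException {
        // Permission check scoped to the item being edited (Item.CONFIGURE),
        // the reduced scope discussed in the thread. With no item context
        // there is nothing to authorize against, so no connection is made.
        if (item == null || !item.hasPermission(Item.CONFIGURE)) {
            return FormValidation.ok();
        }
        if (repoUrl == null) {
            return FormValidation.ok(); // nothing entered yet
        }

        // Syntactic checks first: they cost nothing and need no network access.
        final URL parsed;
        try {
            parsed = new URL(repoUrl);
        } catch (MalformedURLException e) {
            return FormValidation.error("Not a valid URL: " + repoUrl);
        }
        String scheme = parsed.getProtocol();
        if (!"http".equals(scheme) && !"https".equals(scheme)) {
            return FormValidation.error("Repository browser URL must use http or https");
        }
        if (!repoUrl.endsWith("/")) {
            return FormValidation.warning("The URL should end with a trailing slash");
        }

        // Only now reach out to the server. FormValidation.URLCheck (Jenkins core)
        // performs the fetch and turns connection failures into a user-facing message.
        return new FormValidation.URLCheck() {
            @Override
            protected FormValidation check() throws IOException, ServletException {
                try {
                    // "ExampleBrowser" is a constructed marker; a real descriptor
                    // looks for text the browser product always serves.
                    if (findText(open(parsed), "ExampleBrowser")) {
                        return FormValidation.ok();
                    }
                    return FormValidation.error(
                            "This is a valid URL, but it does not look like an ExampleBrowser instance");
                } catch (IOException e) {
                    return handleIOException(repoUrl, e);
                }
            }
        }.check();
    }
}
```

Returning FormValidation.ok() silently for an unauthorized caller, instead of calling item.checkPermission(Item.CONFIGURE) and letting it throw, keeps the form usable for readers who can see but not edit the job; either choice is acceptable as long as the external fetch happens only after the check passes.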

rishabhbudhouliya+jenkins@gmail.com (JIRA)

Feb 19, 2020, 2:53:02 PM
to jenkinsc...@googlegroups.com

mark.earl.waite@gmail.com (JIRA)

Mar 2, 2020, 2:02:04 PM
to jenkinsc...@googlegroups.com
Mark Waite updated Improvement JENKINS-48625
 

Released in git plugin 4.2.0, March 1, 2020

Change By: Mark Waite
Status: In Review → Resolved
Resolution: Fixed