jenkinsci / generic-webhook-trigger-plugin

Can receive any HTTP request, extract any values from JSON or XML and trigger a job with those values available as variables. Works with GitHub, GitLab, Bitbucket, Jira and many more.
https://plugins.jenkins.io/generic-webhook-trigger

causeString and redefinition of Cause#getShortDescription #228

Closed sephiroth-j closed 2 years ago

sephiroth-j commented 2 years ago

I'll start with a quote from the Jenkins website.

The Cause#getShortDescription method was defined to return a "one line" short snippet of HTML in Jenkins 2.314 and earlier, LTS 2.303.1 and earlier. To prevent further security vulnerabilities like SECURITY-2499 from having an impact on Jenkins users, the method has been redefined to return plain text in Jenkins 2.315 and LTS 2.303.2, and its output is no longer rendered as HTML on the UI.

https://www.jenkins.io/doc/developer/security/xss-prevention/Cause-getShortDescription/

It was possible to use HTML in causeString and e.g. add a nice link back to the source of the pull request. With the newer version of Jenkins the HTML is now displayed as plain text.

The question I am asking myself now is: is HTML in causeString intended or not? Because if it is, then it doesn't work anymore. Otherwise, if it is not intended, the Jenkins security team asks to report it (see the linked web page).

tomasbjerre commented 2 years ago

I'm not sure about intended or not. I have never used HTML in the cause, perhaps some users have.

Sounds to me like it should be reported.

tomasbjerre commented 2 years ago

I created SECURITY-2592. Closing this issue to keep any discussions in the Jira. Thanks for reporting!

tomasbjerre commented 2 years ago

released in 1.82