[JENKINS-46911] createProjectFromXML not recognizing unsafe character '/'

[timja]

I used a fresh Docker LTS install.

If one uses the web interface to create a new job and puts '/' into the name of the job, this will result in an error message that '/' is an unsafe character to use. (This is good behaviour!)

When using Java API 'createProjectFromXML()' the name is not checked for a '/'

 

Following script approvals are needed to reproduce the bug:

method java.lang.String getBytes
method jenkins.model.ModifiableTopLevelItemGroup createProjectFromXML java.lang.String java.io.InputStream
new java.io.ByteArrayInputStream byte[]
staticMethod jenkins.model.Jenkins getInstance

Now create following Pipeline Job:

node('master') {
   def xmlFreestyle = '''


false


true
false
false
false

false



'''
   InputStream is = new ByteArrayInputStream(xmlFreestyle.getBytes())
   Jenkins.getInstance().createProjectFromXML('/aaa/bbb/ccc', is)
}

 

After running the job, a new job 'ccc' will be created.

In /var/jenkins_home/ there will be a directory ./jobs/ccc which contains 'builds' and 'nextBuildNumber'

config.xml will be saved in 

./jobs/aaa/bbb/ccc   (very bad behaviour, leading to data on disk which Jenkins doesn't know anything of)

After restart of jenkins, the job 'ccc' will be gone.

Only moving the config.xml from ./jobs/aaa/bbb/ccc to ./jobs/ccc will make the job reappear.

 

The problem here is that there is no error or exception when creating the job with 

Jenkins.getInstance().createProjectFromXML('/aaa/bbb/ccc'...)

The job 'ccc' even appears in the list of jobs. Only after restart of Jenkins the problem will show up.

 

Proposed solution: 

createProjectFromXML()

should throw an Exception if '/' is in the name.

---

Originally reported by dirkboye, imported from: createProjectFromXML not recognizing unsafe character '/'

• assignee: godfath3r
• status: Open
• priority: Minor
• resolution: Unresolved
• imported: 2022/01/10

[timja]

danielbeck:

Seems like a legitimate issue, even though the internal API use in a pipeline script is not a great idea in general.

[timja]

godfath3r:

https://github.com/jenkinsci/jenkins/pull/3057 will fix this behavior. danielbeck or anyone else, please review.

[timja]

scm_issue_link:

Code changed in jenkins
User: godfath3r
Path:
core/src/main/java/hudson/model/ItemGroupMixIn.java
core/src/main/java/jenkins/model/Jenkins.java
test/src/test/java/hudson/model/ItemGroupMixInTest.java
test/src/test/java/jenkins/model/JenkinsTest.java
test/src/test/java/jenkins/triggers/ReverseBuildTriggerTest.java
http://jenkins-ci.org/commit/jenkins/ac2a1aaf895020bc80fd951ced748820975df6aa
Log:
JENKINS-46911 createProjectFromXML not recognizing unsafe character… (#3057)

• JENKINS-46911 createProjectFromXML not recognizing unsafe character '/'

• Better place for testCreateProjectCheckGoodName()

• Fix failed test

• Make changes suggested on PR review.

• Remove Failure exception, instead throw IOException. Add javadoc

• JENKINS-46911 - Add TODO according to the comment from @jtnord.

[timja]

scm_issue_link:

Code changed in jenkins
User: Oleg Nenashev
Path:
core/src/main/java/jenkins/model/Jenkins.java
http://jenkins-ci.org/commit/jenkins/180850d3633220c0e8a3949ff5086fe0b7acc420
Log:
JENKINS-46911 - Revert trimming of name in Jenkins#checkGoodName() introduced in #3057

[timja]

scm_issue_link:

Code changed in jenkins
User: Oleg Nenashev
Path:
core/src/main/java/hudson/model/ItemGroupMixIn.java
core/src/main/java/jenkins/model/Jenkins.java
test/src/test/java/hudson/model/ItemGroupMixInTest.java
test/src/test/java/jenkins/model/JenkinsTest.java
test/src/test/java/jenkins/triggers/ReverseBuildTriggerTest.java
http://jenkins-ci.org/commit/jenkins/b7c48a7a231dcd281f4fa96231ab70084f8a19b4
Log:
Revert "JENKINS-46911 createProjectFromXML not recognizing unsafe character… (#3057)"

This reverts commit ac2a1aaf895020bc80fd951ced748820975df6aa.

Compare: https://github.com/jenkinsci/jenkins/compare/cc9b1053ad27^...b7c48a7a231d