Jenkins / JENKINS-44010

Check nullability of getCrumbIssuer() on the Wizard


      Description

      Jenkins.getInstance().getCrumbIssuer() method could potentially be null and the Admin user creation page is not checking it.

       

      See the comment from Antonio Muñiz in https://github.com/jenkinsci/jenkins/commit/3c3977395633db0a2c9a29550e0249451fa97ba0#commitcomment-21985458

            Activity

            oleg_nenashev Oleg Nenashev added a comment -

            If you expect it to be backported, there should be a much better description of the problem and the impact. As Jesse Glick said in another chat, this is probably a bad use-case.

            jglick Jesse Glick added a comment -

            I do not propose this as an lts-candidate.

            jglick Jesse Glick added a comment -

            Reproducible with difficulty:

            • start Jenkins on fresh home
            • log in as initial admin user
            • install custom plugins, click None and proceed
            • browse to /configureSecurity/ and uncheck Prevent Cross Site Request Forgery exploits and Save the form
            • return to the dashboard, showing the setup wizard again
            • fill out admin user form and submit

            … org.eclipse.jetty.util.log.JavaUtilLog warn
            WARNING: Error while serving …/setupWizard/createAdminUser
            java.lang.reflect.InvocationTargetException
            	at …
            Caused by: java.lang.NullPointerException
            	at jenkins.install.SetupWizard.doCreateAdminUser(SetupWizard.java:257)
            	at java.lang.invoke.MethodHandle.invokeWithArguments(MethodHandle.java:627)
            	at org.kohsuke.stapler.Function$MethodFunction.invoke(Function.java:343)
            	... 67 more
            
            scm_issue_link SCM/JIRA link daemon added a comment -

            Code changed in jenkins
            User: Jesse Glick
            Path:
            core/src/main/java/jenkins/install/SetupWizard.java
            core/src/main/java/jenkins/model/Jenkins.java
            http://jenkins-ci.org/commit/jenkins/ae1fdc95a1d50df65a97447ff536d21cb2c5dba2
            Log:
            [FIXED JENKINS-44010] It is possible for Jenkins.crumbIssuer to be unset while the setup wizard is running.
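
An added example, not Jenkins source code and not the committed fix: the nullable crumb issuer condition from the comments above as a stand-alone Java program, with the unchecked dereference beside the null-checked form. `Instance`, the two-method `CrumbIssuer` interface, the response helpers and the map keys are assumed stand-ins, and the sample values are constructed.

```java
import java.util.LinkedHashMap;
import java.util.Map;

public class CrumbNullCheckDemo {
    // Stand-in for Jenkins' CrumbIssuer (hypothetical shape; no request argument).
    interface CrumbIssuer {
        String getCrumbRequestField();
        String getCrumb();
    }
    // Stand-in for the Jenkins singleton; the issuer is null once CSRF protection is unchecked.
    static class Instance {
        private final CrumbIssuer crumbIssuer;
        Instance(CrumbIssuer crumbIssuer) { this.crumbIssuer = crumbIssuer; }
        CrumbIssuer getCrumbIssuer() { return crumbIssuer; } // may return null
    }
    // Unchecked pattern: dereferences the issuer without testing it.
    static Map<String, String> responseUnchecked(Instance j) {
        CrumbIssuer issuer = j.getCrumbIssuer();
        Map<String, String> data = new LinkedHashMap<>();
        data.put("crumbRequestField", issuer.getCrumbRequestField()); // NPE when issuer is null
        data.put("crumb", issuer.getCrumb());
        return data;
    }

    // Checked pattern: crumb fields are added only when an issuer is configured.
    static Map<String, String> responseChecked(Instance j) {
        CrumbIssuer issuer = j.getCrumbIssuer();
        Map<String, String> data = new LinkedHashMap<>();
        if (issuer != null) {
            data.put("crumbRequestField", issuer.getCrumbRequestField());
            data.put("crumb", issuer.getCrumb());
        }
        return data;
    }

    public static void main(String[] args) {
        Instance csrfOn = new Instance(new CrumbIssuer() {
            public String getCrumbRequestField() { return "Sample-Crumb-Field"; } // constructed
            public String getCrumb() { return "constructed-sample-crumb"; }       // constructed
        });
        Instance csrfOff = new Instance(null); // state after the /configureSecurity/ step
        System.out.println("CSRF on:  " + responseChecked(csrfOn));
        System.out.println("CSRF off: " + responseChecked(csrfOff));
        try {
            responseUnchecked(csrfOff);
        } catch (NullPointerException e) {
            System.out.println("unchecked path: NullPointerException");
        }
    }
}
```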

            oleg_nenashev Oleg Nenashev added a comment -

            I have added the "lts-candidate" flag, because the fix is trivial enough && extra annotations never hurt

            scm_issue_link SCM/JIRA link daemon added a comment -

            Code changed in jenkins
            User: Jesse Glick
            Path:
            core/src/main/java/jenkins/install/SetupWizard.java
            core/src/main/java/jenkins/model/Jenkins.java
            http://jenkins-ci.org/commit/jenkins/543d184004e175da1efca68d9769eaa838763606
            Log:
            [FIXED JENKINS-44010] It is possible for Jenkins.crumbIssuer to be unset while the setup wizard is running.

            (cherry picked from commit ae1fdc95a1d50df65a97447ff536d21cb2c5dba2)


              People

              • Assignee: Jesse Glick (jglick)
              • Reporter: Alvaro Lobato (alobato)