  1. Jenkins
  2. JENKINS-48625

Several git repo browser URL formats are not checked or documented

      Description

      When filling in the "Configure Repository Browser" section in a multibranch pipeline Git section, or in a regular freestyle job, the URL format is neither specified nor hinted at for the following browsers:

      • Assembla
      • Gitiles
      • ViewGitWeb
      • GitBlit

      According to Mark Waite, the FormValidation needs some update for these browsers - and some automated tests would help for the FormValidation implementations.

            Activity

            rishabhbudhouliya Rishabh Budhouliya added a comment -

            Mark Waite Hi, as mentioned by you earlier, there is a need to discuss the security threats related to the doCheck methods where on-the-fly validation needs an external connection. I hope we can discuss that issue here.

            rishabhbudhouliya Rishabh Budhouliya added a comment -

            Also, since browsers like Fisheye have implemented the doCheckURL method and are currently working, that might be a security concern as well.

            markewaite Mark Waite added a comment - - edited

            Rishabh Budhouliya, I had a conversation with Daniel Beck and Wadeck Follonier and they reminded me that the form validation developer documentation on jenkins.io describes the @POST annotation which is needed.

            That documentation also describes the permission check which is needed before accessing an external URL from the doCheck() method. The assumption is that if the user has permission to configure the job definition, then the external URL can be checked.

            rishabhbudhouliya Rishabh Budhouliya added a comment -

            Mark Waite, thanks. I have read this documentation and have implemented both @RequirePost annotation and the permission check.
            Last time we had a discussion that the scope of the permission check can be reduced from `Jenkins.getInstance().hasPermission()` to `Item.hasPermission()`. 

            I have implemented these suggestions, just finishing up the test cases and would raise a PR soon!
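
The pattern discussed in the comments above (a POST-only `doCheck` method with a permission check scoped to the item), as an added example; it is not the code from the git plugin or its pull request. `ExampleBrowser` and its `repoUrl` field are hypothetical, and the validation shown is syntax-only.

```java
// Added example: ExampleBrowser is hypothetical, not a git plugin class.
import hudson.Extension;
import hudson.Util;
import hudson.model.AbstractDescribableImpl;
import hudson.model.Descriptor;
import hudson.model.Item;
import hudson.util.FormValidation;
import java.net.URI;
import java.net.URISyntaxException;
import jenkins.model.Jenkins;
import org.kohsuke.stapler.AncestorInPath;
import org.kohsuke.stapler.QueryParameter;
import org.kohsuke.stapler.interceptor.RequirePOST;

public class ExampleBrowser extends AbstractDescribableImpl<ExampleBrowser> {

    @Extension
    public static class DescriptorImpl extends Descriptor<ExampleBrowser> {

        // POST-only: a GET request (for example from a crafted link) is rejected.
        @RequirePOST
        public FormValidation doCheckRepoUrl(@AncestorInPath Item item,
                                             @QueryParameter String value) {
            // Gate first. Outside a job context fall back to the global check;
            // inside one, the narrower Item.CONFIGURE is enough.
            if (item == null) {
                if (!Jenkins.get().hasPermission(Jenkins.ADMINISTER)) {
                    return FormValidation.ok();
                }
            } else if (!item.hasPermission(Item.CONFIGURE)) {
                return FormValidation.ok(); // say nothing to unauthorised callers
            }
            String url = Util.fixEmptyAndTrim(value);
            if (url == null) return FormValidation.ok();
            try {
                URI uri = new URI(url);
                String scheme = uri.getScheme();
                boolean http = "http".equalsIgnoreCase(scheme) || "https".equalsIgnoreCase(scheme);
                if (!http || uri.getHost() == null) {
                    return FormValidation.error("Expected an absolute http(s) URL");
                }
            } catch (URISyntaxException e) {
                return FormValidation.error("Invalid URL: " + e.getReason());
            }
            // Any outbound connection to the URL would go here, after the gate.
            return FormValidation.ok();
        }
    }
}
```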

            rishabhbudhouliya Rishabh Budhouliya added a comment -

            Fix for this issue: https://github.com/jenkinsci/git-plugin/pull/841

            markewaite Mark Waite added a comment -

            Released in git plugin 4.2.0 March 1, 2020


              People

              • Assignee:
                rishabhbudhouliya Rishabh Budhouliya
                Reporter:
                saucistophe Christophe Carpentier