  1. Jenkins
  2. JENKINS-54051

GitHub-Branch-Source plugin 2.3.5 Security Update causing error in adding GitHub Enterprise Servers

      Description

      Version 2.3.5 of the GitHub-Branch-Source Plugin introduced a bug that causes an error, "This URL Requires POST", to be displayed when trying to add GitHub Enterprise Servers within `Manage Jenkins -> Configure System -> GitHub Enterprise Servers`, as the new security patch in 2.3.5 is background checking valid URLs. This error displays whether the `API endpoint` field is blank or has a valid endpoint specified.

      Downgrading to version 2.3.4 of the GitHub-Branch-Source Plugin no longer displays the error.

      Picture is attached showing the error.

            Activity

            ba_magna Bosse Arndt added a comment -

            Hi,

            is there a workaround available for this issue?

            At the mentioned URL it was proposed to downgrade the versions of the git, github and git-branch plugins. Does that fix the issue?

            Best regards
            Bosse

            pjdarton pjdarton added a comment - - edited

            Bosse Arndt FYI the workaround is to "just ignore it" :-/

            These form-validation errors (should) have no functional impact on how the plugin works once configured - they only affect the cosmetic appearance of the configuration UI.  As long as you enter in the correct configuration information, you can ignore the error.  All that's missing is the dynamic form validation functionality - the rest of the plugin should work just fine.

            If you need the assistance that the form-validation code provides then you could downgrade the plugin, work out what configuration you need, and then upgrade again.  You could even install Jenkins in a VM with an earlier version of the plugin purely to experiment with configuration options before putting in the "known correct" values into your main Jenkins server(s), which would allow you to keep the insecure versions out of your main Jenkins server(s).

            TL;DR: It's ugly as hell (and should've been fixed as part of the security changes that caused it), but it's not serious.

             

            edit#2 The changes are now merged, so you could download the bleeding-edge plugin built by the Jenkins CI build https://ci.jenkins.io/job/Plugins/job/github-branch-source-plugin/job/master/lastSuccessfulBuild/artifact/target/ by downloading the .hpi file and then using the "advanced" section of the Jenkins plugin page to upload that.  That should keep you going until the next version is officially released.

            carroll Carroll Chiou added a comment -

            Issue was with the `checkMethod="post"` being in the wrong field of a config jelly file.
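
An added illustration of the root cause named in the comment above, not the plugin's own code: the field names `name` and `apiUri`, the form layout and the Java method name are assumptions, and the page does not say which field actually carried the attribute. A check method protected with `@RequirePOST` rejects the GET request that form validation sends by default, so `checkMethod="post"` has to sit on the control whose check method is protected.

```xml
<?jelly escape-by-default='true'?>
<!--
  Constructed config.jelly fragment; field names are hypothetical.

  Server side, shown here for context (Java, hypothetical method name):

    @RequirePOST
    public FormValidation doCheckApiUri(@QueryParameter String value) { ... }

  Stapler refuses any non-POST request to a @RequirePOST method, and the
  form shows that refusal next to the field as a validation error.
-->
<j:jelly xmlns:j="jelly:core" xmlns:f="/lib/form">

  <!--
    BEFORE (attribute on the wrong field):

      <f:entry title="Name" field="name">
        <f:textbox checkMethod="post"/>
      </f:entry>
      <f:entry title="API endpoint" field="apiUri">
        <f:textbox/>
      </f:entry>

    The apiUri textbox still validates with GET, so the protected check
    method answers "This URL requires POST" for every value, blank or valid.
  -->

  <!-- AFTER: the POST hint sits on the control whose check is protected. -->
  <f:entry title="Name" field="name">
    <f:textbox/>
  </f:entry>
  <f:entry title="API endpoint" field="apiUri">
    <f:textbox checkMethod="post"/>
  </f:entry>

</j:jelly>
```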

            ba_magna Bosse Arndt added a comment -

            pjdarton Thank you very much for this information!

            I will keep doing this.


              People

              • Assignee: carroll Carroll Chiou
              • Reporter: towens Trey Owens
              • Votes: 7
              • Watchers: 12
