Uploaded image for project: 'Jenkins'
  1. Jenkins
  2. JENKINS-61428

Control chars in Git commit messages cause invalid JSON from REST API

    Details

    • Type: Bug
    • Status: Open (View Workflow)
    • Priority: Major
    • Resolution: Unresolved
    • Component/s: core
    • Environment:
      Jenkins version: 2.199
      Git plugin version: 3.12.1
      OS version: CentOS 7 (3.10.0-1062.1.2.el7.x86_64)
      Java version: 1.8.0_121
      no Tomcat, no reverse proxy
    • Similar Issues:

      Description

      Jenkins generates invalid JSON on http://.../api/json url due to Git commit messages are included in changeset comment attribute as is (the control chars like \x00-\x1F are not filtered).

      The excerpt of JSON structure is attached.

        Attachments

          Activity

          Hide
          markewaite Mark Waite added a comment -

          Thanks for the report. I agree that is a bug. The JSON specification for strings states that:

          All Unicode characters may be placed within the quotation marks, except for the characters that MUST be escaped: quotation mark, reverse solidus, and the control characters (U+0000 through U+001F).

          The example you provided shows a "control-A" character that should be escaped but is not escaped. I believe that character should have been represented as \u0001 instead.

          Show
          markewaite Mark Waite added a comment - Thanks for the report. I agree that is a bug. The JSON specification for strings states that: All Unicode characters may be placed within the quotation marks, except for the characters that MUST be escaped: quotation mark, reverse solidus, and the control characters (U+0000 through U+001F). The example you provided shows a "control-A" character that should be escaped but is not escaped. I believe that character should have been represented as \u0001 instead.
          Hide
          markewaite Mark Waite added a comment -

          I believe this is an issue in Jenkins core rather than a specific issue in the git plugin.

          Show
          markewaite Mark Waite added a comment - I believe this is an issue in Jenkins core rather than a specific issue in the git plugin.
          Hide
          covid19 Evgeny Boloboshkin added a comment -

          Mark Waite assign the ticket please.

          Show
          covid19 Evgeny Boloboshkin added a comment - Mark Waite assign the ticket please.
          Hide
          oleg_nenashev Oleg Nenashev added a comment - - edited

          I confirm this is an issue in the Jenkins core, likely even in the Stapler framework:

          Evgeny Boloboshkin Jenkins is a contributor-driven project, everybody is welcome to submit pull requests or to facilitate issue resolution in any other ways (visibility, reviews, etc.). There is no default assignee in the Jenkins core by default, and there is no ETA for the fix. If you are interested to submit a fix, please see the guidelines here: https://github.com/jenkinsci/jenkins/blob/master/CONTRIBUTING.md

           

          Show
          oleg_nenashev Oleg Nenashev added a comment - - edited I confirm this is an issue in the Jenkins core, likely even in the Stapler framework:  There is no special filtering in the constructor or getter of  https://github.com/jenkinsci/jenkins/blob/master/core/src/main/java/hudson/scm/ChangeLogSet.java  . Since the class does not control export formats on its own, I believe this is a right behavior (though a risky one) JSON serialization is a maze, but I believe that the data escaping is done here:  https://github.com/stapler/stapler/blob/master/core/src/main/java/org/kohsuke/stapler/export/JSONDataWriter.java#L103-L138 The escaping code does not seem to be sufficient for the reported issue Evgeny Boloboshkin Jenkins is a contributor-driven project, everybody is welcome to submit pull requests or to facilitate issue resolution in any other ways (visibility, reviews, etc.). There is no default assignee in the Jenkins core by default, and there is no ETA for the fix. If you are interested to submit a fix, please see the guidelines here:  https://github.com/jenkinsci/jenkins/blob/master/CONTRIBUTING.md  

            People

            • Assignee:
              Unassigned
              Reporter:
              covid19 Evgeny Boloboshkin
            • Votes:
              0 Vote for this issue
              Watchers:
              3 Start watching this issue

              Dates

              • Created:
                Updated: