Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

[JENKINS-74883] Remove unsafe eval call from third-party library #2589

Open
wants to merge 4 commits into
base: master
Choose a base branch
from
Open

[JENKINS-74883] Remove unsafe eval call from third-party library #2589

wants to merge 4 commits into from

Conversation

basil
Copy link
Member

@basil basil commented Nov 19, 2024
edited
Loading

Context

See JENKINS-74883.

Problem

EvalError: call to Function() blocked by CSP
    optimizeLookup https://127.0.0.1/adjuncts/f72d66ff/io/jenkins/blueocean/blueocean-core-js.js:48503
    [223]</< https://127.0.0.1/adjuncts/f72d66ff/io/jenkins/blueocean/blueocean-core-js.js:48507
    [223]< https://127.0.0.1/adjuncts/f72d66ff/io/jenkins/blueocean/blueocean-core-js.js:49728
    o https://127.0.0.1/adjuncts/f72d66ff/io/jenkins/blueocean/blueocean-core-js.js:1
    o https://127.0.0.1/adjuncts/f72d66ff/io/jenkins/blueocean/blueocean-core-js.js:1
    [222]< https://127.0.0.1/adjuncts/f72d66ff/io/jenkins/blueocean/blueocean-core-js.js:48330
    o https://127.0.0.1/adjuncts/f72d66ff/io/jenkins/blueocean/blueocean-core-js.js:1
    o https://127.0.0.1/adjuncts/f72d66ff/io/jenkins/blueocean/blueocean-core-js.js:1
    [238]</< https://127.0.0.1/adjuncts/f72d66ff/io/jenkins/blueocean/blueocean-core-js.js:53245
    [238]< https://127.0.0.1/adjuncts/f72d66ff/io/jenkins/blueocean/blueocean-core-js.js:53710
    o https://127.0.0.1/adjuncts/f72d66ff/io/jenkins/blueocean/blueocean-core-js.js:1
    o https://127.0.0.1/adjuncts/f72d66ff/io/jenkins/blueocean/blueocean-core-js.js:1
    [230]< https://127.0.0.1/adjuncts/f72d66ff/io/jenkins/blueocean/blueocean-core-js.js:51456
    o https://127.0.0.1/adjuncts/f72d66ff/io/jenkins/blueocean/blueocean-core-js.js:1
    o https://127.0.0.1/adjuncts/f72d66ff/io/jenkins/blueocean/blueocean-core-js.js:1
    [233]< https://127.0.0.1/adjuncts/f72d66ff/io/jenkins/blueocean/blueocean-core-js.js:51983
    o https://127.0.0.1/adjuncts/f72d66ff/io/jenkins/blueocean/blueocean-core-js.js:1
    o https://127.0.0.1/adjuncts/f72d66ff/io/jenkins/blueocean/blueocean-core-js.js:1
    [248]</< https://127.0.0.1/adjuncts/f72d66ff/io/jenkins/blueocean/blueocean-core-js.js:54046
    [248]< https://127.0.0.1/adjuncts/f72d66ff/io/jenkins/blueocean/blueocean-core-js.js:54193
    o https://127.0.0.1/adjuncts/f72d66ff/io/jenkins/blueocean/blueocean-core-js.js:1
    o https://127.0.0.1/adjuncts/f72d66ff/io/jenkins/blueocean/blueocean-core-js.js:1
    [243]< https://127.0.0.1/adjuncts/f72d66ff/io/jenkins/blueocean/blueocean-core-js.js:53979
    o https://127.0.0.1/adjuncts/f72d66ff/io/jenkins/blueocean/blueocean-core-js.js:1
    o https://127.0.0.1/adjuncts/f72d66ff/io/jenkins/blueocean/blueocean-core-js.js:1
    [379]< https://127.0.0.1/adjuncts/f72d66ff/io/jenkins/blueocean/blueocean-core-js.js:71583
    o https://127.0.0.1/adjuncts/f72d66ff/io/jenkins/blueocean/blueocean-core-js.js:1
    o https://127.0.0.1/adjuncts/f72d66ff/io/jenkins/blueocean/blueocean-core-js.js:1
    [375]< https://127.0.0.1/adjuncts/f72d66ff/io/jenkins/blueocean/blueocean-core-js.js:70717
    o https://127.0.0.1/adjuncts/f72d66ff/io/jenkins/blueocean/blueocean-core-js.js:1
    o https://127.0.0.1/adjuncts/f72d66ff/io/jenkins/blueocean/blueocean-core-js.js:1
    [377]< https://127.0.0.1/adjuncts/f72d66ff/io/jenkins/blueocean/blueocean-core-js.js:71215
    o https://127.0.0.1/adjuncts/f72d66ff/io/jenkins/blueocean/blueocean-core-js.js:1
    o https://127.0.0.1/adjuncts/f72d66ff/io/jenkins/blueocean/blueocean-core-js.js:1
    [376]< https://127.0.0.1/adjuncts/f72d66ff/io/jenkins/blueocean/blueocean-core-js.js:71127
    o https://127.0.0.1/adjuncts/f72d66ff/io/jenkins/blueocean/blueocean-core-js.js:1
    o https://127.0.0.1/adjuncts/f72d66ff/io/jenkins/blueocean/blueocean-core-js.js:1
    execute https://127.0.0.1/adjuncts/f72d66ff/io/jenkins/blueocean/blueocean-core-js.js:68818
    ___exec https://127.0.0.1/adjuncts/f72d66ff/io/jenkins/blueocean/blueocean-core-js.js:67756
    make https://127.0.0.1/adjuncts/f72d66ff/io/jenkins/blueocean/blueocean-core-js.js:2834
    ___$$$___exec https://127.0.0.1/adjuncts/f72d66ff/io/jenkins/blueocean/blueocean-core-js.js:67753
    ___$$$___doBundleInit https://127.0.0.1/adjuncts/f72d66ff/io/jenkins/blueocean/blueocean-core-js.js:67830
    [348]</< https://127.0.0.1/adjuncts/f72d66ff/io/jenkins/blueocean/blueocean-core-js.js:67842
    doFulfill https://127.0.0.1/adjuncts/f72d66ff/io/jenkins/blueocean/blueocean-core-js.js:2860
    onFulfilled https://127.0.0.1/adjuncts/f72d66ff/io/jenkins/blueocean/blueocean-core-js.js:2872
    [348]< https://127.0.0.1/adjuncts/f72d66ff/io/jenkins/blueocean/blueocean-core-js.js:67841
    o https://127.0.0.1/adjuncts/f72d66ff/io/jenkins/blueocean/blueocean-core-js.js:1
    r https://127.0.0.1/adjuncts/f72d66ff/io/jenkins/blueocean/blueocean-core-js.js:1
    <anonymous> https://127.0.0.1/adjuncts/f72d66ff/io/jenkins/blueocean/blueocean-core-js.js:1
blueocean-core-js.js:67758:17

Solution

Pull in skeggse/isemail#12, first released in https://github.com/skeggse/isemail/releases/tag/v2.1.2.

Implementation

Override the transitive dependency. The overrides feature could be used for this, but it was introduced in NPM version 8, while we are still on NPM 6.14.4. NPM 6.14.4 doesn't natively support overrides, but we can use the npm-force-resolutions package to enforce specific versions for dependencies as recommended here. This PR sets up that package as described in its README, then uses it to override the version of isemail to 2.1.2.

Testing done

Tested together with #2587, #2588, and

diff --git a/blueocean-web/src/main/resources/io/jenkins/blueocean/BlueOceanUI/index.jelly b/blueocean-web/src/main/resources/io/jenkins/blueocean/BlueOceanUI/index.jelly
index dc61f3c0d..fa7e41d48 100644
--- a/blueocean-web/src/main/resources/io/jenkins/blueocean/BlueOceanUI/index.jelly
+++ b/blueocean-web/src/main/resources/io/jenkins/blueocean/BlueOceanUI/index.jelly
@@ -1,6 +1,7 @@
 <?jelly escape-by-default='true'?>
 <j:jelly xmlns:j="jelly:core" xmlns:st="jelly:stapler" xmlns:x="jelly:xml">
     <st:contentType value="text/html;charset=UTF-8"/>
+    <st:header name="Content-Security-Policy" value="default-src 'self'; style-src 'self' 'unsafe-inline'; img-src 'self' data: ; script-src 'self' 'report-sample' usage.jenkins.io" />
 
     <!-- Add HTTP headers from extensions. See BluePageDecorator.java -->
     <j:forEach var="pd" items="${it.pageDecorators}">

Note that the above does not contain unsafe-eval, exposing JENKINS-74883.

Confirmed that after the header was added but before this PR, Blue Ocean blew up with the CSP violation described in the Problem section.

Confirmed that after the header was added and after this PR, Blue Ocean loaded successfully and I could browse both Pipeline jobs and Pipeline runs without any errors in the console log. Confirmed that the CSP header was being sent without unsafe-eval.

Submitter checklist

  • Link to JIRA ticket in description, if appropriate.
  • Change is code complete and matches issue description
  • Appropriate unit or acceptance tests or explanation to why this change has no tests
  • Reviewer's manual test instructions provided in PR description. See Reviewer's first task below.

Reviewer checklist

  • Run the changes and verified the change matches the issue description
  • Reviewed the code
  • Verified that the appropriate tests have been written or valid explanation given

@basil basil added the internal label Nov 19, 2024
@basil basil marked this pull request as ready for review November 20, 2024 02:27
@basil basil requested a review from a team as a code owner November 20, 2024 02:27
@basil basil requested a review from olamy November 20, 2024 11:42
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@yaroslavafenkin yaroslavafenkin yaroslavafenkin approved these changes

@olamy olamy Awaiting requested review from olamy

At least 1 approving review is required to merge this pull request.

Assignees
No one assigned
Labels
internal
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
3 participants
@basil @yaroslavafenkin @olamy