Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Restore the ability to include clickable links in test output #481

Open
BonusLord opened this issue Jan 20, 2023 · 13 comments · May be fixed by #669
Open

Restore the ability to include clickable links in test output #481

BonusLord opened this issue Jan 20, 2023 · 13 comments · May be fixed by #669

Comments

@BonusLord
Copy link

What feature do you want to see added?

To address security-2888, the ability to display clickable links in JUnit test output was removed entirely. Our test suite leans heavily on this feature to help streamline the process of troubleshooting failed tests and other issues, so losing the ability to have clickable links in the output has significantly impaired the usability of our test results.

Is it possible to restore this functionality in a way that does not expose an potential XSS exploit? (I noticed that the security issue mentioned that the auto-hyperlinking was "done in an unsafe manner", which seems to imply that there is a safe way to accomplish this.)

Alternatively, perhaps allowing hyperlinks could become an opt-in setting for users that are willing to trust the limited set of actors that would actually have the access / opportunity to inject something malicious into unit test output?

Upstream changes

No response

@timja
Copy link
Member

timja commented Jan 20, 2023

cc @julieheard

@julieheard
Copy link
Contributor

Just putting a note here to say I have seen this and am digging back into it. I will come back and update when I know a bit more or have an action plan 👍

@academic-sakharov
Copy link

+1 vote for this case, our team also lack this functionality.

@Ingo987
Copy link

Ingo987 commented May 10, 2023

Totally agree with this request. Actually, we are refraining from updating because it is very cumbersome to enter the links manually into the browser instead of being able to click it.
Already filed a JIRA ticket months ago.

@timja
Copy link
Member

timja commented May 10, 2023

@julieheard ?

@julieheard
Copy link
Contributor

Hi, This is still on my radar. Sorry no update yet as have not had time to get to it. I will find the jira ticket and bookmark it.

@Ingo987
Copy link

Ingo987 commented May 16, 2023 via email

@Ingo987
Copy link

Ingo987 commented Jul 3, 2023 via email

@HeikoNardmann
Copy link

Isn't using "escapeHtml()" from

https://commons.apache.org/proper/commons-lang/javadocs/api-2.6/org/apache/commons/lang/StringEscapeUtils.html

the better way than doing it manually?

@Ingo987
Copy link

Ingo987 commented Jul 14, 2023 via email

@julieheard
Copy link
Contributor

julieheard commented Aug 4, 2023

Sorry for the delay in getting to this, pull request here: #555 Please give any feedback and I can tweak the level of sanitizing the URLs 😃

@BonusLord
Copy link
Author

I notice that Jenkins automatically makes links clickable when URLs show up in the "Console Output" of a job. Perhaps the JUnit plugin can hook into the same method that is being used to link-ify URLs in vanilla Jenkins job console output?

TBH I don't really understand what the original security problem even was here. Was the primary concern that people would craft URLs which include malicious JavaScript or something?

@timja
Copy link
Member

timja commented Nov 19, 2024

TBH I don't really understand what the original security problem even was here. Was the primary concern that people would craft URLs which include malicious JavaScript or something?

Exactly that yes.

There was an attempt at fixing it in: #555
but it wasn't successful.

Perhaps the JUnit plugin can hook into the same method that is being used to link-ify URLs in vanilla Jenkins job console output?

Maybe an attempt on the client side would be more successful

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Projects
None yet
6 participants