Remove getBySHA1 REST API obsoleted by SECURITY-595#644
Merged
MarkEWaite merged 1 commit intojenkinsci:masterfrom Dec 9, 2018
Merged
Remove getBySHA1 REST API obsoleted by SECURITY-595#644MarkEWaite merged 1 commit intojenkinsci:masterfrom
MarkEWaite merged 1 commit intojenkinsci:masterfrom
Conversation
The SECURITY-595 security fix for Jenkins core prevents access to the URL /job/<Job Name here>/scm/. That prevents access to …/scm/bySHA1/…. That change breaks this undocumented feature with no test coverage. Since Git plugin 4.0 is a major release, let's use the major release to remove this unusable API. If we find a critical need to provide this REST API, it can be moved to the Descriptor. Descriptors are already involved in URL handling and will work out of the box.
MarkEWaite
force-pushed
the
remove-getBySHA1-REST-API
branch
from
b83dbdb to
eab515e
Compare
daniel-beck
approved these changes
Dec 9, 2018
Member
There was a problem hiding this comment.
Works for me.
If there's actual demand for this, we can always restore it as /job/whatever/descriptor/hudson.plugins.git.GitSCM/bySHA1/<SHA-1> (via GitSCM's Descriptor) or job/whatever/byGitSHA1/<SHA-1> (via TransientActionFactory). Both are pretty straightforward.
Member
|
Updated https://wiki.jenkins.io/display/JENKINS/Plugins+affected+by+the+SECURITY-595+fix with a notice that the feature is being removed from the plugin. |
Contributor
Author
|
Thanks @daniel-beck ! |
MarkEWaite
added
bugfix
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
2 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
SECURITY-595 - Remove obsolete REST API
The SECURITY-595 security fix for Jenkins core prevents access to the URL /job//scm/. That prevents access to …/scm/bySHA1/…. That change breaks this undocumented feature.
Since Git plugin 4.0 is a major release, let's use the major release to remove this unusable API.
Checklist
Types of changes
Further comments
If we find a critical need to provide this REST API, it can be reinstated on the Descriptor. Descriptors are already involved in URL handling and will work out of the box.