[JENKINS-50154] Fix webhook payload signature generation when Unicode symbols are present in it #242
Conversation
Previous name wasn't very clear
Hmm, all those CheckStyle errors are TODO comments, should I fix that?
I don't know why I was notified about this pull request. I don't know the Jenkins code base and I'm no expert in Java unicode handling (though Thanks for the fix and for making Jenkins better!
Oh yes, I also meant to say, as an outsider, I don't see adding a dependency on apache-commons.text as a liability, especially if done for the sake of avoiding deprecated function calls.
@limitedAtonement I'm sorry you've received an unwanted notification, but thank you for the review! I completely agree about the number of commits, I've just got used to the way it is configured in my team's repo - all commits in a PR are squashed before merge. I also agree about the new dependency - I think it is better in the long run.
…load [GHWebhookSignatureTest] Add test to check signature generation for unicode payloads [GHWebhookSignatureTest] Fix test data We should've pass all those \uXXXX to function, but Java was keeping them as unicode characters inside [GHWebhookSignature] Use modules available via pom.xml to perform unescape [GHWebhookSignatureTest] Explain test data choice [GHWebhookSignatureTest] Remove escaped unicode from comments
force-pushed from b912826 to a728333
@KostyaSha could you please take a look?
Any ETA on this? Webhooks are completely unusable for us.
@jonathonbattista as a workaround you can build a plugin from my fork https://github.com/ababushk/github-plugin/tree/JENKINS_50154_unicode_payload . You need Java and Maven installed on your system. After you clone the repo, execute
Checkstyle errors will be fixed in #243
Looks good!
I think we can try it
Jobs stopped triggering for us on merges/new PRs after updating to v1.33.0. Can this be the reason? We had to downgrade to 1.32.0
It looks like I have the same problem:
I have commented on the Jira issue.
Same here. I also had to downgrade to 1.32.0 due to the signature mismatch errors. This PR looks completely broken to me.
@KostyaSha could we revert this while I'm searching for the fix?
The previous version is still available here https://updates.jenkins-ci.org/download/plugins/github/1.32.0/github.hpi . It seems like it was already removed from the plugin registry though; you can install it from the link above manually if necessary.
@ababushk could you PR a revert? I can merge and release then (automatic revert on the GH web UI doesn't work)
I've created a PR to revert this #246 |
Revert "Merge pull request #242 from ababushk/JENKINS_50154_unicode_p…
merged revert and released 1.33.1 |
v1.33.0 has a regression breaking GitHub webhooks. It was fixed in v1.33.1: jenkinsci/github-plugin#242 This is the only change in v1.33.1 so should be safe: jenkinsci/github-plugin@v1.33.0...v1.33.1 See also: coreos/fedora-coreos-pipeline#352
This fixes a bug where the plugin rejects a webhook payload that came from GitHub due to an incorrect signature, although the secret token is configured correctly in Jenkins and in the GitHub repo/org settings.
It turned out that the signature was generated incorrectly when Unicode characters were used in the repo's description (in our case it was the ™ character).
I have a concern about using an already deprecated method in new code, but the alternative is to add a new dependency to pom.xml (apache-commons.text).
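The failure mode the PR describes, as an added example that is not the plugin's code: GitHub computes the X-Hub-Signature header as an HMAC over the exact bytes of the delivery body, so the receiver has to verify over those same raw bytes. The Python below builds a constructed payload with a ™ in the repository description, verifies it correctly over the raw bytes in constant time, and then recomputes the signature over two transformed copies of the body (re-serialising the JSON, which escapes non-ASCII to \uXXXX, and mis-decoding UTF-8 as ISO-8859-1). Both transformations still verify for a pure-ASCII payload and fail as soon as a non-ASCII character appears, which is exactly the symptom reported here. The secret and payload are made up, and the two transformations illustrate the bug class rather than state what the plugin actually did.

```python
import hashlib
import hmac
import json

# Constructed sample data (not a real GitHub delivery): a shared secret and a
# push-style payload whose repository description contains the ™ character.
SECRET = b"example-webhook-secret"
RAW_BODY = json.dumps(
    {
        "ref": "refs/heads/master",
        "repository": {"name": "demo", "description": "Demo™ repository"},
    },
    ensure_ascii=False,
).encode("utf-8")

# Header names and digest algorithms GitHub uses for webhook signatures.
ALGORITHMS = {"sha1": hashlib.sha1, "sha256": hashlib.sha256}


def github_signature(secret: bytes, body: bytes, algorithm: str = "sha1") -> str:
    """Build the value GitHub sends in X-Hub-Signature ('sha1=<hex>') or
    X-Hub-Signature-256 ('sha256=<hex>'): an HMAC over the raw body bytes."""
    digest = hmac.new(secret, body, ALGORITHMS[algorithm]).hexdigest()
    return f"{algorithm}={digest}"


def verify_signature(secret: bytes, body: bytes, header: str) -> bool:
    """Verify a delivery the way a receiver should: over the body bytes exactly
    as read from the request, with a constant-time comparison, and without
    decoding, re-serialising or unescaping the payload first."""
    algorithm, sep, _ = header.partition("=")
    if not sep or algorithm not in ALGORITHMS:
        return False
    expected = github_signature(secret, body, algorithm)
    # compare_digest on bytes avoids both timing leaks and the TypeError that
    # str comparison raises if the header ever contains non-ASCII characters.
    return hmac.compare_digest(expected.encode("ascii"), header.encode("utf-8", "replace"))


def verify_after_reserialising(secret: bytes, body: bytes, header: str) -> bool:
    """Mismatch pattern 1: parse the JSON and serialise it again before signing.
    json.dumps escapes non-ASCII to \\uXXXX by default, so the signed bytes
    differ from what GitHub signed whenever the payload holds Unicode."""
    reserialised = json.dumps(json.loads(body)).encode("utf-8")
    return verify_signature(secret, reserialised, header)


def verify_after_mis_decoding(secret: bytes, body: bytes, header: str) -> bool:
    """Mismatch pattern 2: read the UTF-8 body as ISO-8859-1 (a common servlet
    default when no charset is applied), then encode the string back to UTF-8.
    Every multi-byte character is re-encoded differently, so the HMAC changes."""
    mangled = body.decode("iso-8859-1").encode("utf-8")
    return verify_signature(secret, mangled, header)


if __name__ == "__main__":
    header = github_signature(SECRET, RAW_BODY)
    print("raw bytes        :", verify_signature(SECRET, RAW_BODY, header))
    print("re-serialised    :", verify_after_reserialising(SECRET, RAW_BODY, header))
    print("mis-decoded      :", verify_after_mis_decoding(SECRET, RAW_BODY, header))
```

The two "mismatch" helpers exist only to show why an ASCII-only test suite never catches this class of bug: run them on a body with no non-ASCII characters and both verify fine, so a signature check that quietly transforms the body looks correct until the first repository with a ™ or an accented name sends a webhook.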