Remove BeanBuilder.loadBeans(String) #4838

Merged
merged 1 commit into from
Jul 10, 2020

jeffret-b
Contributor

Remove the unused method BeanBuilder.loadBeans(String). I've checked that the message is unused via grep and usage-in-plugins. Nothing in core references it either.

Rather than just deprecating it, this method needs to be removed so that no one uses it. The implementation connects with CVE-2014-3578. The method itself has the same flaws, without any protections or examples of how it might be safely used.

No tests are needed for removing this unused method.

Proposed changelog entries

  • Developer: Remove method BeanBuilder.loadBeans(String).

Proposed upgrade guidelines

N/A

Submitter checklist

  • [n/a] (If applicable) Jira issue is well described
  • Changelog entries and upgrade guidelines are appropriate for the audience affected by the change (users or developer, depending on the change). Examples
    • Fill-in the Proposed changelog entries section only if there are breaking changes or other changes which may require extra steps from users during the upgrade
  • Appropriate autotests or explanation to why this change has no tests
  • [n/a] For dependency updates: links to external changelogs and, if possible, full diffs

Desired reviewers

@mention

Maintainer checklist

Before the changes are marked as ready-for-merge:

  • There are at least 2 approvals for the pull request and no outstanding requests for change
  • Conversations in the pull request are over OR it is explicit that a reviewer does not block the change
  • Changelog entries in the PR title and/or Proposed changelog entries are correct
  • Proper changelog labels are set so that the changelog can be generated automatically
  • [n/a] If the change needs additional upgrade steps from users, upgrade-guide-needed label is set and there is a Proposed upgrade guidelines section in the PR title. (example)
  • [n/a] If it would make sense to backport the change to LTS, a Jira issue must exist, be a Bug or Improvement, and be labeled as lts-candidate to be considered (see query).

This method is unused in the Jenkins ecosystem.
It is potentially problematic and dangerous.
@jeffret-b jeffret-b added the developer Changes which impact plugin developers label Jul 8, 2020
Member

@jvz jvz left a comment

I found no usages of this method (usage-in-plugins search).

Member

@daniel-beck daniel-beck left a comment

🔥 🔥 🔥 BURNINATE 🔥 🔥 🔥

@jeffret-b
Contributor Author

There are enough approvals. Might as well start the countdown. I'll mark as ready-for-merge and then it can be merged after the usual time period unless there are any concerns raised.

@jeffret-b jeffret-b added the ready-for-merge The PR is ready to go, and it will be merged soon if there is no negative feedback label Jul 8, 2020
@daniel-beck daniel-beck added the plugin-api-changes Changes the API of Jenkins available for use in plugins. label Jul 8, 2020
@jeffret-b
Contributor Author

This is ready to go now.

@timja timja merged commit 4e5d743 into jenkinsci:master Jul 10, 2020
@daniel-beck daniel-beck added the removed This PR removes a feature or a public API label Jul 28, 2020
Labels

  • developer: Changes which impact plugin developers
  • plugin-api-changes: Changes the API of Jenkins available for use in plugins.
  • ready-for-merge: The PR is ready to go, and it will be merged soon if there is no negative feedback
  • removed: This PR removes a feature or a public API

5 participants