New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
[JENKINS-70931] Remove Prototype Ajax.Request
usages from hudson-behavior.js
#7951
Conversation
df81a05
to
8eae594
Compare
Ajax.Request
usages from hudson-behavior.js
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Fine with me pending the one issue I opened.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Fine but there are still a lot of checkMethod="post"
usages in plugins (including proprietary plugins) so maybe we should add a developer changelog entry and/or log a warning instructing the plugin developer to remove the dead code.
…or.js Co-authored-by: Basil Crow <me@basilcrow.com>
ed2df1c
to
3c890bd
Compare
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Looks fine to me security wise
@@ -94,89 +77,4 @@ public void onlyAdminCanReachTheDoCheck() throws Exception { | |||
userWc.login(USER); | |||
assertEquals(HttpURLConnection.HTTP_FORBIDDEN, userWc.getPage(request).getWebResponse().getStatusCode()); | |||
} | |||
|
|||
@Test | |||
@Issue("SECURITY-794") |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Why is this removed? Not relevant anymore?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
It was a very hacky test relying on internals of htmlunit which changed when switching to fetch I wasn’t able to replicate it and it didn’t seem like a critical test
/label ready-for-merge This PR is now ready for merge, after ~24 hours, we will merge it if there's no negative feedback. Thanks! |
Yeah that could be pretty useful. Also, have you looked for plugins expecting to have |
I have checked, it’s in a comment here and like you I found no results |
Fixed |
@@ -228,50 +228,73 @@ var FormChecker = { | |||
* @param url | |||
* Remote doXYZ URL that performs the check. Query string should include the field value. | |||
* @param method | |||
* HTTP method. GET or POST. I haven't confirmed specifics, but some browsers seem to cache GET requests. | |||
* Unused, kept to maintain compatibility with the old signature. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
matrix-auth
and azure-ad
call this with "GET". This changes the existing behavior. Not sure there is a valid justification for that.
If there is a valid justification for changing the existing behavior, then this calling convention is pretty ugly. Better to define a new two-argument method and deprecate the three-argument one, logging a warning if anyone is still calling the three-argument version and filing PRs to update consumers.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
JavaScript doesn't have function overloading.
https://stackoverflow.com/questions/456177/function-overloading-in-javascript-best-practices
We're stuck with that function with that name.
We could create a new function with a new name and use an object for parameters to make it more flexible in future
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Still not sure there is a valid justification for changing the existing behavior.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
core 2.285 changed the default to post, these 2 would have been missed by accident as they will be the only consumers calling it directly.
anyway I've added some compat so they will be able to set GET for now and will file separate PRs to switch them to post if that's okay?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
This PR contains two unrelated changes and is too difficult for me to review. Requesting any changes related to the deprecation of checkMethod
to be split into a separate PR.
Still failing ATH as far as I can tell. |
Code looks good. Once this gets a passing ATH run (or at least one that is no worse than trunk builds) I will be ready to approve this. |
ATH passed so this is good to go from my perspective. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Thanks for your hard work cleaning up this patch and getting ATH to pass!
This PR is now ready for merge. We will merge it after approximately 24 hours if there is no negative feedback. Please see the merge process documentation for more information about the merge process. Thanks!
var idx = url.indexOf("?"); | ||
params.parameters = url.substring(idx + 1); | ||
url = url.substring(0, idx); | ||
} | ||
new Ajax.Request(url, params); | ||
|
||
const parsedUrl = method === "get" ? `${url}?${params.parameters}` : url; |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
This is a breaking change when the request method is GET
, as params.parameters
is undefined.
matrix-auth
:
(The ]
is from the internal format of form validation requested in the plugin. The original url
looks like /jenkins/manage/descriptorByName/hudson.security.ProjectMatrixAuthorizationStrategy/checkName?value=%5BUSER%3AtheUsername%5D
)
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
👉 #7986
@@ -242,36 +242,65 @@ var FormChecker = { | |||
}, | |||
|
|||
sendRequest: function (url, params) { |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I realize I'm late to the party, but are we cool with breaking this function? It's used in plugins and the response
parameter in onComplete
having no responseText
is a bit of a surprise to all the scripts.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Could you clarify what's being broken? What scripts?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
JENKINS-71741 FTR
See JENKINS-70931.
Testing done
FormChecker has been tested with the timezone field on the user configuration page.
On page load a doCheck with no attributes is done and works, and then when selecting other timezones it also works
Help fetching has been tested by putting a breakpoint on the code and then clicking help buttons, breakpoint was hit and help areas were loaded.
Lazy map was tested by going to the build time trend and seeing the breakpoint hit on page load and the page looked correct.
Stop button by adding a breakpoint on the code, starting a freestyle build, ensuring the breakpoint was hit and that it behaved as expected.
descriptionForm by editing a freestyle project description, putting a breakpoint ensuring the code was executed behaving as expected
refreshPart was tested by adding a breakpoint and making sure it was hit when executors updated.
validateButton was tested by clicking test connection on the slack plugins global configuration, ensuring breakpoint was hit and it behaved as expected
Proposed changelog entries
Proposed upgrade guidelines
N/A
Submitter checklist
@Restricted
or have@since TODO
Javadocs, as appropriate.@Deprecated(since = "TODO")
or@Deprecated(forRemoval = true, since = "TODO")
, if applicable.eval
to ease future introduction of Content Security Policy (CSP) directives (see documentation).Desired reviewers
@mention
Maintainer checklist
Before the changes are marked as
ready-for-merge
:upgrade-guide-needed
label is set and there is a Proposed upgrade guidelines section in the pull request title (see example).lts-candidate
to be considered (see query).