
updated for CSP compatibility: eval call in datasource-{min,debug}.js #9090

Open. Wants to merge 1 commit into base: master.

Conversation

pyther-hub

See JENKINS-71519.
The code was modified where eval was utilized because it's discouraged to utilize eval for interpreting a string as JavaScript code.

Testing done

Proposed changelog entries

  • JENKINS-XXXXX, human-readable text

Proposed upgrade guidelines

N/A

Submitter checklist

  1. The Jira issue, if it exists, is well-described.
  2. The changelog entries and upgrade guidelines are appropriate for the audience affected by the change (users or developers, depending on the change) and are in the imperative mood (see examples). Fill in the Proposed upgrade guidelines section only if there are breaking changes or changes that may require extra steps from users during upgrade.
  3. There is automated testing or an explanation as to why this change has no tests.
  4. New public classes, fields, and methods are annotated with @Restricted or have @since TODO Javadocs, as appropriate.
  5. New deprecations are annotated with @Deprecated(since = "TODO") or @Deprecated(forRemoval = true, since = "TODO"), if applicable.
  6. New or substantially changed JavaScript is not defined inline and does not call eval to ease future introduction of Content Security Policy (CSP) directives (see documentation).
  7. For dependency updates, there are links to external changelogs and, if possible, full differentials.
  8. For new APIs and extension points, there is a link to at least one consumer.

Desired reviewers

@mention

Before the changes are marked as ready-for-merge:

Maintainer checklist

  1. There are at least two (2) approvals for the pull request and no outstanding requests for change.
  2. Conversations in the pull request are over, or it is explicit that a reviewer is not blocking the change.
  3. Changelog entries in the pull request title and/or Proposed changelog entries are accurate, human-readable, and in the imperative mood.
  4. Proper changelog labels are set so that the changelog can be generated automatically.
  5. If the change needs additional upgrade steps from users, the upgrade-guide-needed label is set and there is a Proposed upgrade guidelines section in the pull request title (see example).
  6. If it would make sense to backport the change to LTS, a Jira issue must exist, be a Bug or Improvement, and be labeled as lts-candidate to be considered (see query).

welcome bot commented Mar 27, 2024

Yay, your first pull request towards Jenkins core was created successfully! Thank you so much!

A contributor will provide feedback soon. Meanwhile, you can join the chats and community forums to connect with other Jenkins users, developers, and maintainers.

@daniel-beck (Member)

@pyther-hub Thanks for your PR. Are you aware of current uses of this code and if so, could you provide links to them or instructions how to test them? eval is more permissive than JSON#parse, so this may break existing uses.

@pyther-hub (Author)

I attempted to locate some tests, but unfortunately I was unable to find any. As the issue clearly mentioned not using eval, I made the changes accordingly, and even going by the documentation I personally do not believe that there would be any issue with it. I would definitely try to find some tests for this.

@mawinter69 (Contributor)

Is the code with the eval ever reached with a modern browser?
I think we will always go into this block: else if(window.JSON && JSON.parse) { (lines 1064 and 1112, respectively).

@pyther-hub (Author)

@mawinter69, could you explain it a bit more?

@mawinter69 (Contributor)

See https://www.jenkins.io/doc/book/platform-information/support-policy-web-browsers/ for which browsers Jenkins supports.
Now according to https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Global_Objects/JSON all browsers that Jenkins supports have a global JSON object and the parse method.
So for them if(window.JSON && JSON.parse) will evaluate to true and we will never reach the eval code.
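
The two review points above, daniel-beck's question about whether JSON.parse is strict enough to break inputs the eval path accepted, and mawinter69's observation that the window.JSON && JSON.parse feature check means supported browsers never reach the eval branch, can be made concrete with a small script. The following is an added example and not code from this pull request or from Jenkins core; it assumes the legacy code used the common "(" + text + ")" eval idiom (the exact shape of the datasource.js code is not verified here), and the sample responses are constructed for illustration.

```javascript
// Added example, not Jenkins code. Contrasts the legacy eval-based parsing
// idiom (assumed "(" + text + ")" wrapping; the exact datasource.js code is
// not verified here) with the strict JSON.parse replacement, to show which
// inputs behave differently and why the feature check skips the eval path.

// Legacy idiom being replaced: the response text is executed as a JavaScript
// expression, so anything the JS grammar accepts is accepted (and run).
function legacyParse(text) {
  // eslint-disable-next-line no-eval
  return eval("(" + text + ")");
}

// Replacement: only the JSON grammar is accepted; anything else throws.
function strictParse(text) {
  return JSON.parse(text);
}

// Mirrors the feature check quoted in the review. `scope` stands in for
// `window`; on every browser Jenkins supports a global JSON object with
// parse() exists, so the eval branch is never entered.
function hasNativeJson(scope) {
  return Boolean(scope.JSON && scope.JSON.parse);
}

// Classifies one input: "same" when both parsers agree, "rejected-by-json"
// when JSON.parse throws a SyntaxError (the inputs a stricter parser would
// break), "differs" if both parse but produce different values.
function classify(text) {
  let strict;
  try {
    strict = JSON.stringify(strictParse(text));
  } catch (e) {
    if (e instanceof SyntaxError) return "rejected-by-json";
    throw e;
  }
  const legacy = JSON.stringify(legacyParse(text));
  return strict === legacy ? "same" : "differs";
}

// Constructed sample responses: one strict-JSON document and several that
// only the eval path accepts (JavaScript-literal syntax and an expression).
const SAMPLES = {
  strictJson: '{"a": 1, "b": [1, 2], "c": null}',
  singleQuotes: "{'a': 1}",
  unquotedKey: "{a: 1}",
  trailingComma: '{"a": 1,}',
  expression: '{"n": 2 + 3}', // eval computes 5; JSON.parse rejects it
  comment: '{"a": 1 /* note */}',
};

// Runs every sample through classify() and returns a name -> verdict map.
function auditSamples(samples = SAMPLES) {
  const report = {};
  for (const [name, text] of Object.entries(samples)) {
    report[name] = classify(text);
  }
  return report;
}

if (typeof module !== "undefined" && require.main === module) {
  console.log("native JSON available:", hasNativeJson(globalThis));
  console.log(auditSamples());
}
```

Running the script shows that the strict-JSON document parses identically under both paths, while every JavaScript-only form is rejected by JSON.parse. That is the practical shape of the compatibility question: the replacement only changes behaviour for server responses that were never valid JSON, and since hasNativeJson() is true for all supported browsers, those responses were already going through JSON.parse there.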

@pyther-hub (Author)

Yes, I understand and agree with you. However, I believe it's important to address this for future considerations. If there are any changes, we should consider removing the 'eval'.
