Conversation

@daniel-beck daniel-beck commented Nov 24, 2025

Fixes #18688

With CSP protection enabled (https://plugins.jenkins.io/csp/ or #11269), so that script-src does not allow 'unsafe-inline', it is not possible to regenerate a legacy API token. In new instances, this token has been disabled by default for many years.

[Screenshot 2025-11-24 at 18 19 42]

The reason is a seemingly undocumented feature of f:validateButton: If you provide an inline script in the script HTTP response header to the validation method, that script is executed:

```javascript
// Legacy behaviour in f:validateButton: an inline script supplied via the
// `script` response header is evaluated, which a CSP without 'unsafe-inline' blocks.
var s = rsp.headers.get("script");
try {
  geval(s);
} catch (e) {
  window.alert("failed to evaluate " + s + "\n" + e.message);
}
```

There seem to be just two plugins (gitlab-plugin and gitee) and this core functionality using this feature.

This PR adds a new, equally undocumented feature: Set the X-Jenkins-ValidateButton-Callback HTTP response header to a JSON object with the String callback and the list arguments to have a global function of that name be invoked with those arguments.

Testing done

Manually generated a token while the CSP plugin was installed and "Report Only" was unchecked; it worked as if there was no CSP enforcement.

Proposed changelog entries

  • Bugfix: Make "Change API Token" for legacy API tokens work when Content Security Policy is enforced and prohibits inline JavaScript.
  • Developer: Add X-Jenkins-ValidateButton-Callback (a JSON object with callback and arguments keys) as a replacement for the CSP-incompatible script HTTP response header for f:validateButton.

Proposed changelog category

/label

Proposed upgrade guidelines

N/A

Submitter checklist

  • The Jira issue, if it exists, is well-described.
  • The changelog entries and upgrade guidelines are appropriate for the audience affected by the change (users or developers, depending on the change) and are in the imperative mood (see examples). Fill in the Proposed upgrade guidelines section only if there are breaking changes or changes that may require extra steps from users during upgrade.
  • There is automated testing or an explanation as to why this change has no tests.
  • New public classes, fields, and methods are annotated with @Restricted or have @since TODO Javadocs, as appropriate.
  • New deprecations are annotated with @Deprecated(since = "TODO") or @Deprecated(forRemoval = true, since = "TODO"), if applicable.
  • UI changes do not introduce regressions when enforcing the current default rules of Content Security Policy Plugin. In particular, new or substantially changed JavaScript is not defined inline and does not call eval to ease future introduction of Content Security Policy (CSP) directives (see documentation).
  • For dependency updates, there are links to external changelogs and, if possible, full differentials.
  • For new APIs and extension points, there is a link to at least one consumer.

Desired reviewers

@mention

Before the changes are marked as ready-for-merge:

Maintainer checklist

  • There are at least two (2) approvals for the pull request and no outstanding requests for change.
  • Conversations in the pull request are over, or it is explicit that a reviewer is not blocking the change.
  • Changelog entries in the pull request title and/or Proposed changelog entries are accurate, human-readable, and in the imperative mood.
  • Proper changelog labels are set so that the changelog can be generated automatically.
  • If the change needs additional upgrade steps from users, the upgrade-guide-needed label is set and there is a Proposed upgrade guidelines section in the pull request title (see example).
  • If it would make sense to backport the change to LTS, a Jira issue must exist, be a Bug or Improvement, and be labeled as lts-candidate to be considered (see query).
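An added example (not Jenkins core's code and not part of this PR) showing how a client could dispatch the X-Jenkins-ValidateButton-Callback header described above without eval: parse the JSON, require a string `callback` and an array `arguments`, and invoke only an own, function-valued global via Function.prototype.apply(). The `globals` parameter, the response object and the function names are assumptions so it runs outside a browser.

```javascript
// Added example, not Jenkins core's implementation: a CSP-compatible dispatcher
// for the X-Jenkins-ValidateButton-Callback response header, replacing the
// evaluation of the legacy `script` header with geval().
const CALLBACK_HEADER = "X-Jenkins-ValidateButton-Callback";

// Parse the header value into { callback, arguments }, or null if malformed.
// Expected shape: a JSON object with a string `callback` and, optionally,
// an array `arguments` (defaults to []).
function parseCallbackHeader(value) {
  if (typeof value !== "string" || value === "") return null;
  let parsed;
  try { parsed = JSON.parse(value); } catch (e) { return null; }
  if (parsed === null || typeof parsed !== "object" || Array.isArray(parsed)) return null;
  if (typeof parsed.callback !== "string") return null;
  const args = parsed.arguments === undefined ? [] : parsed.arguments;
  if (!Array.isArray(args)) return null;
  return { callback: parsed.callback, arguments: args };
}

// Invoke the named global. `globals` stands in for `window` (assumed parameter
// so the example runs under Node). Only an own property that is a function is
// callable: inherited names such as "constructor" are refused, and no code from
// the response is ever evaluated; only a name is looked up.
function dispatchCallback(headerValue, globals) {
  const spec = parseCallbackHeader(headerValue);
  if (spec === null) return { invoked: false, reason: "malformed header" };
  if (!Object.prototype.hasOwnProperty.call(globals, spec.callback)) {
    return { invoked: false, reason: "unknown callback" };
  }
  const fn = globals[spec.callback];
  if (typeof fn !== "function") return { invoked: false, reason: "not a function" };
  // Function.prototype.apply(), as the merged commit message mentions, instead of eval.
  return { invoked: true, result: fn.apply(null, spec.arguments) };
}

// Mirrors the `rsp.headers.get(...)` shape used by the legacy snippet in the PR.
function handleValidationResponse(rsp, globals) {
  return dispatchCallback(rsp.headers.get(CALLBACK_HEADER), globals);
}

// Constructed sample: a validation response naming a hypothetical global.
const sampleGlobals = {
  showNewToken: (tokenName, tokenValue) => tokenName + "=" + tokenValue,
};
const sampleResponse = {
  headers: new Map([[CALLBACK_HEADER,
    JSON.stringify({ callback: "showNewToken", arguments: ["legacy", "t0k3n"] })]]),
};
```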

@daniel-beck daniel-beck added bug For changelog: Minor bug. Will be listed after features developer Changes which impact plugin developers labels Nov 24, 2025
@daniel-beck daniel-beck added the squash-merge-me Unclean or useless commit history, should be merged only with squash-merge label Nov 24, 2025
@timja timja left a comment

Would be better for this to be removed, but if it works, good for now.

timja commented Nov 25, 2025

/label ready-for-merge


This PR is now ready for merge; after ~24 hours, we will merge it if there's no negative feedback.

Thanks!

@comment-ops-bot comment-ops-bot bot added the ready-for-merge The PR is ready to go, and it will be merged soon if there is no negative feedback label Nov 25, 2025
timja commented Nov 25, 2025

(linked #18688 to close on merge)

@MarkEWaite MarkEWaite merged commit d902c89 into jenkinsci:master Nov 28, 2025
19 checks passed
@daniel-beck daniel-beck deleted the validateButton-callback-legacy-api-token branch December 2, 2025 09:54
daniel-beck commented Dec 2, 2025

> Would be better for this to be removed, but if it works, good for now.

FWIW I've changed both plugins' PRs to not use either iteration of this feature. This way no new Jenkins core dependency is required for them either. So the only remaining known use of this feature would be in core.

karthikbhandary2 pushed a commit to karthikbhandary2/jenkins that referenced this pull request Dec 4, 2025
…re (jenkinsci#20345)

* Add CSP-compliant variant of undocumented validateButton script feature

* Prettier / eslint

* Use Function.prototype.apply() as hopefully HTMLUnit compatible alternative

---------

Co-authored-by: Daniel Beck <[email protected]>
Development

Successfully merging this pull request may close these issues.

[JENKINS-71520] [core] CSP compatibility: geval calls in hudson-behaviour.js