Update Winstone to 8.1026.v31def012a_f48, add test confirming the CSP response header can be >30KB (jenkinsci#25901)

Co-authored-by: Daniel Beck <[email protected]>

Author: daniel-beck

pom.xml

@@ -98,7 +98,7 @@ THE SOFTWARE.
     <spotless.check.skip>false</spotless.check.skip>
     <ban-junit4-imports.skip>false</ban-junit4-imports.skip>
     <!-- Make sure to keep the jetty-ee9-maven-plugin version in war/pom.xml in sync with the Jetty release in Winstone: -->
-    <winstone.version>8.1023.v8b_42b_1b_79b_f7</winstone.version>
+    <winstone.version>8.1026.v31def012a_f48</winstone.version>
     <node.version>24.11.1</node.version>
   </properties>
 

test/src/test/java/jenkins/security/csp/WinstoneResponseHeaderLengthTest.java

@@ -0,0 +1,44 @@
+package jenkins.security.csp;
+
+import static org.hamcrest.MatcherAssert.assertThat;
+import static org.hamcrest.Matchers.containsString;
+import static org.hamcrest.Matchers.greaterThan;
+import static org.hamcrest.Matchers.hasLength;
+import static org.hamcrest.Matchers.is;
+
+import org.htmlunit.FailingHttpStatusCodeException;
+import org.htmlunit.WebClient;
+import org.htmlunit.html.HtmlPage;
+import org.junit.jupiter.api.Test;
+import org.junit.jupiter.api.extension.RegisterExtension;
+import org.jvnet.hudson.test.junit.jupiter.RealJenkinsExtension;
+
+public class WinstoneResponseHeaderLengthTest {
+
+    @RegisterExtension
+    public RealJenkinsExtension extension = new RealJenkinsExtension().addSyntheticPlugin(new RealJenkinsExtension.SyntheticPlugin(jenkins.security.csp.winstoneResponseHeaderLengthTest.ContributorImpl.class));
+
+    @Test
+    void testLength() throws Exception {
+        extension.startJenkins();
+        String lastHeader = "";
+        try (WebClient wc = new WebClient()) {
+            // Hopefully speed this up a bit:
+            wc.getOptions().setJavaScriptEnabled(false);
+            wc.getOptions().setCssEnabled(false);
+            wc.getOptions().setDownloadImages(false);
+            wc.getPage(extension.getUrl()); // request once outside try/catch to ensure it works in principle
+            try {
+                while (true) {
+                    final HtmlPage htmlPage = wc.getPage(extension.getUrl());
+                    lastHeader = htmlPage.getWebResponse().getResponseHeaderValue("Content-Security-Policy");
+                }
+            } catch (FailingHttpStatusCodeException e) {
+                assertThat(e.getStatusCode(), is(500));
+                assertThat(e.getResponse().getContentAsString(), containsString("Error 500 Response Header Fields Too Large"));
+
+                assertThat(lastHeader, hasLength(greaterThan(30_000)));
+            }
+        }
+    }
+}

test/src/test/java/jenkins/security/csp/winstoneResponseHeaderLengthTest/ContributorImpl.java

@@ -0,0 +1,28 @@
+package jenkins.security.csp.winstoneResponseHeaderLengthTest;
+
+import hudson.Extension;
+import jenkins.model.Jenkins;
+import jenkins.security.csp.Contributor;
+import jenkins.security.csp.CspBuilder;
+import jenkins.security.csp.Directive;
+
+public class ContributorImpl implements Contributor {
+    private int count = 0;
+
+    @Override
+    public void apply(CspBuilder cspBuilder) {
+        count++;
+        for (int i = 0; i < count; i++) {
+            cspBuilder.add(Directive.IMG_SRC, "img" + i + ".example.com");
+        }
+    }
+
+    @Extension
+    public static ContributorImpl getInstance() {
+        // Only load this extension if it's in the synthetic plugin, otherwise it will affect other tests
+        if (Jenkins.get().getPluginManager().whichPlugin(ContributorImpl.class) == null) {
+            return null;
+        }
+        return new ContributorImpl();
+    }
+}