  1. Bamboo Data Center
  2. BAM-16119

Clicking on a commit author's name when it's not connected to a user is causing an error page

    Description

      In some pages, Bamboo shows the authors of commits, even if they're not local users. If they're not associated with a user, they are shown like this:

      We can see it follows this pattern:
      Display name <user@domain.com>

      When clicking this user, we get this 'Internal Server Error Page':

      The following stacktrace is shown:

      java.lang.IllegalArgumentException: Dangerous string detected: /builds//authors/viewAuthor.action?authorName=unknown <user@domain.com>
      	at com.atlassian.bamboo.util.RequestCacheThreadLocal.assertNoXss(RequestCacheThreadLocal.java:157)
      	at com.atlassian.bamboo.util.RequestCacheThreadLocal.putHttpRequest(RequestCacheThreadLocal.java:145)
      	at com.atlassian.bamboo.util.RequestCacheThreadLocal.setRequestCache(RequestCacheThreadLocal.java:53)
      	at com.atlassian.bamboo.filter.RequestCacheThreadLocalFilter.doFilter(RequestCacheThreadLocalFilter.java:31)
      	at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235)
      	at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
      	at com.atlassian.core.filters.HeaderSanitisingFilter.doFilter(HeaderSanitisingFilter.java:32)
      	at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235)
      	at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
      	at com.atlassian.plugin.servlet.filter.IteratingFilterChain.doFilter(IteratingFilterChain.java:46)
      	at com.atlassian.plugin.servlet.filter.DelegatingPluginFilter$1.doFilter(DelegatingPluginFilter.java:70)
      

      Since it says it's a 'Dangerous string detected', it seems that the URL is the problem. The accessed URL is as follows:

      https://instance.atlassian.net/builds/browse/author/Display%20Name%20<user@domain.com>
      

      We can see that the URL contains the '<' and '>' characters. Maybe these are badly interpreted by Bamboo.

      Steps to Reproduce

      1. Have a plan connected to a repository in Bamboo
      2. Commit to the repository with a user that doesn't exist in Bamboo (and is not associated with any); the plan will run a build
      3. This user will appear in many pages in Bamboo as the commit author (it will have a '<' and '>' in its name); you can find it in the build page under 'Commits', for example. Once found, click it

      Expected Behavior

      • Either some information about the user is shown or a message saying it doesn't exist in Bamboo

      Actual Behavior

      • An Internal Server Error Page is shown
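
The author string in this report passes through two contexts in a link: the URL path and the HTML that displays it. The sketch below is an added example, not Bamboo's code or its fix; it encodes the value separately for each context so '<' and '>' never appear raw in either. The class and method names are hypothetical, and the path prefix is copied from the URL quoted above.

```java
import java.net.URLDecoder;
import java.net.URLEncoder;
import java.nio.charset.StandardCharsets;

// Added illustration, not Bamboo code. Class and method names are hypothetical.
public class AuthorLink {
    // Path prefix as it appears in the URL quoted in the report.
    static final String AUTHOR_PATH = "/builds/browse/author/";

    // Percent-encode a value for use as one URL path segment.
    // URLEncoder emits form encoding, so '+' (an encoded space) becomes %20;
    // a literal '+' in the input has already been turned into %2B.
    static String encodeSegment(String value) {
        return URLEncoder.encode(value, StandardCharsets.UTF_8).replace("+", "%20");
    }

    // Escape a value for HTML text and double-quoted attribute contexts.
    static String escapeHtml(String value) {
        StringBuilder out = new StringBuilder(value.length() + 16);
        for (char c : value.toCharArray()) {
            switch (c) {
                case '&': out.append("&amp;"); break;
                case '<': out.append("&lt;"); break;
                case '>': out.append("&gt;"); break;
                case '"': out.append("&quot;"); break;
                case '\'': out.append("&#39;"); break;
                default: out.append(c);
            }
        }
        return out.toString();
    }

    // Build the anchor: URL encoding for the href, HTML escaping for both contexts.
    static String authorAnchor(String author) {
        String href = AUTHOR_PATH + encodeSegment(author);
        return "<a href=\"" + escapeHtml(href) + "\">" + escapeHtml(author) + "</a>";
    }

    public static void main(String[] args) {
        // Constructed sample following the pattern shown in the report.
        String author = "Display name <user@domain.com>";
        String segment = encodeSegment(author);
        System.out.println(segment);
        System.out.println(authorAnchor(author));
        // The server side recovers the original author string from the path segment.
        System.out.println(URLDecoder.decode(segment, StandardCharsets.UTF_8).equals(author));
    }
}
```

Whether Bamboo's check inspects the raw or the decoded request value is not stated in this report, so the sketch shows only the link-generation side.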

      Attachments

        1. error_page.png (104 kB)
        2. branch_author.png (67 kB)

            People

              moles Marcin Oles
              jsilveira Jaime S