Details
- Bug
- Resolution: Done
- Low
- 5.10-OD-01
- Severity 3 - Minor
Description
In some pages, Bamboo shows the authors of commits even if they are not local users. If they are not associated with a Bamboo user, they are shown like this:
We can see that it follows this pattern:
Display name <user@domain.com>
When clicking this user, we get this 'Internal Server Error Page':
The following stacktrace is shown:
java.lang.IllegalArgumentException: Dangerous string detected: /builds//authors/viewAuthor.action?authorName=unknown <user@domain.com>
    at com.atlassian.bamboo.util.RequestCacheThreadLocal.assertNoXss(RequestCacheThreadLocal.java:157)
    at com.atlassian.bamboo.util.RequestCacheThreadLocal.putHttpRequest(RequestCacheThreadLocal.java:145)
    at com.atlassian.bamboo.util.RequestCacheThreadLocal.setRequestCache(RequestCacheThreadLocal.java:53)
    at com.atlassian.bamboo.filter.RequestCacheThreadLocalFilter.doFilter(RequestCacheThreadLocalFilter.java:31)
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235)
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
    at com.atlassian.core.filters.HeaderSanitisingFilter.doFilter(HeaderSanitisingFilter.java:32)
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235)
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
    at com.atlassian.plugin.servlet.filter.IteratingFilterChain.doFilter(IteratingFilterChain.java:46)
    at com.atlassian.plugin.servlet.filter.DelegatingPluginFilter$1.doFilter(DelegatingPluginFilter.java:70)
Since it says it's a 'Dangerous string detected', it seems that the URL is the problem. The accessed URL is as follows:
https://instance.atlassian.net/builds/browse/author/Display%20Name%20<user@domain.com>
We can see that the URL contains the raw '<' and '>' characters, which are what the request filter rejects. Maybe these are badly interpreted by Bamboo.
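As an added illustration (not code from this report or from Bamboo), the following Python snippet models the failure mode described above and the usual fix. It assumes a simplified request guard that rejects a raw '<' or '>' anywhere in the request target (a stand-in for the assertNoXss check in the stack trace, not Bamboo's real rule set), and it compares a link built the way the reported URL looks (spaces encoded, angle brackets left raw) with one whose author-name segment is fully percent-encoded, which passes the guard and still decodes back to the original display name on the server side.

```python
from urllib.parse import quote, unquote, urlencode, parse_qs, urlsplit

# Assumption: the request guard treats a raw '<' or '>' in the request target
# as dangerous. This models the behaviour visible in the stack trace; it is
# not Bamboo's actual implementation.
DANGEROUS_CHARS = frozenset("<>")


def looks_dangerous(request_target: str) -> bool:
    """Return True if the raw request target contains an angle bracket."""
    return any(ch in DANGEROUS_CHARS for ch in request_target)


def author_link_raw(author_name: str) -> str:
    """Link built the way the reported URL looks: spaces encoded, '<' and '>' raw."""
    return "/builds/browse/author/" + author_name.replace(" ", "%20")


def author_link_safe(author_name: str) -> str:
    """Percent-encode every reserved character in the path segment.

    safe="" also encodes '/' and '@', so the whole display name becomes one
    opaque path segment and no raw '<' or '>' reaches the request filter.
    """
    return "/builds/browse/author/" + quote(author_name, safe="")


def author_query_safe(author_name: str) -> str:
    """Same idea for the query-string form seen in the stack trace."""
    return "/builds/authors/viewAuthor.action?" + urlencode({"authorName": author_name})


def author_from_path(request_path: str) -> str:
    """What a handler recovers after decoding the last path segment."""
    return unquote(request_path.rsplit("/", 1)[1])


def author_from_query(request_target: str) -> str:
    """What a handler recovers from the decoded authorName query parameter."""
    return parse_qs(urlsplit(request_target).query)["authorName"][0]


# Constructed sample author, same shape as the one in the report.
AUTHOR = "Display Name <user@domain.com>"

if __name__ == "__main__":
    for label, link in (("raw", author_link_raw(AUTHOR)),
                        ("encoded path", author_link_safe(AUTHOR)),
                        ("encoded query", author_query_safe(AUTHOR))):
        verdict = "rejected" if looks_dangerous(link) else "accepted"
        print(f"{label:13s} {verdict}: {link}")
    print("decoded path  :", author_from_path(author_link_safe(AUTHOR)))
    print("decoded query :", author_from_query(author_query_safe(AUTHOR)))
```

The raw link is rejected by the guard, while both encoded forms are accepted and round-trip to the original "Display Name <user@domain.com>", so the page can keep the guard as a defence and still link to unmapped commit authors.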
Steps to Reproduce
- Have a plan connected to a repository in Bamboo
- Commit to the repository as a user that doesn't exist in Bamboo (and is not associated with any Bamboo user); the plan will run a build
- This user will appear in many pages in Bamboo as the commit author (its name will contain '<' and '>'); you can find it in the build page under 'Commits', for example. Once found, click it
Expected Behavior
- Either some information about the user is shown or a message saying it doesn't exist in Bamboo
Actual Behavior
- An Internal Server Error Page is shown