Details
-
Bug
-
Resolution: Unresolved
-
Low
-
None
-
6.4.12, 7.5.1
-
6.04
-
6
-
Severity 2 - Major
-
1
-
Description
Summary
From troubleshooting PS-11297 we found that a 3rd party addon able to create an empty name custom field through the CachingCustomFieldManager (which is public API). JIRA does not appear to handle empty custom field names under normal use and throw NPE below.
atlassian-jira.log-java.lang.NullPointerException atlassian-jira.log- at java.lang.String$CaseInsensitiveComparator.compare(String.java:1192) atlassian-jira.log- at java.lang.String$CaseInsensitiveComparator.compare(String.java:1186) atlassian-jira.log- at java.util.TreeMap.getEntryUsingComparator(TreeMap.java:376) atlassian-jira.log- at java.util.TreeMap.getEntry(TreeMap.java:345) atlassian-jira.log- at java.util.TreeMap.containsKey(TreeMap.java:232) atlassian-jira.log- at java.util.TreeSet.contains(TreeSet.java:234) atlassian-jira.log- at java.util.Collections$UnmodifiableCollection.contains(Collections.java:1032) atlassian-jira.log- at com.atlassian.jira.issue.search.constants.SystemSearchConstants.isSystemName(SystemSearchConstants.java:404) atlassian-jira.log- at com.atlassian.jira.issue.search.ClauseNames.forCustomField(ClauseNames.java:74) atlassian-jira.log- at com.atlassian.jira.issue.fields.CustomFieldImpl.getClauseNames(CustomFieldImpl.java:392) atlassian-jira.log- at com.atlassian.jira.issue.customfields.searchers.UserPickerGroupSearcher.init(UserPickerGroupSearcher.java:122) atlassian-jira.log- at com.atlassian.jira.issue.customfields.searchers.UserPickerGroupSearcher.init(UserPickerGroupSearcher.java:51)
This cause gadget, issue navigator, issue pages, ServiceDesk page return a 500 error page.
2017-03-08 00:44:31,295 ListenableFutureAdapter-thread-35 WARN c_pcharb 44x4681x5 1czcfc7 216.82.251.234,172.18.11.188,172.18.12.171 /rest/dev-status/1.0/issue/summary [atlassian.jira.index.AccumulatingResultBuilder] com.atlassian.cache.CacheException: com.atlassian.cache.CacheException: java.lang.NullPointerException
Environment
- JIRA 6.4.10 + JEP 4.10.0
Steps to Reproduce
The following is to demonstrate that a 3rd party add-on is able to create an empty name field.
- sign in as non-administrator user
- and add "JEP - Total Resolutions per User Bar Chart" gadget
You will see the gadget returns 500 error in the dashboard
In the Administration >> Audit log, we see the non-admin user created a custom field the user created
In the database, it creates a null name custom field
jira6410000=# select customfieldtypekey, description, cfname from customfield where cfname is null;
customfieldtypekey | description | cfname
---------------------------------+----------------------------------------------------------------------------+--------
plugin.jep:last-resolution-user | This is a lookup field that displays the last user that resolved the issue |
(1 row)
Expected Result
JIRA should not allow an exposed API that allow 3rd party add on to create an empty name custom field
Actual Result
3rd party add on able to create empty name custom field that result in hours of outages.