Jira Data Center / JRASERVER-64957

CachingCustomFieldManager allows creation of custom field with empty name


Details

    Description

      Summary

      From troubleshooting PS-11297 we found that a 3rd party add-on is able to create a custom field with an empty name through the CachingCustomFieldManager (which is public API). JIRA does not appear to handle empty custom field names under normal use and throws the NPE below.

      atlassian-jira.log-java.lang.NullPointerException
      atlassian-jira.log-     at java.lang.String$CaseInsensitiveComparator.compare(String.java:1192)
      atlassian-jira.log-     at java.lang.String$CaseInsensitiveComparator.compare(String.java:1186)
      atlassian-jira.log-     at java.util.TreeMap.getEntryUsingComparator(TreeMap.java:376)
      atlassian-jira.log-     at java.util.TreeMap.getEntry(TreeMap.java:345)
      atlassian-jira.log-     at java.util.TreeMap.containsKey(TreeMap.java:232)
      atlassian-jira.log-     at java.util.TreeSet.contains(TreeSet.java:234)
      atlassian-jira.log-     at java.util.Collections$UnmodifiableCollection.contains(Collections.java:1032)
      atlassian-jira.log-     at com.atlassian.jira.issue.search.constants.SystemSearchConstants.isSystemName(SystemSearchConstants.java:404)
      atlassian-jira.log-     at com.atlassian.jira.issue.search.ClauseNames.forCustomField(ClauseNames.java:74)
      atlassian-jira.log-     at com.atlassian.jira.issue.fields.CustomFieldImpl.getClauseNames(CustomFieldImpl.java:392)
      atlassian-jira.log-     at com.atlassian.jira.issue.customfields.searchers.UserPickerGroupSearcher.init(UserPickerGroupSearcher.java:122)
      atlassian-jira.log-     at com.atlassian.jira.issue.customfields.searchers.UserPickerGroupSearcher.init(UserPickerGroupSearcher.java:51) 
      

      This causes gadgets, the issue navigator, issue pages and ServiceDesk pages to return a 500 error page.

      2017-03-08 00:44:31,295 ListenableFutureAdapter-thread-35 WARN c_pcharb 44x4681x5 1czcfc7 216.82.251.234,172.18.11.188,172.18.12.171 /rest/dev-status/1.0/issue/summary [atlassian.jira.index.AccumulatingResultBuilder] com.atlassian.cache.CacheException: com.atlassian.cache.CacheException: java.lang.NullPointerException
      

      Environment

      • JIRA 6.4.10 + JEP 4.10.0

      Steps to Reproduce

      The following demonstrates that a 3rd party add-on is able to create a field with an empty name.

      1. Sign in as a non-administrator user.
      2. Add the "JEP - Total Resolutions per User Bar Chart" gadget.

      You will see that the gadget returns a 500 error in the dashboard.

      In Administration >> Audit log, we see that the non-admin user created a custom field.

      In the database, it creates a custom field with a null name:

      jira6410000=# select customfieldtypekey, description, cfname from customfield where cfname is null;
             customfieldtypekey        |                                description                                 | cfname
      ---------------------------------+----------------------------------------------------------------------------+--------
       plugin.jep:last-resolution-user | This is a lookup field that displays the last user that resolved the issue |
      (1 row) 
      

      Expected Result

      JIRA should not expose an API that allows a 3rd party add-on to create a custom field with an empty name.

      Actual Result

      A 3rd party add-on is able to create a custom field with an empty name, which results in hours of outages.

      Attachments

        1. 500.png
          53 kB
          vkharisma
        2. jep-audit.png
          51 kB
          vkharisma

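The failure mode in the stack trace, reproduced as an added example that is not code from Jira or from the add-on: a case-insensitive `TreeSet` wrapped in an unmodifiable collection throws `NullPointerException` when asked whether it contains `null`, and a name check applied before field creation prevents that value from being stored. The class name, the sample system names and `requireValidName` are hypothetical and constructed for illustration.

```java
import java.util.Arrays;
import java.util.Collection;
import java.util.Collections;
import java.util.TreeSet;

public class CustomFieldNameGuard {

    // Constructed stand-in for the case-insensitive system-name set seen in the stack trace.
    private static final Collection<String> SYSTEM_NAMES;
    static {
        TreeSet<String> names = new TreeSet<>(String.CASE_INSENSITIVE_ORDER);
        names.addAll(Arrays.asList("summary", "status", "assignee"));
        SYSTEM_NAMES = Collections.unmodifiableCollection(names);
    }

    // Same shape as the failing lookup: a null argument reaches the comparator and throws.
    static boolean isSystemName(String name) {
        return SYSTEM_NAMES.contains(name);
    }

    // Hypothetical guard to run before a name is handed to any field-creation call.
    // Only null triggers the NPE above; blank names are rejected as well because
    // the report's expected result is that empty names are not allowed.
    static String requireValidName(String name) {
        if (name == null || name.trim().isEmpty()) {
            throw new IllegalArgumentException("custom field name must not be null or blank");
        }
        return name.trim();
    }

    public static void main(String[] args) {
        try {
            isSystemName(null);
        } catch (NullPointerException e) {
            System.out.println("unguarded lookup: NullPointerException");
        }
        for (String candidate : new String[] {null, "", "   ", "Last Resolution User"}) {
            try {
                String name = requireValidName(candidate);
                System.out.println("accepted '" + name + "', system name: " + isSystemName(name));
            } catch (IllegalArgumentException e) {
                System.out.println("rejected: " + e.getMessage());
            }
        }
    }
}
```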