Restore the ability to include clickable links in test output #481
Comments
|
cc @julieheard |
|
Just putting a note here to say I have seen this and am digging back into it. I will come back and update when I know a bit more or have an action plan 👍 |
|
+1 vote for this case, our team also lack this functionality. |
|
Totally agree with this request. Actually, we are refraining from updating because it is very cumbersome to enter the links manually into the browser instead of being able to click it. |
|
Hi, This is still on my radar. Sorry no update yet as have not had time to get to it. I will find the jira ticket and bookmark it. |
|
Thanks Julie,
we are definitely waiting for it 😉: Pls let me know if you need me as a tester etc.
Regards,
Ingo
…________________________________
From: Julie Heard ***@***.***>
Sent: Monday, May 15, 2023 4:52 PM
To: jenkinsci/junit-plugin ***@***.***>
Cc: Kuehn, Ingo ***@***.***>; Comment ***@***.***>
Subject: Re: [jenkinsci/junit-plugin] Restore the ability to include clickable links in test output (Issue #481)
🛑CAUTION: This email originated outside of the GF organization. Please consider the source / sender to ensure the content is safe before clicking on links or opening attachments. If you're unsure, please report this email as phishing so it can be analyzed.
Hi, This is still on my radar. Sorry no update yet as have not had time to get to it. I will find the jira ticket and bookmark it.
—
Reply to this email directly, view it on GitHub<#481 (comment)>, or unsubscribe<https://github.com/notifications/unsubscribe-auth/A7XVWJ4CS4F2X3LNX77L4V3XGI7MXANCNFSM6AAAAAAUBUTTWU>.
You are receiving this because you commented.Message ID: ***@***.***>
|
|
Hi Julie,
did you have time to look at it? We are cut off to new Jenkins updates since this change was rolled out. At least, if you need any support for testing etc, we would be more than willing to help.
Regards,
Ingo
…________________________________
From: Julie Heard ***@***.***>
Sent: Monday, May 15, 2023 4:52 PM
To: jenkinsci/junit-plugin ***@***.***>
Cc: Kuehn, Ingo ***@***.***>; Comment ***@***.***>
Subject: Re: [jenkinsci/junit-plugin] Restore the ability to include clickable links in test output (Issue #481)
??CAUTION: This email originated outside of the GF organization. Please consider the source / sender to ensure the content is safe before clicking on links or opening attachments. If you're unsure, please report this email as phishing so it can be analyzed.
Hi, This is still on my radar. Sorry no update yet as have not had time to get to it. I will find the jira ticket and bookmark it.
—
Reply to this email directly, view it on GitHub<#481 (comment)>, or unsubscribe<https://github.com/notifications/unsubscribe-auth/A7XVWJ4CS4F2X3LNX77L4V3XGI7MXANCNFSM6AAAAAAUBUTTWU>.
You are receiving this because you commented.Message ID: ***@***.***>
|
|
Isn't using "escapeHtml()" from the better way than doing it manually? |
|
Heiko,
I do not understand how that is related to the bug (but I did not check the source code of Junit). If you have a solution, pls let me know.
Regards,
Ingo
From: HeikoNardmann ***@***.***>
Sent: Donnerstag, 13. Juli 2023 21:33
To: jenkinsci/junit-plugin ***@***.***>
Cc: Kuehn, Ingo ***@***.***>; Comment ***@***.***>
Subject: Re: [jenkinsci/junit-plugin] Restore the ability to include clickable links in test output (Issue #481)
🛑CAUTION: This email originated outside of the GF organization. Please consider the source / sender to ensure the content is safe before clicking on links or opening attachments. If you're unsure, please report this email as phishing so it can be analyzed.
Isn't using "escapeHtml()" from
https://commons.apache.org/proper/commons-lang/javadocs/api-2.6/org/apache/commons/lang/StringEscapeUtils.html
the better way than doing it manually?
—
Reply to this email directly, view it on GitHub<#481 (comment)>, or unsubscribe<https://github.com/notifications/unsubscribe-auth/A7XVWJ6WRKVJRAJADHDX3IDXQBEM7ANCNFSM6AAAAAAUBUTTWU>.
You are receiving this because you commented.Message ID: ***@***.******@***.***>>
|
|
Sorry for the delay in getting to this, pull request here: #555 Please give any feedback and I can tweak the level of sanitizing the URLs 😃 |
|
I notice that Jenkins automatically makes links clickable when URLs show up in the "Console Output" of a job. Perhaps the JUnit plugin can hook into the same method that is being used to link-ify URLs in vanilla Jenkins job console output? TBH I don't really understand what the original security problem even was here. Was the primary concern that people would craft URLs which include malicious JavaScript or something? |
Exactly that yes. There was an attempt at fixing it in: #555
Maybe an attempt on the client side would be more successful |
What feature do you want to see added?
To address security-2888, the ability to display clickable links in JUnit test output was removed entirely. Our test suite leans heavily on this feature to help streamline the process of troubleshooting failed tests and other issues, so losing the ability to have clickable links in the output has significantly impaired the usability of our test results.
Is it possible to restore this functionality in a way that does not expose an potential XSS exploit? (I noticed that the security issue mentioned that the auto-hyperlinking was "done in an unsafe manner", which seems to imply that there is a safe way to accomplish this.)
Alternatively, perhaps allowing hyperlinks could become an opt-in setting for users that are willing to trust the limited set of actors that would actually have the access / opportunity to inject something malicious into unit test output?
Upstream changes
No response
The text was updated successfully, but these errors were encountered: