add a JellyVerifier for inline javascript and style tags #4049
Conversation
The JellyVerifier checks for several kinds of inline javascript and style usages which are not CSP compliant. Following checks are implement - inline style tags - script tags without `src` attribute that are not of type `application/json` - `onclick` attribute in namespaced element (this is an indicator that the deprecated onclick attribute is used that a few jelly taglibs in core support, e.g. f:radio), logged as warning - all attributes starting with `on` in tags without a namespace (Those are typically html elements), logged as warning - usage of `checkUrl` without `checkDependsOn` Potentially some check might produce false positives. Tested against issue 3310 which currently uses inline script and style. Added unit tests that verifies all checks.
|
I think once we have core and majority of plugins CSP compliant we should consider moving some or all of these checks to a maven plugin to ensure that nobody accidently reintroduces inline stuff |
This is where the existing ones are I believe: https://github.com/jenkinsci/jenkins-test-harness/blob/b09ba623b3479730c0c340b9077f7251cc97c927/src/main/java/org/jvnet/hudson/test/JellyTestSuiteBuilder.java |
There was a problem hiding this comment.
I wonder whether
needs-fix on errors.
see #4024 (comment)
currently it would add needs-fix if only an info was added.
Generally all the hosting issues that appear are errors so we haven't really came across this, I think the warnings are more to do with how the bot ran e.g. can't find a gradle file is something wrong with the project setup
| private static final Logger LOGGER = LoggerFactory.getLogger(JellyVerifier.class); | ||
| private static final String INLINE_STYLE = "The jelly file %s contains an inline `<style>` tag"; | ||
| private static final String INLINE_SCRIPT = "The jelly file %s contains a `<script>` tag with inline javascript."; | ||
| private static final String INLINE_SCRIPT_METHOD = "The jelly file %s potentially uses inline javascript attribute `%s`"; |
There was a problem hiding this comment.
Could these file paths be a link to GitHub?
Detects usage of inline event handlers like onclick, usage of script elements (except for json type), usage of checkUrl without checkDependsOn Same as jenkins-infra/repository-permissions-updater#4049 but for maven builds
The JellyVerifier checks for several kinds of inline javascript and style usages which are not CSP compliant.
Following checks are implement
srcattribute that are not of typeapplication/jsononclickattribute in namespaced element (this is an indicator that the deprecated onclick attribute is used that a few jellies in core support, e.g. f:radio), logged as warningonin tags without a namespace (Those are typically html elements), logged as warningcheckUrlwithoutcheckDependsOnPotentially some check might produce false positives.
Tested against issue 3310 which currently uses inline script and style.
Tested against 4024 it found usages of
onclickattributesAdded unit tests that verifies all checks.
fixes #3770