Merge branch 'master' into build-page-console-height

Author: MarkEWaite

.github/workflows/run-since-updater.yml

@@ -29,7 +29,7 @@ jobs:
         id: run_script
         shell: bash
       - name: Create Pull Request
-        uses: peter-evans/create-pull-request@dd2324fc52d5d43c699a5636bcf19fceaa70c284 # v7
+        uses: peter-evans/create-pull-request@271a8d0340265f705b14b6d32b9829c1cb33d45e # v7
         with:
           token: ${{ secrets.GITHUB_TOKEN }}
           commit-message: Fill in since annotations

bom/pom.xml

@@ -56,7 +56,7 @@ THE SOFTWARE.
       <dependency>
         <groupId>org.slf4j</groupId>
         <artifactId>slf4j-bom</artifactId>
-        <version>2.0.16</version>
+        <version>2.0.17</version>
         <type>pom</type>
         <scope>import</scope>
       </dependency>

cli/src/main/java/hudson/cli/CLI.java

@@ -318,7 +318,7 @@ public static int _main(String[] _args) throws Exception {
         throw new AssertionError();
     }
 
-    @SuppressFBWarnings(value = {"PATH_TRAVERSAL_IN", "URLCONNECTION_SSRF_FD"}, justification = "User provided values for running the program.")
+    @SuppressFBWarnings(value = "PATH_TRAVERSAL_IN", justification = "User provided value for running the program.")
     private static String readAuthFromFile(String auth) throws IOException {
         Path path;
         try {
@@ -329,7 +329,7 @@ private static String readAuthFromFile(String auth) throws IOException {
         return Files.readString(path, Charset.defaultCharset());
     }
 
-    @SuppressFBWarnings(value = {"PATH_TRAVERSAL_IN", "URLCONNECTION_SSRF_FD"}, justification = "User provided values for running the program.")
+    @SuppressFBWarnings(value = "PATH_TRAVERSAL_IN", justification = "User provided value for running the program.")
     private static File getFileFromArguments(List<String> args) {
         return new File(args.get(1));
     }

core/src/main/java/hudson/DescriptorExtensionList.java

@@ -26,6 +26,7 @@
 
 import edu.umd.cs.findbugs.annotations.CheckForNull;
 import edu.umd.cs.findbugs.annotations.NonNull;
+import edu.umd.cs.findbugs.annotations.SuppressFBWarnings;
 import hudson.model.Describable;
 import hudson.model.Descriptor;
 import hudson.model.Descriptor.FormException;
@@ -274,6 +275,7 @@ protected Descriptor adapt(ExtensionComponent<Descriptor> item) {
     /**
      * Exposed just for the test harness. Clear legacy instances.
      */
+    @SuppressFBWarnings(value = "HSM_HIDING_METHOD", justification = "TODO needs triage")
     public static void clearLegacyInstances() {
         legacyDescriptors.clear();
     }

core/src/main/java/hudson/ExtensionList.java

@@ -36,10 +36,12 @@
 import java.util.ArrayList;
 import java.util.Collection;
 import java.util.Collections;
+import java.util.IdentityHashMap;
 import java.util.Iterator;
 import java.util.List;
 import java.util.Map;
 import java.util.Objects;
+import java.util.Set;
 import java.util.Vector;
 import java.util.concurrent.ConcurrentHashMap;
 import java.util.concurrent.CopyOnWriteArrayList;
@@ -48,6 +50,8 @@
 import jenkins.ExtensionComponentSet;
 import jenkins.model.Jenkins;
 import jenkins.util.io.OnMaster;
+import org.kohsuke.accmod.Restricted;
+import org.kohsuke.accmod.restrictions.NoExternalUse;
 
 /**
  * Retains the known extension instances for the given type 'T'.
@@ -335,27 +339,44 @@ protected Object getLoadLock() {
     /**
      * Used during {@link Jenkins#refreshExtensions()} to add new components into existing {@link ExtensionList}s.
      * Do not call from anywhere else.
+     * @return true if {@link #fireOnChangeListeners} should be called on {@code this} after all lists have been refreshed.
      */
-    public void refresh(ExtensionComponentSet delta) {
-        boolean fireOnChangeListeners = false;
+    @Restricted(NoExternalUse.class)
+    public boolean refresh(ExtensionComponentSet delta) {
         synchronized (getLoadLock()) {
             if (extensions == null)
-                return;     // not yet loaded. when we load it, we'll load everything visible by then, so no work needed
-
-            Collection<ExtensionComponent<T>> found = load(delta);
-            if (!found.isEmpty()) {
-                List<ExtensionComponent<T>> l = new ArrayList<>(extensions);
-                l.addAll(found);
-                extensions = sort(l);
-                fireOnChangeListeners = true;
+                return false;     // not yet loaded. when we load it, we'll load everything visible by then, so no work needed
+
+            Collection<ExtensionComponent<T>> newComponents = load(delta);
+            if (!newComponents.isEmpty()) {
+                // We check to ensure that we do not insert duplicate instances of already-loaded extensions into the list.
+                // This can happen when dynamically loading a plugin with an extension A that itself loads another
+                // extension B from the same plugin in some contexts, such as in A's constructor or via a method in A called
+                // by an ExtensionListListener. In those cases, ExtensionList.refresh may be called on a list that already
+                // includes the new extensions. Note that ExtensionComponent objects are always unique, even when
+                // ExtensionComponent.getInstance is identical, so we have to track the components and instances separately
+                // to handle ordinal sorting and check for dupes.
+                List<ExtensionComponent<T>> components = new ArrayList<>(extensions);
+                Set<T> instances = Collections.newSetFromMap(new IdentityHashMap<>());
+                for (ExtensionComponent<T> component : components) {
+                    instances.add(component.getInstance());
+                }
+                boolean fireListeners = false;
+                for (ExtensionComponent<T> newComponent : newComponents) {
+                    if (instances.add(newComponent.getInstance())) {
+                        fireListeners = true;
+                        components.add(newComponent);
+                    }
+                }
+                extensions = sort(new ArrayList<>(components));
+                return fireListeners;
             }
         }
-        if (fireOnChangeListeners) {
-            fireOnChangeListeners();
-        }
+        return false;
     }
 
-    private void fireOnChangeListeners() {
+    @Restricted(NoExternalUse.class)
+    public void fireOnChangeListeners() {
         for (ExtensionListListener listener : listeners) {
             try {
                 listener.onChange();

core/src/main/java/hudson/PluginManager.java

@@ -100,6 +100,7 @@
 import java.util.HashMap;
 import java.util.HashSet;
 import java.util.Iterator;
+import java.util.LinkedHashMap;
 import java.util.LinkedHashSet;
 import java.util.List;
 import java.util.Locale;
@@ -114,7 +115,6 @@
 import java.util.concurrent.ConcurrentMap;
 import java.util.concurrent.CopyOnWriteArrayList;
 import java.util.concurrent.Future;
-import java.util.function.Function;
 import java.util.function.Supplier;
 import java.util.jar.JarEntry;
 import java.util.jar.JarFile;
@@ -2661,7 +2661,10 @@ public boolean isActivated() {
         public Map<PluginWrapper, String> getDeprecatedPlugins() {
             return Jenkins.get().getPluginManager().getPlugins().stream()
                     .filter(PluginWrapper::isDeprecated)
-                    .collect(Collectors.toMap(Function.identity(), it -> it.getDeprecations().get(0).url));
+                    .sorted(Comparator.comparing(PluginWrapper::getDisplayName)) // Sort by plugin name
+                    .collect(LinkedHashMap::new,
+                            (map, plugin) -> map.put(plugin, plugin.getDeprecations().get(0).url),
+                            Map::putAll);
         }
     }
 

core/src/main/java/hudson/Util.java

@@ -1651,7 +1651,7 @@ public static boolean isAbsoluteUri(@NonNull String uri) {
      * @since 2.3 / 1.651.2
      */
     public static boolean isSafeToRedirectTo(@NonNull String uri) {
-        return !isAbsoluteUri(uri) && !uri.startsWith("//");
+        return !isAbsoluteUri(uri) && !uri.startsWith("\\") && !uri.replace('\\', '/').startsWith("//");
     }
 
     /**

core/src/main/java/hudson/cli/GetNodeCommand.java

@@ -27,8 +27,11 @@
 import hudson.Extension;
 import hudson.model.Computer;
 import hudson.model.Node;
+import java.io.ByteArrayOutputStream;
 import java.io.IOException;
+import java.nio.charset.StandardCharsets;
 import jenkins.model.Jenkins;
+import jenkins.security.ExtendedReadRedaction;
 import org.kohsuke.args4j.Argument;
 
 /**
@@ -52,7 +55,16 @@ protected int run() throws IOException {
 
         node.checkPermission(Computer.EXTENDED_READ);
 
-        Jenkins.XSTREAM2.toXMLUTF8(node, stdout);
+        if (node.hasPermission(Computer.CONFIGURE)) {
+            Jenkins.XSTREAM2.toXMLUTF8(node, stdout);
+        } else {
+            var baos = new ByteArrayOutputStream();
+            Jenkins.XSTREAM2.toXMLUTF8(node, baos);
+            String xml = baos.toString(StandardCharsets.UTF_8);
+
+            xml = ExtendedReadRedaction.applyAll(xml);
+            org.apache.commons.io.IOUtils.write(xml, stdout, StandardCharsets.UTF_8);
+        }
 
         return 0;
     }

core/src/main/java/hudson/cli/GetViewCommand.java

@@ -26,6 +26,9 @@
 
 import hudson.Extension;
 import hudson.model.View;
+import java.io.ByteArrayOutputStream;
+import java.nio.charset.StandardCharsets;
+import jenkins.security.ExtendedReadRedaction;
 import org.kohsuke.args4j.Argument;
 
 /**
@@ -48,7 +51,17 @@ public String getShortDescription() {
     protected int run() throws Exception {
 
         view.checkPermission(View.READ);
-        view.writeXml(stdout);
+
+        if (view.hasPermission(View.CONFIGURE)) {
+            view.writeXml(stdout);
+        } else {
+            var baos = new ByteArrayOutputStream();
+            view.writeXml(baos);
+            String xml = baos.toString(StandardCharsets.UTF_8);
+
+            xml = ExtendedReadRedaction.applyAll(xml);
+            org.apache.commons.io.IOUtils.write(xml, stdout, StandardCharsets.UTF_8);
+        }
 
         return 0;
     }

core/src/main/java/hudson/console/ModelHyperlinkNote.java

@@ -1,6 +1,7 @@
 package hudson.console;
 
 import edu.umd.cs.findbugs.annotations.NonNull;
+import edu.umd.cs.findbugs.annotations.SuppressFBWarnings;
 import hudson.Extension;
 import hudson.model.Computer;
 import hudson.model.Item;
@@ -66,6 +67,7 @@ public static String encodeTo(Label label) {
         return encodeTo("/" + label.getUrl(), label.getName());
     }
 
+    @SuppressFBWarnings(value = "HSM_HIDING_METHOD", justification = "TODO needs triage")
     public static String encodeTo(String url, String text) {
         return HyperlinkNote.encodeTo(url, text, ModelHyperlinkNote::new);
     }

core/src/main/java/hudson/model/AutoCompletionCandidates.java

@@ -25,7 +25,6 @@
 package hudson.model;
 
 import edu.umd.cs.findbugs.annotations.CheckForNull;
-import edu.umd.cs.findbugs.annotations.SuppressFBWarnings;
 import hudson.search.Search;
 import hudson.search.UserSearchProperty;
 import jakarta.servlet.ServletException;
@@ -109,7 +108,6 @@ public static <T extends Item> AutoCompletionCandidates ofJobNames(final Class<T
      *      The nearby contextual {@link ItemGroup} to resolve relative job names from.
      * @since 1.553
      */
-    @SuppressFBWarnings(value = "SBSC_USE_STRINGBUFFER_CONCATENATION", justification = "no big deal")
     public static  <T extends Item> AutoCompletionCandidates ofJobNames(final Class<T> type, final String value, ItemGroup container) {
         final AutoCompletionCandidates candidates = new AutoCompletionCandidates();
         class Visitor extends ItemVisitor {

core/src/main/java/hudson/model/Computer.java

@@ -74,6 +74,7 @@
 import hudson.util.RemotingDiagnostics.HeapDump;
 import hudson.util.RunList;
 import jakarta.servlet.ServletException;
+import java.io.ByteArrayOutputStream;
 import java.io.File;
 import java.io.IOException;
 import java.io.InputStream;
@@ -83,6 +84,7 @@
 import java.net.InetAddress;
 import java.net.NetworkInterface;
 import java.nio.charset.Charset;
+import java.nio.charset.StandardCharsets;
 import java.nio.file.Files;
 import java.nio.file.InvalidPathException;
 import java.nio.file.StandardCopyOption;
@@ -110,6 +112,8 @@
 import jenkins.model.IComputer;
 import jenkins.model.IDisplayExecutor;
 import jenkins.model.Jenkins;
+import jenkins.search.SearchGroup;
+import jenkins.security.ExtendedReadRedaction;
 import jenkins.security.ImpersonatingExecutorService;
 import jenkins.security.MasterToSlaveCallable;
 import jenkins.security.stapler.StaplerDispatchable;
@@ -1109,6 +1113,11 @@ public String getSearchUrl() {
         return getUrl();
     }
 
+    @Override
+    public SearchGroup getSearchGroup() {
+        return SearchGroup.get(SearchGroup.ComputerSearchGroup.class);
+    }
+
     /**
      * {@link RetentionStrategy} associated with this computer.
      *
@@ -1526,7 +1535,16 @@ public void doConfigDotXml(StaplerRequest2 req, StaplerResponse2 rsp)
             if (node == null) {
                 throw HttpResponses.notFound();
             }
-            Jenkins.XSTREAM2.toXMLUTF8(node, rsp.getOutputStream());
+            if (hasPermission(CONFIGURE)) {
+                Jenkins.XSTREAM2.toXMLUTF8(node, rsp.getOutputStream());
+            } else {
+                var baos = new ByteArrayOutputStream();
+                Jenkins.XSTREAM2.toXMLUTF8(node, baos);
+                String xml = baos.toString(StandardCharsets.UTF_8);
+
+                xml = ExtendedReadRedaction.applyAll(xml);
+                org.apache.commons.io.IOUtils.write(xml, rsp.getOutputStream(), StandardCharsets.UTF_8);
+            }
             return;
         }
         if (req.getMethod().equals("POST")) {

core/src/main/java/hudson/model/FileParameterValue.java

@@ -164,7 +164,7 @@ public org.apache.commons.fileupload.FileItem getFile() {
     @Override
     public BuildWrapper createBuildWrapper(AbstractBuild<?, ?> build) {
         return new BuildWrapper() {
-            @SuppressFBWarnings(value = {"FILE_UPLOAD_FILENAME", "NP_NULL_ON_SOME_PATH_FROM_RETURN_VALUE"}, justification = "TODO needs triage")
+            @SuppressFBWarnings(value = "NP_NULL_ON_SOME_PATH_FROM_RETURN_VALUE", justification = "TODO needs triage")
             @Override
             public Environment setUp(AbstractBuild build, Launcher launcher, BuildListener listener) throws IOException, InterruptedException {
                 if (location != null && !location.isEmpty() && file.getName() != null && !file.getName().isEmpty()) {

core/src/main/java/hudson/model/Item.java

@@ -39,6 +39,7 @@
 import java.io.IOException;
 import java.util.Collection;
 import jenkins.model.Jenkins;
+import jenkins.search.SearchGroup;
 import jenkins.util.SystemProperties;
 import jenkins.util.io.OnMaster;
 import org.kohsuke.stapler.StaplerRequest2;
@@ -249,6 +250,11 @@ default void onCreatedFromScratch() {
      */
     void delete() throws IOException, InterruptedException;
 
+    @Override
+    default SearchGroup getSearchGroup() {
+        return SearchGroup.get(SearchGroup.ItemSearchGroup.class);
+    }
+
     PermissionGroup PERMISSIONS = new PermissionGroup(Item.class, Messages._Item_Permissions_Title());
     Permission CREATE =
             new Permission(

core/src/main/java/hudson/model/ModifiableItemGroup.java

@@ -24,11 +24,11 @@
 
 package hudson.model;
 
+import hudson.Util;
 import io.jenkins.servlet.ServletExceptionWrapper;
 import jakarta.servlet.ServletException;
 import java.io.IOException;
 import jenkins.security.stapler.StaplerNotDispatchable;
-import org.kohsuke.stapler.ReflectionUtils;
 import org.kohsuke.stapler.StaplerRequest;
 import org.kohsuke.stapler.StaplerRequest2;
 import org.kohsuke.stapler.StaplerResponse;
@@ -53,7 +53,7 @@ public interface ModifiableItemGroup<T extends Item> extends ItemGroup<T> {
      */
     @RequirePOST
     default T doCreateItem(StaplerRequest2 req, StaplerResponse2 rsp) throws IOException, ServletException {
-        if (ReflectionUtils.isOverridden(
+        if (Util.isOverridden(
                 ModifiableItemGroup.class,
                 getClass(),
                 "doCreateItem",
@@ -76,7 +76,7 @@ default T doCreateItem(StaplerRequest2 req, StaplerResponse2 rsp) throws IOExcep
     @Deprecated
     @StaplerNotDispatchable
     default T doCreateItem(StaplerRequest req, StaplerResponse rsp) throws IOException, javax.servlet.ServletException {
-        if (ReflectionUtils.isOverridden(
+        if (Util.isOverridden(
                 ModifiableItemGroup.class,
                 getClass(),
                 "doCreateItem",

core/src/main/java/hudson/model/UpdateSite.java

@@ -1088,7 +1088,7 @@ public boolean isRelevant() {
          * {@code false} if it does; and {@code null} when the affected component isn't being offered, or it's a warning
          * for something other than core or a plugin.
          */
-        @SuppressFBWarnings(value = "NP_BOOLEAN_RETURN_NULL")
+        @SuppressFBWarnings(value = "NP_BOOLEAN_RETURN_NULL", justification = "TODO needs triage")
         public Boolean isFixable() {
             final Data data = UpdateSite.this.data;
             if (data == null) {