Merge branch 'master' into update-forms

.github/workflows/changelog.yml

@@ -17,7 +17,7 @@ jobs:
       # Drafts your next Release notes as Pull Requests are merged into "master"
       - name: Generate GitHub Release Draft
         id: release-drafter
-        uses: release-drafter/release-drafter@v5.15.0
+        uses: release-drafter/release-drafter@v5.17.6
         env:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
       # Generates a YAML changelog file using https://github.com/jenkinsci/jenkins-core-changelog-generator

bom/pom.xml

@@ -39,7 +39,7 @@ THE SOFTWARE.
 
   <properties>
     <asm.version>9.2</asm.version>
-    <slf4jVersion>1.7.32</slf4jVersion>
+    <slf4jVersion>1.7.33</slf4jVersion>
     <stapler.version>1638.v229a_24fa_b_17c</stapler.version>
     <groovy.version>2.4.21</groovy.version>
   </properties>
@@ -319,11 +319,6 @@ THE SOFTWARE.
         <artifactId>symbol-annotation</artifactId>
         <version>1.1</version>
       </dependency>
-      <dependency>
-        <groupId>com.sun.mail</groupId>
-        <artifactId>jakarta.mail</artifactId>
-        <version>1.6.5</version>
-      </dependency>
 
       <!--XStream-->
       <dependency>

core/pom.xml

@@ -280,10 +280,6 @@ THE SOFTWARE.
       <groupId>org.apache.commons</groupId>
       <artifactId>commons-compress</artifactId>
     </dependency>
-    <dependency>
-      <groupId>com.sun.mail</groupId>
-      <artifactId>jakarta.mail</artifactId>
-    </dependency>
     <dependency>
       <groupId>jaxen</groupId>
       <artifactId>jaxen</artifactId>

core/src/main/java/hudson/model/Label.java

@@ -32,6 +32,7 @@
 import com.thoughtworks.xstream.converters.UnmarshallingContext;
 import com.thoughtworks.xstream.io.HierarchicalStreamReader;
 import com.thoughtworks.xstream.io.HierarchicalStreamWriter;
+import edu.umd.cs.findbugs.annotations.CheckForNull;
 import edu.umd.cs.findbugs.annotations.NonNull;
 import hudson.Util;
 import hudson.model.labels.LabelAtom;
@@ -134,6 +135,7 @@ protected boolean matches(Queue.Item item, SubTask subTask) {
     /**
      * Alias for {@link #getDisplayName()}.
      */
+    @NonNull
     @Exported(visibility = 2)
     public final String getName() {
         return getDisplayName();
@@ -584,7 +586,8 @@ public Object unmarshal(HierarchicalStreamReader reader, final UnmarshallingCont
      *      so that the caller can add more to the set.
      * @since 1.308
      */
-    public static Set<LabelAtom> parse(String labels) {
+    @NonNull
+    public static Set<LabelAtom> parse(@CheckForNull String labels) {
         final Set<LabelAtom> r = new TreeSet<>();
         labels = fixNull(labels);
         if (labels.length() > 0) {
@@ -598,6 +601,7 @@ public static Set<LabelAtom> parse(String labels) {
     /**
      * Obtains a label by its {@linkplain #getName() name}.
      */
+    @CheckForNull
     public static Label get(String l) {
         return Jenkins.get().getLabel(l);
     }
@@ -607,7 +611,7 @@ public static Label get(String l) {
      *
      * TODO: replace this with a real parser later
      */
-    public static Label parseExpression(String labelExpression) throws ANTLRException {
+    public static Label parseExpression(@NonNull String labelExpression) throws ANTLRException {
         LabelExpressionLexer lexer = new LabelExpressionLexer(new StringReader(labelExpression));
         return new LabelExpressionParser(lexer).expr();
     }

core/src/main/java/hudson/model/labels/LabelAtom.java

@@ -29,6 +29,7 @@
 import com.thoughtworks.xstream.io.HierarchicalStreamReader;
 import com.thoughtworks.xstream.io.HierarchicalStreamWriter;
 import edu.umd.cs.findbugs.annotations.CheckForNull;
+import edu.umd.cs.findbugs.annotations.NonNull;
 import edu.umd.cs.findbugs.annotations.Nullable;
 import hudson.BulkChange;
 import hudson.CopyOnWrite;
@@ -87,7 +88,7 @@ public class LabelAtom extends Label implements Saveable {
 
     private String description;
 
-    public LabelAtom(String name) {
+    public LabelAtom(@NonNull String name) {
         super(name);
     }
 
@@ -111,6 +112,7 @@ public String getExpression() {
      * should do so by implementing {@link LabelAtomProperty#getActions(LabelAtom)}.
      */
     @SuppressWarnings("deprecation")
+    @NonNull
     @Override
     public List<Action> getActions() {
         // add all the transient actions, too

core/src/main/java/hudson/model/labels/LabelExpression.java

@@ -37,6 +37,7 @@
 import hudson.util.FormValidation;
 import hudson.util.VariableResolver;
 import java.util.ArrayList;
+import java.util.Collections;
 import java.util.List;
 import java.util.Set;
 import jenkins.model.Jenkins;
@@ -286,14 +287,15 @@ public static FormValidation validate(@Nullable String expression, @CheckForNull
         }
         final Jenkins j = Jenkins.get();
         Label l = j.getLabel(expression);
-        if (l.isEmpty()) {
+        if (l == null || l.isEmpty()) {
             final LabelAtom masterLabel = LabelAtom.get("master");
-            if (!masterLabel.equals(Jenkins.get().getSelfLabel()) && l.listAtoms().contains(masterLabel) && masterLabel.isEmpty()) {
+            final Set<LabelAtom> labelAtoms = (l == null ? Collections.emptySet() : l.listAtoms());
+            if (!masterLabel.equals(Jenkins.get().getSelfLabel()) && labelAtoms.contains(masterLabel) && masterLabel.isEmpty()) {
                 // Show a warning if this expression's lack of nodes and clouds is likely caused by the built-in node name migration.
                 // This can probably be done better (e.g. also when `!l.isEmpty()`), but it's a start.
                 return FormValidation.warningWithMarkup(Messages.LabelExpression_ObsoleteMasterLabel());
             }
-            for (LabelAtom a : l.listAtoms()) {
+            for (LabelAtom a : labelAtoms) {
                 if (a.isEmpty()) {
                     LabelAtom nearest = LabelAtom.findNearest(a.getName());
                     return FormValidation.warning(Messages.LabelExpression_NoMatch_DidYouMean(a.getName(), nearest.getDisplayName()));

core/src/main/java/hudson/scm/SCM.java

@@ -175,8 +175,8 @@ public boolean supportsPolling() {
      *
      * <p>
      * This flag affects the behavior of Hudson when a job lost its workspace
-     * (typically due to a agent outage.) If this method returns false and
-     * polling is configured, then that would immediately trigger a new build.
+     * (typically due to a agent outage.) If this method returns true and
+     * polling is configured, then that would usually trigger a new build.
      *
      * <p>
      * This flag also affects the mutual exclusion control between builds and polling.

core/src/main/java/jenkins/model/Jenkins.java

@@ -2051,6 +2051,7 @@ public Computer[] getComputers() {
      * @return null if name is null.
      * @see Label#parseExpression(String) (String)
      */
+    @CheckForNull
     public Label getLabel(String expr) {
         if (expr == null)  return null;
         expr = QuotedStringTokenizer.unquote(expr);

core/src/main/resources/jenkins/split-plugin-cycles.txt

@@ -32,3 +32,7 @@ junit jaxb
 bouncycastle-api jaxb
 command-launcher jaxb
 jdk-tool jaxb
+
+javax-activation-api javax-mail-api
+javax-activation-api sshd
+javax-mail-api sshd

core/src/main/resources/jenkins/split-plugins.txt

@@ -34,3 +34,6 @@ trilead-api 2.184 1.0.4
 
 # JENKINS-64107
 sshd 2.281 3.0.1
+
+javax-activation-api 2.330 1.2.0-2
+javax-mail-api 2.330 1.6.2-5

core/src/main/resources/lib/hudson/buildCaption.jelly

@@ -28,6 +28,10 @@ THE SOFTWARE.
 <?jelly escape-by-default='true'?>
 <j:jelly xmlns:j="jelly:core" xmlns:st="jelly:stapler" xmlns:d="jelly:define" xmlns:l="/lib/layout" xmlns:t="/lib/hudson" xmlns:f="/lib/form">
 	<h1 class="build-caption page-headline">
+    <l:icon alt="${it.iconColor.description}" class="${it.buildStatusIconClassName} icon-xlg" tooltip="${it.iconColor.description}"/>
+    <span class="jenkins-icon-adjacent">
+      <d:invokeBody trim="true"/>
+    </span>
 	  <j:if test="${it.building}">
 	    <div class="build-caption-progress-container" style="float:right">
 	      <table class="middle-align"><tr>
@@ -43,8 +47,6 @@ THE SOFTWARE.
 	      </tr></table>
 	    </div>
 	  </j:if>
-
-	  <l:icon alt="${it.iconColor.description}" class="${it.buildStatusIconClassName} icon-xlg" tooltip="${it.iconColor.description}"/>
         <script>
           (function(){
             function updateBuildCaptionIcon(){
@@ -71,8 +73,5 @@ THE SOFTWARE.
 
           })();
         </script>
-        <span class="jenkins-icon-adjacent">
-          <d:invokeBody trim="true"/>
-        </span>
     </h1>
 </j:jelly>

core/src/test/java/hudson/UtilTest.java

@@ -46,7 +46,7 @@
 import java.io.IOException;
 import java.nio.charset.Charset;
 import java.nio.charset.StandardCharsets;
-import java.nio.file.AccessDeniedException;
+import java.nio.file.FileSystemException;
 import java.nio.file.Files;
 import java.nio.file.Path;
 import java.nio.file.Paths;
@@ -676,7 +676,7 @@ public void createDirectoriesInRoot() throws Exception {
             assertEquals(newDirInRoot.resolve("new1"), Util.createDirectories(newDirInRoot.resolve("new1")).toRealPath());
             Util.createSymlink(newSymlinkInRoot.getParent().toFile(), newDirInRoot.getFileName().toString(), newSymlinkInRoot.getFileName().toString(), TaskListener.NULL);
             assertEquals(newDirInRoot.resolve("new2"), Util.createDirectories(newSymlinkInRoot.resolve("new2")).toRealPath());
-        } catch (AccessDeniedException e) {
+        } catch (FileSystemException e) {
             // Not running as root
             assumeNoException(e);
         }

pom.xml

@@ -70,7 +70,7 @@ THE SOFTWARE.
   </issueManagement>
 
   <properties>
-    <revision>2.331</revision>
+    <revision>2.332</revision>
     <changelist>-SNAPSHOT</changelist>
 
     <!-- *.html files are in UTF-8, and *.properties are in iso-8859-1, so this configuration is actually incorrect,
@@ -102,7 +102,7 @@ THE SOFTWARE.
     <bridge-method-injector.version>1.23</bridge-method-injector.version>
     <junit.jupiter.version>5.8.2</junit.jupiter.version>
     <mockito.version>4.2.0</mockito.version>
-    <spotless.version>2.19.2</spotless.version>
+    <spotless.version>2.20.0</spotless.version>
   </properties>
 
   <dependencyManagement>

test/pom.xml

@@ -83,7 +83,7 @@ THE SOFTWARE.
     <dependency>
       <groupId>${project.groupId}</groupId>
       <artifactId>jenkins-test-harness</artifactId>
-      <version>1690.vfcb_959006c07</version>
+      <version>1682.v4a_71b_f124ca_3</version>
       <scope>test</scope>
       <exclusions>
         <exclusion>
@@ -118,7 +118,13 @@ THE SOFTWARE.
     <dependency>
       <groupId>org.jenkins-ci.plugins</groupId>
       <artifactId>mailer</artifactId>
-      <version>391.ve4a_38c1b_cf4b_</version>
+      <version>408.vd726a_1130320</version>
+      <scope>test</scope>
+    </dependency>
+    <dependency>
+      <groupId>io.jenkins.plugins</groupId>
+      <artifactId>javax-mail-api</artifactId>
+      <version>1.6.2-5</version>
       <scope>test</scope>
     </dependency>
     <dependency>
@@ -136,7 +142,7 @@ THE SOFTWARE.
     <dependency>
       <groupId>org.jenkins-ci.plugins</groupId>
       <artifactId>matrix-project</artifactId>
-      <version>1.19</version>
+      <version>1.20</version>
       <scope>test</scope>
     </dependency>
     <dependency>

test/src/test/java/hudson/model/BuildAuthorizationTokenTest.java

@@ -15,9 +15,11 @@
 import org.junit.Before;
 import org.junit.Rule;
 import org.junit.Test;
+import org.jvnet.hudson.test.Issue;
 import org.jvnet.hudson.test.JenkinsRule;
 import org.jvnet.hudson.test.MockAuthorizationStrategy;
 
+// TODO : Using the @Nested class might be cleaner for SECURITY-2558 tests
 public class BuildAuthorizationTokenTest {
 
     @Rule
@@ -33,6 +35,47 @@ public void setupSecurity() {
                                                     .grant(Item.READ).everywhere().toEveryone());
     }
 
+    @Test
+    @Issue("SECURITY-2558")
+    public void triggerJobWithoutSecurityRealm_ShouldSucceed_WithPost() throws Exception {
+        jr.jenkins.setSecurityRealm(null);
+        jr.jenkins.setAuthorizationStrategy(null);
+        FreeStyleProject project = createFreestyleProjectWithToken();
+        JenkinsRule.WebClient wc = jr.createWebClient();
+        wc.getPage(wc.addCrumb(new WebRequest(new URL(jr.getURL(), project.getUrl() +
+                "build?delay=0"),
+                HttpMethod.POST)));
+        jr.waitUntilNoActivity();
+        assertThat("the project should have been built", project.getBuilds(), hasSize(1));
+    }
+
+    @Test
+    @Issue("SECURITY-2558")
+    public void triggerJobWithoutSecurityRealm_ShouldFail_WithGet() throws Exception {
+        jr.jenkins.setSecurityRealm(null);
+        jr.jenkins.setAuthorizationStrategy(null);
+        FreeStyleProject project = jr.createFreeStyleProject();
+        JenkinsRule.WebClient wc = jr.createWebClient();
+        FailingHttpStatusCodeException fex = assertThrows(
+                "should not reach here since only POST request can",
+                FailingHttpStatusCodeException.class,
+                () -> wc.getPage(new WebRequest(new URL(jr.getURL(), project.getUrl() + "build?delay=0"), HttpMethod.GET)));
+        assertThat("Should fail with method not allowed", fex.getStatusCode(), is(405));
+    }
+
+    @Test
+    @Issue("SECURITY-2558")
+    public void triggerJobWithoutSecurityRealm_ButWithToken_ShouldSucceed_WithGet() throws Exception {
+        jr.jenkins.setSecurityRealm(null);
+        jr.jenkins.setAuthorizationStrategy(null);
+        FreeStyleProject project = createFreestyleProjectWithToken();
+        JenkinsRule.WebClient wc = jr.createWebClient();
+        wc.getPage(new WebRequest(new URL(jr.getURL(), project.getUrl() + "build?delay=0&token=" + token),
+                HttpMethod.GET));
+        jr.waitUntilNoActivity();
+        assertThat("the project should have been built", project.getBuilds(), hasSize(1));
+    }
+
     @Test
     public void triggerJobWithTokenShouldSucceedWithPost() throws Exception {
         FreeStyleProject project = createFreestyleProjectWithToken();