Fix XSS vulnerability, modernize build, and fix API deprecations#138
Open
mbSmaga wants to merge 5 commits into jenkinsci:master from
Conversation
Escape Docker API response values rendered in dashboard Jelly templates to prevent stored cross-site scripting attacks.
- Add getSafeId() to SwarmNode for XSS-safe HTML element IDs
- Escape node hostname, role, and service names with <j:out> tags
- Escape build display names and queue item values
- Sanitize JSON output to prevent </script> tag injection
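The commit above fixes the same attacker-influenced string (a Docker service or node name) in three different output contexts, and each context needs its own encoder. The following is an added example, not the plugin's own code, written in JavaScript so it runs stand-alone. escapeHtml, safeId (a hypothetical helper modelled on the getSafeId() idea), jsonForInlineScript and the constructed malicious service name are all assumptions of this example; the one fact it demonstrates is that JSON.stringify alone is not safe inside an inline script, because the HTML parser finds the literal </script> before the JavaScript engine ever parses the string.

```javascript
// Added example (not plugin code): context-specific escaping of an
// attacker-influenced Docker service name rendered in three places.

// 1. HTML text context (the job <j:out> does when fed escaped text).
function escapeHtml(s) {
  return String(s).replace(/[&<>"']/g, (c) => ({
    '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;',
  })[c]);
}

// 2. DOM id / attribute context: allow-list instead of escaping, because
// ids are reused in selectors and other attributes. Hypothetical helper,
// modelled on the getSafeId() idea: keep [A-Za-z0-9_-], replace the rest,
// and make sure the id starts with a letter or underscore.
function safeId(name) {
  const cleaned = String(name).replace(/[^A-Za-z0-9_-]/g, '_');
  return /^[A-Za-z_]/.test(cleaned) ? cleaned : 'n_' + cleaned;
}

// 3. JSON embedded in an inline <script>: JSON.stringify yields valid JS,
// but the HTML tokenizer closes the element at the first "</script>".
// Rewriting "</" as "<\/" changes nothing for JSON.parse (\/ is a legal
// escape) and removes the sequence the HTML parser is looking for.
function jsonForInlineScript(value) {
  return JSON.stringify(value)
    .replace(/<\//g, '<\\/')
    .replace(/\u2028/g, '\\u2028')   // JS line terminators that JSON allows raw
    .replace(/\u2029/g, '\\u2029');
}

// Vulnerable rendering: raw concatenation into id, text and script.
function renderUnsafe(node) {
  return `<div id="${node.name}">${node.name}</div>\n` +
         `<script>var chart = ${JSON.stringify({ name: node.name })};</script>`;
}

// Hardened rendering: each slot goes through the encoder for its context.
function renderSafe(node) {
  return `<div id="${safeId(node.name)}">${escapeHtml(node.name)}</div>\n` +
         `<script>var chart = ${jsonForInlineScript({ name: node.name })};</script>`;
}

// Constructed sample input: a service name carrying a script-breakout payload.
const maliciousNode = { name: 'web</script><script>alert(document.cookie)</script>' };

console.log('unsafe:\n' + renderUnsafe(maliciousNode));
console.log('safe:\n' + renderSafe(maliciousNode));
```

The hardened output contains exactly one closing script tag (the template's own); the unsafe output contains the payload's, which ends the chart script early and starts an attacker-controlled one. Note that escapeHtml is the wrong tool for the id slot: `&lt;` is harmless as text but still not a valid id, which is why the id gets an allow-list instead.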
Cherry-picked from jenkinsci#130. Adds volumeDir field to agent template for specifying plain Docker volumes, improves cacheDir help, sets default cache driver to local.
Cherry-picked Java changes from jenkinsci#137. Docker API 1.44 deprecated ServiceSpec.Networks in favor of TaskTemplate.Networks. Without this fix, Docker 29+ starts agents on the bridge network instead of the configured swarm network.
Cherry-picked from jenkinsci#133, with additional dependency cleanup: remove old pinned jackson/docker-java-api versions, let BOM manage versions, add jackson2-api plugin dependency.
Provide the standard agent launch command (curl agent.jar && java hudson.remoting.jnlp.Main) as the default when unixCommand is empty, matching the default shown in the config UI. Also annotate ContainerSpec.Command with @JsonInclude(NON_EMPTY) so that an explicitly empty command omits the field from JSON, letting Docker use the image entrypoint. Previously an empty command sent Command:[] to Docker, which could override the image entrypoint depending on Docker version and Jackson serialization context.
This was referenced Apr 4, 2026
Summary
- Escape Docker API response values (node.name, node.role, build.fullDisplayName, task.service.Spec.Name, queue item fields) using <j:out> in Jelly templates. Add getSafeId() to SwarmNode for XSS-safe DOM element IDs. Sanitize JSON chart data output to prevent </script> injection.
- Update jenkins.version to 2.462.3, update bom to 3435.v238d66a_043fb_, replace deprecated java.level with maven.compiler.release, and remove obsolete findbugs/animal-sniffer configurations.
- Move Networks from ServiceSpec to TaskTemplate to align with the current Docker Swarm API.
- Add volumeDir config field on DockerSwarmAgentTemplate for persistent named volumes, and add inline help descriptions for both cacheDir and volumeDir.
- When unixCommand is empty, fall back to the standard JNLP agent launch command instead of sending an empty command array to Docker.

Test plan
- mvn verify on Java 11+