java.lang.IllegalArgumentException: Dangerous string detected: /builds//authors/viewAuthor.action?authorName=unknown <user@domain.com>

Atlassian JIRA | Jaime Silveira [Atlassian] | 2 years ago

    In some pages, Bamboo shows the authors of commits, even if they're not local users. If they're not associated with a user, they are shown like this:

    !branch_author.png|thumbnail!

    We can see it follows this pattern: Display name <user@domain.com>

    When clicking this user, we get this 'Internal Server Error Page':

    !error_page.png|thumbnail!

    The following stacktrace is shown:

    {noformat}
    java.lang.IllegalArgumentException: Dangerous string detected: /builds//authors/viewAuthor.action?authorName=unknown <user@domain.com>
        at com.atlassian.bamboo.util.RequestCacheThreadLocal.assertNoXss(RequestCacheThreadLocal.java:157)
        at com.atlassian.bamboo.util.RequestCacheThreadLocal.putHttpRequest(RequestCacheThreadLocal.java:145)
        at com.atlassian.bamboo.util.RequestCacheThreadLocal.setRequestCache(RequestCacheThreadLocal.java:53)
        at com.atlassian.bamboo.filter.RequestCacheThreadLocalFilter.doFilter(RequestCacheThreadLocalFilter.java:31)
        at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235)
        at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
        at com.atlassian.core.filters.HeaderSanitisingFilter.doFilter(HeaderSanitisingFilter.java:32)
        at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235)
        at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
        at com.atlassian.plugin.servlet.filter.IteratingFilterChain.doFilter(IteratingFilterChain.java:46)
        at com.atlassian.plugin.servlet.filter.DelegatingPluginFilter$1.doFilter(DelegatingPluginFilter.java:70)
    {noformat}

    Since it says it's a 'Dangerous string detected', it seems that the URL is the problem. The accessed URL is as follows:

    {noformat}
    https://instance.atlassian.net/builds/browse/author/Display%20Name%20<user@domain.com>
    {noformat}

    We can see that the URL contains the '<' and '>' characters. Maybe these are badly interpreted by Bamboo.

    *Steps to Reproduce*
    # Have a plan connected to a repository in Bamboo
    # Commit to the repository with a user that doesn't exist in Bamboo (and not associated with any), the plan will run a build
    # This user will appear in many pages in Bamboo as the commit author (it will have a '<' and '>' in its name), you can find it in the build page under 'Commits' for example. Once found, click it

    *Expected Behavior*
    * Either some information about the user is shown or a message saying it doesn't exist in Bamboo

    *Actual Behavior*
    * An Internal Server Error Page is shown


    Root Cause Analysis

    1. java.lang.IllegalArgumentException

      Dangerous string detected: /builds//authors/viewAuthor.action?authorName=unknown <user@domain.com>

      at com.atlassian.bamboo.util.RequestCacheThreadLocal.assertNoXss()
    2. com.atlassian.bamboo
      RequestCacheThreadLocalFilter.doFilter
      1. com.atlassian.bamboo.util.RequestCacheThreadLocal.assertNoXss(RequestCacheThreadLocal.java:157)
      2. com.atlassian.bamboo.util.RequestCacheThreadLocal.putHttpRequest(RequestCacheThreadLocal.java:145)
      3. com.atlassian.bamboo.util.RequestCacheThreadLocal.setRequestCache(RequestCacheThreadLocal.java:53)
      4. com.atlassian.bamboo.filter.RequestCacheThreadLocalFilter.doFilter(RequestCacheThreadLocalFilter.java:31)
      4 frames
    3. Glassfish Core
      ApplicationFilterChain.doFilter
      1. org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235)
      2. org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
      2 frames
    4. com.atlassian.core
      HeaderSanitisingFilter.doFilter
      1. com.atlassian.core.filters.HeaderSanitisingFilter.doFilter(HeaderSanitisingFilter.java:32)
      1 frame
    5. Glassfish Core
      ApplicationFilterChain.doFilter
      1. org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235)
      2. org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
      2 frames
    6. com.atlassian.plugin
      DelegatingPluginFilter$1.doFilter
      1. com.atlassian.plugin.servlet.filter.IteratingFilterChain.doFilter(IteratingFilterChain.java:46)
      2. com.atlassian.plugin.servlet.filter.DelegatingPluginFilter$1.doFilter(DelegatingPluginFilter.java:70)
      2 frames