Bamboo groups API error if group name contains quotes (&quote; , %22 , " )

Hi 

I have an external Active Directory integration with groups that contain quotes in their names (example: che"ck), and since our last upgrade from version 6.10.2 to 8.0.0 we are having trouble editing plan permissions or viewing group details/members, because those requests use the /rest/api/latest/admin/groups/{name : (.+)?}/more-members?filter endpoint, which returns HTTP error code 400 - Bad Request.

I tried different Tomcat versions (from Tomcat 8.5.X to 9.0.X) with no success.

I also tried an empty Tomcat application locally and checked the http://localhost:8085/che"ck endpoint, which returned HTTP error 404 Not Found, so I don't think it's a Tomcat issue.

I also tried the Confluence API (7.13.0) with the same groups, with no problem at all.

Any suggestions?

2 answers

We found in our AD that (groups) SamAccountName values are missing single/double quotes.
So, we decided to switch "Group_Name" from AD CN to AD samAccountName in Bamboo CWD_GROUP table.
In addition, we tried to preserve CWD_GROUP.id in order to maintain existing permissions and prevent the creation of new groups.
We did the following steps:
1. We synced the samAccountName from AD to CWD_Group.Description.
2. We took a DB backup and created 3 temp tables from the below:
   a. CWD_GROUP --> CWD_GROUP_TMP
   b. CWD_MEMBERSHIP --> CWD_MEMBERSHIP_TMP
   c. ACL_ENTRY --> ACL_ENTRY_TMP
3. We switched between CWD_GROUP.group_name (also lower_group_name) and CWD_GROUP.description (AD.SamAccountName).
4. We updated cwd_membership.parent_name (and lower_parent_name) from the "new" CWD_GROUP.Group_Name.
5. We found that we also need to update cwd_membership.child_name (and lower_child_name) when the membership_type is "group_group".
6. We updated ACL_ENTRY.SID to the "new" Group_Names.
7. We edited the relevant directory (under "User Directory" --> "Group Schema Setting") and changed the map of "Group Name Attribute" from CN to SamAccountName and ran Full Sync.
Btw, the auto refresh of this page doesn't work.
The steps above seem to solve the problem.
But now when we are clicking on the group_name under Administration --> Groups, the value of Group_Name (SamAccountName) is obtained which is less clear than its display name (CN).
Therefore, in future versions consider presenting the group description (in our case - cn) in addition to the Group_Name.
Thanks in advance,
Shay
0 votes

Hello @Joshua Greenman

Can you share the full error message so we can understand it better?

Regards,

Eduardo Alvarenga
Atlassian Support APAC

Hello Eduardo,

The same error does not occur for users who have quotes in their name.

Looks like you're not encoding the group names.

In addition, when we try to remove those groups from plan permissions, we encounter the same error.

 

Thanks,

Shay

Hi @Eduardo Alvarenga

I tried to reproduce the problem with the latest Bamboo version, using the official Bamboo Docker image, but the results are the same.




Joshua


Hello @Joshua Greenman

This sounds like a good use for the STRICT_QUOTE_ESCAPING property.

That setting was deprecated on Tomcat 8. Instead, you need to add something like this to your <bamboo-install>/conf/web.xml under servlet class org.apache.jasper.servlet.JspServlet:

<init-param>
    <param-name>strictQuoteEscaping</param-name>
    <param-value>false</param-value>
</init-param>

Regards,

Eduardo Alvarenga
Atlassian Support APAC

Hello @Eduardo Alvarenga 

Thank you for answering me; unfortunately, it didn't help.



Hello @Joshua Greenman

Apologies for the unworking configuration. The following characters are considered "XSS_RELATED_CHARACTERS" and are banned from being used by requests.

[\"'<>\\\\]

I cannot explain at this stage how that worked on older versions of Bamboo. The source code relates to that protection since 2015. Maybe a JDK x Tomcat combination in an older release that got badly implemented.

 

Please refrain from using such characters on groups and usernames.

 

Kind regards,

 

Eduardo Alvarenga
Atlassian Support APAC 

Hello @Eduardo,

The same error does not occur for users who have quotes in their name.

Even when you click on Groups in the side menu and then type quotes in the search bar, you get a list of all the groups that have quotes in their name.

Groups—> Search—> “

https://bamboo_url/rest/api/latest/admin/groups?filter=%22&limit=100&start=100&_=xxxxxx

Request Method: Get

Status Code: 200

Can you please check how the following function is different and why the following URL does not work compared to the others above?

 /rest/api/latest/admin/groups/{name : (.+)?}/more-members?filter

In addition, when we try to remove those groups from plan permissions, we encounter the same error (Status Code: 400).

Can you guide us how to remove these problematic groups from plan permissions, directly from Oracle DB? 

Thanks,

Shay

Newer versions of Bamboo won't allow users with quotes to be created. You can explore the "acl_entry" table in the database to remove the access lists.

E.g. To find the ACLs of the ABC-DFG plan run the following SQL:

SELECT b.build_id,
       b.full_key,
       aoi.id,
       ae.*
FROM build b
JOIN acl_object_identity aoi
  ON b.build_id = aoi.object_id_identity
JOIN acl_entry ae
  ON ae.acl_object_identity = aoi.id
WHERE b.full_key = 'ABC-DFG'

For more complete queries please check the following KB:

It is highly advised to open a Support case with Atlassian in case you have more issues with your Bamboo instance. Please do not modify the database directly as it may break things. Have a full backup.

Regards,

Eduardo Alvarenga
Atlassian Support APAC


Hello @Eduardo Alvarenga

Thanks a lot for your answer.
Shay
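
A pre-flight check for the CN-to-sAMAccountName switch Shay describes, using the character class Eduardo quotes. This is an added example, not part of the thread and not Atlassian's code. The function name, the (CN, sAMAccountName) input shape and the sample groups are assumptions, and the case-insensitive collision test is assumed from the lower_group_name column mentioned in the thread.

```python
import re
from collections import defaultdict

# Character class quoted in the thread as XSS_RELATED_CHARACTERS: " ' < > \
BANNED = re.compile(r"""["'<>\\]""")


def preflight(groups):
    """Check a planned CN -> sAMAccountName rename before touching the database.

    groups: iterable of (cn, sam_account_name) pairs exported from the directory.
    Returns (affected, renames, problems):
      affected - CNs that currently contain a banned character
      renames  - {cn: new_name} for groups that can be switched safely
      problems - (cn, reason) pairs that need manual attention first
    """
    groups = list(groups)
    affected = [cn for cn, _ in groups if BANNED.search(cn)]
    by_lower, problems = defaultdict(list), []
    for cn, sam in groups:
        if not sam:
            problems.append((cn, "missing sAMAccountName"))
        elif BANNED.search(sam):
            problems.append((cn, "sAMAccountName contains a banned character"))
        else:
            by_lower[sam.lower()].append((cn, sam))
    renames = {}
    for lower, pairs in by_lower.items():
        if len(pairs) == 1:
            renames[pairs[0][0]] = pairs[0][1]
        else:  # two groups would end up with the same lower-cased name
            problems += [(cn, f"new name collides on {lower!r}") for cn, _ in pairs]
    return affected, renames, problems


# Constructed sample export; only che"ck comes from the thread.
SAMPLE = [
    ('che"ck', "check"),
    ("Build Admins", "build-admins"),
    ("dev's team", "devs"),
    ("ops<prod>", "ops'prod"),
    ("qa\\night", ""),
    ("Release", "Devs"),
]

if __name__ == "__main__":
    affected, renames, problems = preflight(SAMPLE)
    print("affected:", affected)
    print("renames:", renames)
    for cn, reason in problems:
        print("problem:", cn, "-", reason)
```

Groups that land in `problems` are the ones to resolve in the directory before changing the "Group Name Attribute" mapping and running the full sync.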
