Hi
I have an external Active Directory integration with groups that contain quotes in their name (example: che"ck), and since our last upgrade from version 6.10.2 to 8.0.0 we are having trouble editing plan permissions or viewing group details/members, because those requests use the /rest/api/latest/admin/groups/{name : (.+)?}/more-members?filter endpoint, which returns HTTP error code 400 - Bad Request.
I tried different Tomcat versions (from Tomcat 8.5.X to 9.0.X) with no success.
I also tried an empty Tomcat application locally and checked the http://localhost:8085/che"ck endpoint, which returned HTTP error 404 Not Found, so I don't think it's a Tomcat issue.
I also tried the Confluence API (7.13.0) with the same groups with no problem at all.
Any suggestions?
Hello @Joshua Greenman
Can you share the full error message so we can understand it better?
Regards,
Eduardo Alvarenga
Atlassian Support APAC
I tried to reproduce the problem with the latest Bamboo version using the official Bamboo Docker image, but the results are the same.
Joshua
Hello @Joshua Greenman
This sounds like a good use for the STRICT_QUOTE_ESCAPING property.
That setting was deprecated on Tomcat 8. Instead, you need to add something like this to your <bamboo-install>/conf/web.xml under servlet class org.apache.jasper.servlet.JspServlet:
    <init-param>
        <param-name>strictQuoteEscaping</param-name>
        <param-value>false</param-value>
    </init-param>
Regards,
Eduardo Alvarenga
Atlassian Support APAC
Hello @Joshua Greenman
Apologies for the unworking configuration. The following characters are considered "XSS_RELATED_CHARACTERS" and are banned from being used by requests.
[\"'<>\\\\]
I cannot explain at this stage how that worked on older versions of Bamboo. The source code relates to that protection since 2015. Maybe a JDK x Tomcat combination in an older release that got badly implemented.
Please refrain from using such characters on groups and usernames.
Kind regards,
Eduardo Alvarenga
Atlassian Support APAC
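An added example, not part of the original thread and not Atlassian's code: a small Python audit that flags directory group names containing any character from the class quoted in the reply above, so affected groups can be identified and renamed. The function names and the sample group names are constructed for illustration.

```python
import re

# Character class quoted in the reply above. The page shows it as the Java
# string literal [\"'<>\\\\], which is the regex ["'<>\\]: double quote,
# single quote, angle brackets and backslash.
XSS_RELATED_CHARACTERS = re.compile(r"""["'<>\\]""")


def find_banned(name):
    """Return (index, char) for every banned character in a name."""
    return [(m.start(), m.group()) for m in XSS_RELATED_CHARACTERS.finditer(name)]


def audit(names):
    """Map each affected name to its banned characters; clean names are omitted."""
    report = {}
    for name in names:
        hits = find_banned(name)
        if hits:
            report[name] = hits
    return report


# Constructed sample input: group names as they might be exported from the directory.
SAMPLE_GROUPS = ['che"ck', "bamboo-admins", "dev<ops>", "o'brien-team", "corp\\build"]

if __name__ == "__main__":
    for name, hits in audit(SAMPLE_GROUPS).items():
        chars = ", ".join(f"{c!r} at {i}" for i, c in hits)
        print(f"{name!r}: {chars}")
```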
Hello @Eduardo,
The same error does not occur for users who have quotes in their name.
Even when you click on Groups in the side menu and then type quotes in the search bar, you get a list of all the groups that have quotes in their name.
Groups—> Search—> “
https://bamboo_url/rest/api/latest/admin/groups?filter=%22&limit=100&start=100&_=xxxxxx
Request Method: Get
Status Code: 200
Can you please check how the following function is different and why the following URL does not work compared to the others above?
/rest/api/latest/admin/groups/{name : (.+)?}/more-members?filter
In addition, when we try to remove those groups from plan permissions, we encounter the same error (Status Code: 400).
Can you guide us how to remove these problematic groups from plan permissions, directly from Oracle DB?
Thanks,
Shay
Newer versions of Bamboo won't allow users with quotes to be created. You can explore the "acl_entry" table in the database to remove the access lists.
E.g. To find the ACLs of the ABC-DFG plan run the following SQL:
    SELECT b.build_id,
           b.full_key,
           aoi.id,
           ae.*
    FROM build b
    JOIN acl_object_identity aoi
      ON b.build_id = aoi.object_id_identity
    JOIN acl_entry ae
      ON ae.acl_object_identity = aoi.id
    WHERE b.full_key = 'ABC-DFG'
For more complete queries please check the following KB:
It is highly advised to open a Support case with Atlassian in case you have more issues with your Bamboo instance. Please do not modify the database directly as it may break things. Have a full backup.
Regards,
Eduardo Alvarenga
Atlassian Support APAC
Hello @Eduardo Alvarenga