Bamboo groups API error if group name contains quotes (&quot;, %22, ")

Joshua Greenman May 1, 2022

Hi 

I have an external Active Directory integration with groups that contain quotes in their name (example: che"ck), and since our last upgrade from version 6.10.2 to 8.0.0 we have trouble editing plan permissions or viewing group details/members, because those requests use the /rest/api/latest/admin/groups/{name : (.+)?}/more-members?filter endpoint, which returns HTTP error code 400 - Bad Request.

I tried different Tomcat versions (from Tomcat 8.5.X to 9.0.X) with no success.

I also tried an empty Tomcat application locally and checked the http://localhost:8085/che"ck endpoint, which returned HTTP error 404 Not Found, so I don't think it's a Tomcat issue.

I also tried the Confluence API (7.13.0) with the same groups, with no problem at all.

Any suggestions?

2 answers

0 votes
Shay June 11, 2022
We found in our AD that (groups) SamAccountName values are missing single/double quotes.
So, we decided to switch "Group_Name" from AD CN to AD samAccountName in Bamboo CWD_GROUP table.
In addition, we tried to preserve CWD_GROUP.id in order to maintain existing permissions and prevent the creation of new groups.
We did the following steps:
1. We synced the samAccountName from AD to CWD_Group.Description.
2. We took a DB backup and created 3 temp tables from the below:
   a. CWD_GROUP --> CWD_GROUP_TMP
   b. CWD_MEMBERSHIP --> CWD_MEMBERSHIP_TMP
   c. ACL_ENTRY --> ACL_ENTRY_TMP
3. We switched between CWD_GROUP.group_name (also lower_group_name) and CWD_GROUP.description (AD.SamAccountName).
4. We updated cwd_membership.parent_name (and lower_parent_name) from the "new" CWD_GROUP.Group_Name.
5. We found that we also need to update cwd_membership.child_name (and lower_child_name) when the membership_type is "group_group".
6. We updated ACL_ENTRY.SID to the "new" Group_Names.
7. We edited the relevant directory (under "User Directory" --> "Group Schema Setting") and changed the map of "Group Name Attribute" from CN to SamAccountName and ran Full Sync.
Btw, the auto refresh of this page doesn't work.
The steps above seem to solve the problem.
But now when we are clicking on the group_name under Administration --> Groups, the value of Group_Name (SamAccountName) is obtained which is less clear than its display name (CN).
Therefore, in future versions consider presenting the group description (in our case - cn) in addition to the Group_Name.
Thanks in advance,
Shay
0 votes
Eduardo Alvarenga
Atlassian Team
Atlassian Team members are employees working across the company in a wide variety of roles.
May 1, 2022

Hello @Joshua Greenman

Can you share the full error message so we can understand it better?

Regards,

Eduardo Alvarenga
Atlassian Support APAC

Shay May 3, 2022

Hello Eduardo,

The same error does not occur for users who have quotes in their name.

Looks like you're not encoding the group names.

In addition, when we try to remove those groups from plan permissions, we encounter the same error.

 

Thanks,

Shay

Joshua Greenman May 3, 2022

hi @Eduardo Alvarenga 

I tried to reproduce the problem with the latest Bamboo version using the official Bamboo Docker image, but the results are the same.


[Image: Screenshot.png]

[Image: Screenshot-podman.png]


Joshua

Eduardo Alvarenga
Atlassian Team
May 4, 2022

Hello @Joshua Greenman

This sounds like a good use for the STRICT_QUOTE_ESCAPING property.

That setting was deprecated on Tomcat 8. Instead, you need to add something like this to your <bamboo-install>/conf/web.xml under servlet class org.apache.jasper.servlet.JspServlet:

    <init-param>
        <param-name>strictQuoteEscaping</param-name>
        <param-value>false</param-value>
    </init-param>

Regards,

Eduardo Alvarenga
Atlassian Support APAC

Joshua Greenman May 4, 2022

Hello @Eduardo Alvarenga 

Thank you for answering me; unfortunately it didn't help.


[Image: screenshot.png]

Eduardo Alvarenga
Atlassian Team
May 4, 2022

Hello @Joshua Greenman

Apologies for the non-working configuration. The following characters are considered "XSS_RELATED_CHARACTERS" and are banned from being used in requests.

[\"'<>\\\\]

I cannot explain at this stage how that worked on older versions of Bamboo. The source code relates to that protection since 2015. Maybe a JDK x Tomcat combination in an older release that got badly implemented.

 

Please refrain from using such characters on groups and usernames.

 

Kind regards,

 

Eduardo Alvarenga
Atlassian Support APAC 
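A pre-upgrade check built around the character class Eduardo quotes. This is an added example for this page, not Atlassian's code; the group names are constructed, and the path it builds is the more-members endpoint from the question with the group name percent-encoded as a single segment, which is what a well-behaved client would send. Running it over the directory's group list before an upgrade tells an admin which groups will hit the filter.

```python
import re
from urllib.parse import quote

# The character class quoted in the reply above as Bamboo's
# "XSS_RELATED_CHARACTERS": double quote, single quote, <, >, backslash.
XSS_RELATED_CHARACTERS = re.compile(r'[\"\'<>\\]')

# Constructed sample of group names as they might come from AD (not real data).
SAMPLE_GROUPS = [
    "developers",
    'che"ck',            # the example from the question
    "it's-ops",
    "<admins>",
    "dom\\builders",
    "release_managers",
]


def find_banned(names):
    """Return {name: sorted list of offending characters} for every name
    that contains at least one XSS_RELATED_CHARACTERS character."""
    result = {}
    for name in names:
        hits = sorted(set(XSS_RELATED_CHARACTERS.findall(name)))
        if hits:
            result[name] = hits
    return result


def more_members_path(name):
    """Path the Bamboo UI requests for group details (from the question),
    with the group name percent-encoded as one path segment.
    safe='' makes quote() encode '/' as well, so a name cannot add segments."""
    return "/rest/api/latest/admin/groups/" + quote(name, safe="") + "/more-members"


def audit_report(names):
    """Human-readable lines for a pre-upgrade check of directory group names."""
    banned = find_banned(names)
    lines = []
    for name in names:
        if name in banned:
            chars = " ".join(repr(c) for c in banned[name])
            lines.append(f"REJECT  {name!r:20} contains {chars} -> {more_members_path(name)}")
        else:
            lines.append(f"ok      {name!r:20} -> {more_members_path(name)}")
    return lines


if __name__ == "__main__":
    print("\n".join(audit_report(SAMPLE_GROUPS)))
```

The audit only reports names; it does not try to guess how Bamboo decodes the path before applying the filter, since the thread does not say. Feed it the output of your directory's group export and keep the REJECT lines as the list to rename before upgrading.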

Shay May 10, 2022

Hello @Eduardo,

The same error does not occur for users who have quotes in their name.

Even when you click on Groups in the side menu and then type quotes in the search bar, you get a list of all the groups that have quotes in their name.

Groups --> Search --> "

https://bamboo_url/rest/api/latest/admin/groups?filter=%22&limit=100&start=100&_=xxxxxx

Request Method: GET

Status Code: 200

Can you please check how the following function is different and why the following URL does not work compared to the others above?

 /rest/api/latest/admin/groups/{name : (.+)?}/more-members?filter

In addition, when we try to remove those groups from plan permissions, we encounter the same error (Status Code: 400).

Can you guide us how to remove these problematic groups from plan permissions, directly from Oracle DB? 

Thanks,

Shay

Eduardo Alvarenga
Atlassian Team
May 10, 2022

Newer versions of Bamboo won't allow users with quotes to be created. You can explore the "acl_entry" table in the database to remove the access lists.

E.g. To find the ACLs of the ABC-DFG plan run the following SQL:

SELECT b.build_id,
b.full_key,
aoi.id,
ae.*
FROM build b
JOIN acl_object_identity aoi
ON b.build_id = aoi.object_id_identity
JOIN acl_entry ae
ON ae.acl_object_identity = aoi.id
WHERE b.full_key = 'ABC-DFG'

For more complete queries please check the following KB:

It is highly advised to open a Support case with Atlassian in case you have more issues with your Bamboo instance. Please do not modify the database directly as it may break things. Have a full backup.

Regards,

Eduardo Alvarenga
Atlassian Support APAC

Shay June 6, 2022

Hello @Eduardo Alvarenga

Thanks a lot for your answer.
We found in our AD that (groups) SamAccountName values are missing single/double quotes.
So, we decided to switch "Group_Name" from AD CN to AD samAccountName in Bamboo CWD_GROUP table.
In addition, we tried to preserve CWD_GROUP.id in order to maintain existing permissions and prevent the creation of new groups.
We did the following steps:
1. We synced the samAccountName from AD to CWD_Group.Description.
2. We took a DB backup and created 3 temp tables from the below:
   a. CWD_GROUP --> CWD_GROUP_TMP
   b. CWD_MEMBERSHIP --> CWD_MEMBERSHIP_TMP
   c. ACL_ENTRY --> ACL_ENTRY_TMP
3. We switched between CWD_GROUP.group_name (also lower_group_name) and CWD_GROUP.description (AD.SamAccountName).
4. We updated cwd_membership.parent_name (and lower_parent_name) from the "new" CWD_GROUP.Group_Name.
5. We found that we also need to update cwd_membership.child_name (and lower_child_name) when the membership_type is "group_group".
6. We updated ACL_ENTRY.SID to the "new" Group_Names.
7. We edited the relevant directory (under "User Directory" --> "Group Schema Setting") and changed the map of "Group Name Attribute" from CN to SamAccountName and ran Full Sync.
Btw, the auto refresh of this page doesn't work.
The steps above seem to solve the problem.
But now when we are clicking on the group_name under Administration --> Groups, the value of Group_Name (SamAccountName) is obtained which is less clear than its display name (CN).
Therefore, in future versions consider presenting the group description (in our case - cn) in addition to the Group_Name.
Thanks in advance,
Shay
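The rename procedure Shay describes (steps 2 to 6, in both of the posts above), run against a constructed in-memory SQLite copy of the three tables. This is an added example written for this page, not Bamboo's schema or Atlassian's code: only the columns named in the thread are modelled, the rows are made up, and the backup table cwd_group_tmp doubles as the old-name-to-id lookup. It reproduces the step 5 pitfall (a group that is itself a child in a group_group membership) and checks afterwards that no banned character remains anywhere a group is keyed by name.

```python
import re
import sqlite3

# Characters Bamboo rejects in request paths, as quoted earlier in the thread.
BANNED = re.compile(r'[\"\'<>\\]')

# Constructed, cut-down copies of the tables named in the steps. Only the
# columns the steps touch are modelled; the real Bamboo schema has more.
SCHEMA = """
CREATE TABLE cwd_group (
    id INTEGER PRIMARY KEY, group_name TEXT, lower_group_name TEXT, description TEXT);
CREATE TABLE cwd_membership (
    id INTEGER PRIMARY KEY, parent_name TEXT, lower_parent_name TEXT,
    child_name TEXT, lower_child_name TEXT, membership_type TEXT);
CREATE TABLE acl_entry (id INTEGER PRIMARY KEY, sid TEXT);
"""


def build_sample_db():
    """State after step 1: group_name holds the AD CN (with quotes) and
    description already holds the sAMAccountName synced from AD."""
    con = sqlite3.connect(":memory:")
    con.executescript(SCHEMA)
    con.executemany("INSERT INTO cwd_group VALUES (?,?,?,?)", [
        (10, 'che"ck', 'che"ck', "check-grp"),
        (11, "Dev Team", "dev team", "dev-team"),
    ])
    con.executemany("INSERT INTO cwd_membership VALUES (?,?,?,?,?,?)", [
        (1, 'che"ck', 'che"ck', "alice", "alice", "GROUP_USER"),
        # nested group: che"ck is a child of Dev Team (step 5 must fix child_name)
        (2, "Dev Team", "dev team", 'che"ck', 'che"ck', "GROUP_GROUP"),
    ])
    con.executemany("INSERT INTO acl_entry VALUES (?,?)",
                    [(100, 'che"ck'), (101, "Dev Team")])
    con.commit()
    return con


def _new_name_for(old_col):
    # Correlated subquery: take the old name found in `old_col`, look it up in
    # the backup table, and return the new group_name on the same cwd_group.id.
    # Joining on id rather than name keeps the rename safe if a new name
    # happens to equal some other group's old name.
    return ("(SELECT g.group_name FROM cwd_group g JOIN cwd_group_tmp o ON o.id = g.id "
            f"WHERE o.group_name = {old_col})")


def rename_groups_to_description(con):
    """Steps 2 to 6 from the thread; cwd_group.id is never touched."""
    cur = con.cursor()
    # 2. backup copies (cwd_group_tmp is also the old-name -> id lookup below)
    for table in ("cwd_group", "cwd_membership", "acl_entry"):
        cur.execute(f"CREATE TABLE {table}_tmp AS SELECT * FROM {table}")
    # 3. swap group_name/description; SQL evaluates the right-hand sides
    #    against the pre-update row, so this is a true swap
    cur.execute("UPDATE cwd_group SET group_name = description, "
                "lower_group_name = lower(description), description = group_name")
    # 4. memberships where the renamed group is the parent
    col = "cwd_membership.parent_name"
    cur.execute(f"UPDATE cwd_membership SET parent_name = {_new_name_for(col)}, "
                f"lower_parent_name = lower({_new_name_for(col)}) "
                "WHERE parent_name IN (SELECT group_name FROM cwd_group_tmp)")
    # 5. group-in-group memberships where the renamed group is the child
    col = "cwd_membership.child_name"
    cur.execute(f"UPDATE cwd_membership SET child_name = {_new_name_for(col)}, "
                f"lower_child_name = lower({_new_name_for(col)}) "
                "WHERE upper(membership_type) = 'GROUP_GROUP' "
                "AND child_name IN (SELECT group_name FROM cwd_group_tmp)")
    # 6. ACL entries keyed by the group name
    col = "acl_entry.sid"
    cur.execute(f"UPDATE acl_entry SET sid = {_new_name_for(col)} "
                "WHERE sid IN (SELECT group_name FROM cwd_group_tmp)")
    con.commit()


def snapshot(con):
    """Sorted rows of the three live tables, for before/after comparison."""
    return {t: sorted(con.execute(f"SELECT * FROM {t}"))
            for t in ("cwd_group", "cwd_membership", "acl_entry")}


def remaining_banned(con):
    """Group names still carrying a banned character anywhere they are keyed."""
    rows = con.execute(
        "SELECT group_name FROM cwd_group "
        "UNION SELECT parent_name FROM cwd_membership "
        "UNION SELECT child_name FROM cwd_membership WHERE upper(membership_type) = 'GROUP_GROUP' "
        "UNION SELECT sid FROM acl_entry")
    return sorted(v for (v,) in rows if BANNED.search(v))


if __name__ == "__main__":
    con = build_sample_db()
    print("before:", remaining_banned(con))
    rename_groups_to_description(con)
    print("after: ", remaining_banned(con))
    for table, rows in snapshot(con).items():
        print(table, rows)
```

The design point is the join on id in _new_name_for: mapping old name to new name by id through the backup table means every dependent row is rewritten from the same source of truth, and a second run is harmless because the old names no longer match anything. On a real instance this is the kind of change Eduardo advises doing only with a full backup and ideally through a support case; the in-memory copy here exists so the steps can be rehearsed and checked before touching production.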
