Merge branch 'master' into chore/remove-commons-lang-2.6

Author: alecharp

.github/workflows/announce-lts-rc.yml

@@ -17,7 +17,7 @@ jobs:
           discourse-author-username: jenkins-release-bot
           discourse-category: 23
       - name: Post on mailing list
-        uses: dawidd6/action-send-mail@6e71c855c9a091d80a519621b9fd3e8d252ca40c # v7
+        uses: dawidd6/action-send-mail@62a2d05b79935ad4fb90ce9079928099579c14ac # v9
         with:
           server_address: smtp.gmail.com
           server_port: 465

.stylelintrc.js

@@ -17,5 +17,6 @@ module.exports = {
     "number-max-precision": 5,
     "no-duplicate-selectors": null,
     "hue-degree-notation": "number",
+    "scss/operator-no-newline-after": null,
   },
 };

Jenkinsfile

@@ -71,7 +71,7 @@ axes.values().combinations {
     }
     int retryCount = 0
     retry(conditions: [kubernetesAgent(handleNonKubernetes: true), nonresumable()], count: 2) {
-      if (retryCount == 1 && platform == 'windows' ) {
+      if (retryCount == 1) {
         agentContainerLabel = agentContainerLabel + '-nonspot'
       }
       // Increment before allocating the node in case it fails

ath.sh

@@ -6,7 +6,7 @@ set -o xtrace
 cd "$(dirname "$0")"
 
 # https://github.com/jenkinsci/acceptance-test-harness/releases
-export ATH_VERSION=6535.v65db_170d2a_03
+export ATH_VERSION=6536.vedb_8c398315e
 
 if [[ $# -eq 0 ]]; then
 	export JDK=21

bom/pom.xml

@@ -41,7 +41,7 @@ THE SOFTWARE.
     <commons-fileupload2.version>2.0.0-M4</commons-fileupload2.version>
     <groovy.version>2.4.21</groovy.version>
     <jelly.version>1.1-jenkins-20250731</jelly.version>
-    <stapler.version>2065.v7db_c1fcf0a_d0</stapler.version>
+    <stapler.version>2074.v6ff4fa_fccff7</stapler.version>
   </properties>
 
   <dependencyManagement>
@@ -109,7 +109,7 @@ THE SOFTWARE.
       <dependency>
         <groupId>commons-codec</groupId>
         <artifactId>commons-codec</artifactId>
-        <version>1.20.0</version>
+        <version>1.21.0</version>
       </dependency>
       <dependency>
         <groupId>commons-collections</groupId>

cli/pom.xml

@@ -15,7 +15,7 @@
   <url>https://github.com/jenkinsci/jenkins</url>
 
   <properties>
-    <mina-sshd.version>2.16.0</mina-sshd.version>
+    <mina-sshd.version>2.17.1</mina-sshd.version>
     <!-- Filled in by jacoco-maven-plugin -->
     <jacocoSurefireArgs />
   </properties>

core/src/main/java/hudson/Functions.java

@@ -170,6 +170,7 @@
 import jenkins.model.details.Detail;
 import jenkins.model.details.DetailFactory;
 import jenkins.model.details.DetailGroup;
+import jenkins.telemetry.impl.PasswordMasking;
 import jenkins.util.SystemProperties;
 import org.apache.commons.jelly.JellyContext;
 import org.apache.commons.jelly.JellyTagException;
@@ -2256,32 +2257,64 @@ public String getPasswordValue(Object o) {
         if (o instanceof Secret || Secret.BLANK_NONSECRET_PASSWORD_FIELDS_WITHOUT_ITEM_CONFIGURE) {
             if (req != null) {
                 if (NON_RECURSIVE_PASSWORD_MASKING_PERMISSION_CHECK) {
+                    List<Ancestor> ancestors = req.getAncestors();
+                    String closestAncestor = ancestors.isEmpty() ? "unknown" :
+                        ancestors.getLast().getObject().getClass().getName();
+
                     Item item = req.findAncestorObject(Item.class);
                     if (item != null && !item.hasPermission(Item.CONFIGURE)) {
+                        PasswordMasking.recordMasking(
+                            item.getClass().getName(),
+                            closestAncestor,
+                            getJellyViewsInformationForCurrentRequest()
+                        );
                         return "********";
                     }
                     Computer computer = req.findAncestorObject(Computer.class);
                     if (computer != null && !computer.hasPermission(Computer.CONFIGURE)) {
+                        PasswordMasking.recordMasking(
+                            computer.getClass().getName(),
+                            closestAncestor,
+                            getJellyViewsInformationForCurrentRequest()
+                        );
                         return "********";
                     }
                 } else {
                     List<Ancestor> ancestors = req.getAncestors();
+                    String closestAncestor = ancestors.isEmpty() ? "unknown" :
+                        ancestors.getLast().getObject().getClass().getName();
+
                     for (Ancestor ancestor : Iterators.reverse(ancestors)) {
                         Object type = ancestor.getObject();
                         if (type instanceof Item item) {
                             if (!item.hasPermission(Item.CONFIGURE)) {
+                                PasswordMasking.recordMasking(
+                                    item.getClass().getName(),
+                                    closestAncestor,
+                                    getJellyViewsInformationForCurrentRequest()
+                                );
                                 return "********";
                             }
                             break;
                         }
                         if (type instanceof Computer computer) {
                             if (!computer.hasPermission(Computer.CONFIGURE)) {
+                                PasswordMasking.recordMasking(
+                                    computer.getClass().getName(),
+                                    closestAncestor,
+                                    getJellyViewsInformationForCurrentRequest()
+                                );
                                 return "********";
                             }
                             break;
                         }
                         if (type instanceof View view) {
                             if (!view.hasPermission(View.CONFIGURE)) {
+                                PasswordMasking.recordMasking(
+                                    view.getClass().getName(),
+                                    closestAncestor,
+                                    getJellyViewsInformationForCurrentRequest()
+                                );
                                 return "********";
                             }
                             break;

core/src/main/java/hudson/diagnosis/ReverseProxySetupMonitor.java

@@ -34,6 +34,7 @@
 import java.util.logging.Logger;
 import jenkins.model.Jenkins;
 import jenkins.security.stapler.StaplerDispatchable;
+import jenkins.util.ClientHttpRedirect;
 import org.jenkinsci.Symbol;
 import org.kohsuke.accmod.Restricted;
 import org.kohsuke.accmod.restrictions.DoNotUse;
@@ -127,7 +128,7 @@ public HttpResponse doAct(@QueryParameter String no) throws IOException {
             // of course the irony is that this redirect won't work
             return HttpResponses.redirectViaContextPath("/manage");
         } else {
-            return new HttpRedirect("https://www.jenkins.io/redirect/troubleshooting/broken-reverse-proxy");
+            return new ClientHttpRedirect("https://www.jenkins.io/redirect/troubleshooting/broken-reverse-proxy");
         }
     }
 

core/src/main/java/hudson/security/csrf/DefaultCrumbIssuer.java

@@ -24,15 +24,17 @@
 import java.util.logging.Logger;
 import jenkins.model.Jenkins;
 import jenkins.security.HexStringConfidentialKey;
+import jenkins.util.ClientHttpRedirect;
 import jenkins.util.SystemProperties;
 import net.sf.json.JSONObject;
 import org.jenkinsci.Symbol;
 import org.kohsuke.accmod.Restricted;
 import org.kohsuke.accmod.restrictions.NoExternalUse;
 import org.kohsuke.stapler.DataBoundConstructor;
+import org.kohsuke.stapler.HttpResponse;
+import org.kohsuke.stapler.HttpResponses;
 import org.kohsuke.stapler.QueryParameter;
 import org.kohsuke.stapler.StaplerRequest2;
-import org.kohsuke.stapler.StaplerResponse2;
 import org.kohsuke.stapler.verb.POST;
 import org.springframework.security.core.Authentication;
 
@@ -181,15 +183,14 @@ public String getDisplayName() {
         }
 
         @POST
-        public void doAct(StaplerRequest2 req, StaplerResponse2 rsp, @QueryParameter String learn, @QueryParameter String dismiss) throws IOException, ServletException {
+        public HttpResponse doAct(StaplerRequest2 req, @QueryParameter String learn, @QueryParameter String dismiss) throws IOException, ServletException {
             if (learn != null) {
-                rsp.sendRedirect("https://www.jenkins.io/redirect/csrf-protection/");
-                return;
+                return new ClientHttpRedirect("https://www.jenkins.io/redirect/csrf-protection/");
             }
             if (dismiss != null) {
                 disable(true);
             }
-            rsp.forwardToPreviousPage(req);
+            return HttpResponses.forwardToPreviousPage();
         }
     }
 

core/src/main/java/hudson/util/HttpResponses.java

@@ -31,6 +31,7 @@
 import java.io.IOException;
 import java.nio.charset.StandardCharsets;
 import java.util.Map;
+import jenkins.util.ClientHttpRedirect;
 import net.sf.json.JSONArray;
 import net.sf.json.JSONObject;
 import org.kohsuke.stapler.HttpResponse;
@@ -51,6 +52,16 @@ public static HttpResponse staticResource(File f) throws IOException {
         return staticResource(f.toURI().toURL());
     }
 
+    /**
+     * Redirect to the given URL via a client-side JS/meta tag redirect.
+     * @param url the URL to redirect to
+     * @return the HttpResponse
+     * @since TODO
+     */
+    public static HttpResponse clientRedirectTo(String url) {
+        return new ClientHttpRedirect(url);
+    }
+
     /**
      * Create an empty "ok" response.
      *