Add CSP-compliant variant of undocumented validateButton script feature (#20345)

daniel-beck · web-flow · commit d902c897f9a4 · 2025-11-27T18:36:38.000-07:00
* Add CSP-compliant variant of undocumented validateButton script feature

* Prettier / eslint

* Use Function.prototype.apply() as hopefulle HTMLUnit compatible alternative

---------

Co-authored-by: Daniel Beck &lt;daniel-beck@users.noreply.github.com&gt;
diff --git a/core/src/main/java/jenkins/security/ApiTokenProperty.java b/core/src/main/java/jenkins/security/ApiTokenProperty.java
@@ -560,7 +560,7 @@ public HttpResponse doChangeToken(@AncestorInPath User u, StaplerResponse rsp) t
                 p.changeApiToken();
             }
 
-            rsp.setHeader("script", "document.getElementById('apiToken').value='" + p.getApiToken() + "'");
+            rsp.setHeader("X-Jenkins-ValidateButton-Callback", "{\"callback\":\"changeTokenCallback\",\"arguments\":[\"" + p.getApiTokenInsecure() + "\"]}");
             return HttpResponses.html(p.hasPermissionToSeeToken()
                     ? Messages.ApiTokenProperty_ChangeToken_Success()
                     : Messages.ApiTokenProperty_ChangeToken_SuccessHidden());
diff --git a/core/src/main/resources/jenkins/security/ApiTokenProperty/resources.js b/core/src/main/resources/jenkins/security/ApiTokenProperty/resources.js
@@ -32,6 +32,11 @@ Behaviour.specify(
   },
 );
 
+// eslint-disable-next-line no-unused-vars
+function changeTokenCallback(newValue) {
+  document.getElementById("apiToken").value = newValue;
+}
+
 function revokeToken(anchorRevoke) {
   const tokenRow = anchorRevoke.closest(".token-card");
   const confirmMessage = anchorRevoke.getAttribute("data-confirm");
diff --git a/war/src/main/webapp/scripts/hudson-behavior.js b/war/src/main/webapp/scripts/hudson-behavior.js
@@ -2636,6 +2636,16 @@ function validateButton(checkUrl, paramList, button) {
       target.innerHTML = `<div class="validation-error-area" />`;
       updateValidationArea(target.children[0], responseText);
       layoutUpdateCallback.call();
+      let json = rsp.headers.get("X-Jenkins-ValidateButton-Callback");
+      if (json != null) {
+        let callInfo = JSON.parse(json);
+        let callback = callInfo["callback"];
+        let args = callInfo["arguments"];
+        if (window[callback] && typeof window[callback] === "function") {
+          window[callback].apply(window, args);
+        }
+      }
+
       var s = rsp.headers.get("script");
       try {
         geval(s);

Original file line number	Diff line number	Diff line change
`@@ -560,7 +560,7 @@ public HttpResponse doChangeToken(@AncestorInPath User u, StaplerResponse rsp) t`
`560`	`560`	`p.changeApiToken();`
`561`	`561`	`}`
`562`	`562`
`563`		`- rsp.setHeader("script", "document.getElementById('apiToken').value='" + p.getApiToken() + "'");`
	`563`	`+ rsp.setHeader("X-Jenkins-ValidateButton-Callback", "{\"callback\":\"changeTokenCallback\",\"arguments\":[\"" + p.getApiTokenInsecure() + "\"]}");`
`564`	`564`	`return HttpResponses.html(p.hasPermissionToSeeToken()`
`565`	`565`	`? Messages.ApiTokenProperty_ChangeToken_Success()`
`566`	`566`	`: Messages.ApiTokenProperty_ChangeToken_SuccessHidden());`