
Fix stored XSS→RCE in OfflineCause.UserCause and auth bypass in RunParameterValue#4

Draft
Copilot wants to merge 4 commits intomasterfrom
copilot/fix-remote-code-execution-vulnerability

Conversation


Copilot AI commented Feb 18, 2026

Backports SECURITY-3669 and SECURITY-3658 fixes missing from this fork (upstream patched 2026-02-15, fork base is 2026-02-10).

SECURITY-3669: Stored XSS → RCE via OfflineCause.UserCause

UserCause.toString() and getMessage() rendered user-controlled offline messages without HTML escaping. Any user with Computer.DISCONNECT (granted to all authenticated users under "Logged-in users can do anything") can inject persistent XSS that fires when an admin views any node page, chaining to RCE via /script:

```http
POST /computer/(built-in)/toggleOffline
offlineMessage=<img src=x onerror="fetch('/script',{method:'POST',body:'script=...'})">
```

Fix: Wrap both methods with Util.escape():

```java
public String getMessage() {
    // Escape at the getter so every view that interpolates the message renders it as text.
    return Util.escape(message);
}

@Override
public String toString() {
    // super.toString() embeds the same user-controlled message, so escape it as well.
    return Util.escape(super.toString());
}
```

CVSS 8.8 — AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H

SECURITY-3658: Authorization bypass in RunParameterValue

RunParameterValue accepted arbitrary runId values without verifying the referenced run exists or is accessible. Users with Item.BUILD on one project could reference builds in projects they lack Item.READ on, leaking display names, URLs, and results via environment variables.

Fix: Added existence check via Run.fromExternalizableId() in constructor, which respects ACL. Escape hatch: -Dhudson.model.RunParameterValue.SKIP_EXISTENCE_CHECK=true.

Changes

  • OfflineCause.java — HTML-escape UserCause.toString() and getMessage()
  • RunParameterValue.java — Validate referenced run exists and is accessible at construction time
  • Updated OfflineCauseTest with XSS escaping assertions
  • Updated RunParameterValueTest to account for existence check; added RunParameterValueIntegrationTest with @WithJenkins

Warning

Firewall rules blocked me from connecting to one or more addresses

I tried to connect to the following addresses, but was blocked by firewall rules:

  • repo.jenkins-ci.org
    • Triggering command: /usr/lib/jvm/temurin-17-jdk-amd64/bin/java /usr/lib/jvm/temurin-17-jdk-amd64/bin/java --enable-native-access=ALL-UNNAMED -Xmx1400m -classpath /usr/share/apache-maven-3.9.12/boot/plexus-classworlds-2.9.0.jar -Dclassworlds.conf=/usr/share/apache-maven-3.9.12/bin/m2.conf -Dmaven.home=/usr/share/apache-maven-3.9.12 -Dlibrary.jansi.path=/usr/share/apache-maven-3.9.12/lib/jansi-native -Dmaven.multiModuleProjectDirectory=/home/REDACTED/work/jenkins/jenkins org.codehaus.plexus.classworlds.launcher.Launcher test -pl core -Dtest=hudson.slaves.OfflineCauseTest -DfailIfNoTests=false -q ic void doScriptsh java/jenkins/mod-c (dns block)
  • www.jenkins.io
    • Triggering command: /home/REDACTED/work/_temp/ghcca-node/node/bin/node /home/REDACTED/work/_temp/ghcca-node/node/bin/node --enable-source-maps /home/REDACTED/work/_temp/copilot-developer-action-main/dist/index.js (dns block)

If you need me to access, download, or install something from one of these locations, you can either:
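The SECURITY-3669 part of the description above, shown as an added, self-contained example that is not Jenkins code and not part of the PR: a minimal HTML escaper stands in for `hudson.Util.escape` (assumption: the characters covered here are the ones that matter for breaking out of a text node or attribute; the real method covers more), and a vulnerable `UserCause` shape is placed beside the fixed shape so the effect of escaping at the getter is visible on the PR's own payload (body elided as in the PR).

```java
// Added example, not part of Jenkins or of this PR. Demonstrates why UserCause.getMessage()
// and toString() must HTML-escape a user-controlled offline message before a view renders it.
public class OfflineMessageEscapeDemo {

    /** Minimal stand-in for hudson.Util.escape (assumption: same core characters). */
    static String escapeHtml(String s) {
        if (s == null) return null;
        StringBuilder sb = new StringBuilder(s.length() + 16);
        for (int i = 0; i < s.length(); i++) {
            char c = s.charAt(i);
            switch (c) {
                case '&':  sb.append("&amp;");  break;
                case '<':  sb.append("&lt;");   break;
                case '>':  sb.append("&gt;");   break;
                case '"':  sb.append("&quot;"); break;
                case '\'': sb.append("&#39;");  break;
                default:   sb.append(c);
            }
        }
        return sb.toString();
    }

    /** Vulnerable shape: the raw message is handed to views that interpolate it into HTML. */
    static class UnescapedUserCause {
        private final String message;
        UnescapedUserCause(String message) { this.message = message; }
        String getMessage() { return message; }
        @Override public String toString() { return "Disconnected by admin : " + message; }
    }

    /** Fixed shape mirroring the PR: escape in the getter and in toString(). */
    static class EscapedUserCause {
        private final String message;
        EscapedUserCause(String message) { this.message = message; }
        String getMessage() { return escapeHtml(message); }
        @Override public String toString() { return escapeHtml("Disconnected by admin : " + message); }
    }

    /** Review-time check on rendered output: a surviving '<' means markup reached the page. */
    static boolean containsRawMarkup(String rendered) {
        return rendered != null && rendered.indexOf('<') >= 0;
    }

    public static void main(String[] args) {
        // Constructed payload with the same shape as the PR's proof of concept, body elided.
        String payload = "<img src=x onerror=\"fetch('/script')\">";

        UnescapedUserCause before = new UnescapedUserCause(payload);
        EscapedUserCause after = new EscapedUserCause(payload);

        System.out.println("before getMessage(): " + before.getMessage()
                + " rawMarkup=" + containsRawMarkup(before.getMessage()));
        System.out.println("after  getMessage(): " + after.getMessage()
                + " rawMarkup=" + containsRawMarkup(after.getMessage()));
        System.out.println("before toString():   rawMarkup=" + containsRawMarkup(before.toString()));
        System.out.println("after  toString():   rawMarkup=" + containsRawMarkup(after.toString()));
    }
}
```

Escaping in the getter rather than in each Jelly view is the design choice the PR makes: any future view that renders the cause inherits the protection, at the cost that callers wanting the raw text for non-HTML contexts (logs, API) must be aware the value is already escaped.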
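The SECURITY-3658 part of the description above, as an added, self-contained example that is not Jenkins code and not part of the PR: the constructor-time existence check is modelled with a small `RunResolver` interface standing in for the ACL-aware `Run.fromExternalizableId()` (assumption: it returns null both when the run does not exist and when the caller lacks read access on its job), and the `-D...SKIP_EXISTENCE_CHECK` escape hatch is modelled with a system property of a hypothetical name read via `Boolean.getBoolean`.

```java
import java.util.Map;
import java.util.Set;

// Added example, not part of Jenkins or of this PR. Demonstrates validating a referenced
// run at parameter construction time so a build parameter cannot name a run the caller
// may not read, and an opt-out system property for environments that need the old behaviour.
public class RunReferenceCheckDemo {

    /** Stand-in for Run.fromExternalizableId(): null when missing or not readable (assumption). */
    interface RunResolver { String resolve(String runId); }

    /** Hypothetical property name mirroring the PR's escape hatch; not the real Jenkins key. */
    static final String SKIP_PROPERTY = "demo.RunParameterValue.SKIP_EXISTENCE_CHECK";

    /** Parameter value that refuses to be constructed for a run the caller cannot see. */
    static class RunParameter {
        final String runId;
        RunParameter(String runId, RunResolver resolver) {
            if (!Boolean.getBoolean(SKIP_PROPERTY) && resolver.resolve(runId) == null) {
                // Same message for "does not exist" and "not readable" so the
                // error itself does not leak which of the two applies.
                throw new IllegalArgumentException("Run " + runId + " does not exist or is not accessible");
            }
            this.runId = runId;
        }
    }

    /** Toy resolver: run id -> owning job, filtered by the jobs the current caller may read. */
    static RunResolver resolver(Map<String, String> runsToJobs, Set<String> readableJobs) {
        return id -> {
            String job = runsToJobs.get(id);
            return (job != null && readableJobs.contains(job)) ? job : null;
        };
    }

    /** True if constructing the parameter succeeds for this caller. */
    static boolean accepted(String runId, RunResolver r) {
        try {
            new RunParameter(runId, r);
            return true;
        } catch (IllegalArgumentException e) {
            return false;
        }
    }

    public static void main(String[] args) {
        // Constructed data using the "job#number" shape of Jenkins externalizable ids (assumption).
        Map<String, String> runs = Map.of(
                "public-job#7", "public-job",
                "secret-job#3", "secret-job");
        RunResolver asLimitedUser = resolver(runs, Set.of("public-job"));

        System.out.println("readable run:   " + accepted("public-job#7", asLimitedUser));
        System.out.println("unreadable run: " + accepted("secret-job#3", asLimitedUser));
        System.out.println("missing run:    " + accepted("nope#1", asLimitedUser));

        // With the escape hatch set, the check is bypassed and every id is accepted again,
        // which is exactly the behaviour the PR removes by default.
        System.setProperty(SKIP_PROPERTY, "true");
        System.out.println("escape hatch:   " + accepted("secret-job#3", asLimitedUser));
    }
}
```

Doing the lookup in the constructor means the check runs for every path that creates the value (UI form, REST, CLI, pipeline), not only the one handler that was noticed; the cost is that deserialising stored parameter values on startup now also consults the ACL, which is why the PR's integration test runs with a full Jenkins instance.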


Copilot AI changed the title from "[WIP] Fix critical remote code execution vulnerability" to "Fix stored XSS→RCE in OfflineCause.UserCause and auth bypass in RunParameterValue" on Feb 18, 2026
Copilot AI requested a review from DominicBreuker February 18, 2026 15:36