JENKINS-34753

Sec-170-related: gerrit-trigger needs to declare parameters

Description

Injecting arbitrary parameters is now forbidden, so the plugin should declare them to the jobs.
See https://wiki.jenkins-ci.org/display/SECURITY/Jenkins+Security+Advisory+2016-05-11

Major impacts:

• Undeclared vars are not present anymore
• Log flooding with the following (the list really contains all Gerrit Trigger vars):

A workaround is possible by setting system properties.

May 12, 2016 9:53:01 AM WARNING hudson.model.ParametersAction filter
Skipped parameter `GERRIT_EVENT_TYPE` as it is undefined on `ds-server test`. Set `-Dhudson.model.ParametersAction.keepUndefinedParameters`=true to allow undefined parameters to be injected as environment variables or `-Dhudson.model.ParametersAction.safeParameters=[comma-separated list]` to whitelist specific parameter names, even though it represents a security breach
May 12, 2016 9:53:01 AM WARNING hudson.model.ParametersAction filter
Skipped parameter `GERRIT_EVENT_HASH` as it is undefined on `ds-server test`. Set `-Dhudson.model.ParametersAction.keepUndefinedParameters`=true to allow undefined parameters to be injected as environment variables or `-Dhudson.model.ParametersAction.safeParameters=[comma-separated list]` to whitelist specific parameter names, even though it represents a security breach
May 12, 2016 9:53:01 AM WARNING hudson.model.ParametersAction filter
Skipped parameter `GERRIT_TOPIC` as it is undefined on `ds-server test`. Set `-Dhudson.model.ParametersAction.keepUndefinedParameters`=true to allow undefined parameters to be injected as environment variables or `-Dhudson.model.ParametersAction.safeParameters=[comma-separated list]` to whitelist specific parameter names, even though it represents a security breach
May 12, 2016 9:53:01 AM WARNING hudson.model.ParametersAction filter
Skipped parameter `GERRIT_CHANGE_NUMBER` as it is undefined on `ds-server test`. Set `-Dhudson.model.ParametersAction.keepUndefinedParameters`=true to allow undefined parameters to be injected as environment variables or `-Dhudson.model.ParametersAction.safeParameters=[comma-separated list]` to whitelist specific parameter names, even though it represents a security breach
May 12, 2016 9:53:01 AM WARNING hudson.model.ParametersAction filter
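The warning text above names two ways out: declare the parameters on the job (what this issue asks the plugin to do) or loosen the filter with a system property, where `safeParameters` is a per-name whitelist and `keepUndefinedParameters=true` re-enables injection of arbitrary parameters for every job. As an added example (not code from Jenkins, the Gerrit Trigger plugin, or anyone in this thread), the following Python script triages a Jenkins log for these warnings: it extracts the skipped parameter names per job, emits the config.xml `<hudson.model.ParametersDefinitionProperty>` fragment that declares them as string parameters on a freestyle job, and builds the narrow `safeParameters` value as an interim option. The sample log embeds the issue's four warning lines (trimmed after the job name) plus constructed lines for a repeated warning and a hypothetical second job, `example-job`, that uses `$GERRIT_PATCHSET_REVISION`.

```python
import re
from xml.sax.saxutils import escape

# Matches the warning the parameter filter logs for every dropped parameter
# (format taken from the log lines quoted in the issue).
SKIPPED_RE = re.compile(
    r"Skipped parameter `(?P<param>[^`]+)` as it is undefined on `(?P<job>[^`]+)`"
)

# Constructed sample: the four warnings quoted in the issue, shortened after
# the job name, followed by a repeated warning (to show de-duplication) and a
# warning for a hypothetical second job (to show per-job grouping).
SAMPLE_LOG = """\
May 12, 2016 9:53:01 AM WARNING hudson.model.ParametersAction filter
Skipped parameter `GERRIT_EVENT_TYPE` as it is undefined on `ds-server test`. Set ...
May 12, 2016 9:53:01 AM WARNING hudson.model.ParametersAction filter
Skipped parameter `GERRIT_EVENT_HASH` as it is undefined on `ds-server test`. Set ...
May 12, 2016 9:53:01 AM WARNING hudson.model.ParametersAction filter
Skipped parameter `GERRIT_TOPIC` as it is undefined on `ds-server test`. Set ...
May 12, 2016 9:53:01 AM WARNING hudson.model.ParametersAction filter
Skipped parameter `GERRIT_CHANGE_NUMBER` as it is undefined on `ds-server test`. Set ...
May 12, 2016 9:53:02 AM WARNING hudson.model.ParametersAction filter
Skipped parameter `GERRIT_EVENT_TYPE` as it is undefined on `ds-server test`. Set ...
May 12, 2016 9:53:02 AM WARNING hudson.model.ParametersAction filter
Skipped parameter `GERRIT_PATCHSET_REVISION` as it is undefined on `example-job`. Set ...
"""


def skipped_parameters(log_text):
    """Return {job name: [parameter names]} in first-seen order, without duplicates."""
    per_job = {}
    for match in SKIPPED_RE.finditer(log_text):
        params = per_job.setdefault(match.group("job"), [])
        if match.group("param") not in params:
            params.append(match.group("param"))
    return per_job


def parameter_definitions_xml(param_names, description="Injected by Gerrit Trigger"):
    """Build the config.xml fragment (goes under <properties>) that declares the
    given names as string parameters of a freestyle job. Declared parameters
    pass the filter, so this is the actual fix rather than a workaround."""
    lines = [
        "<hudson.model.ParametersDefinitionProperty>",
        "  <parameterDefinitions>",
    ]
    for name in param_names:
        lines += [
            "    <hudson.model.StringParameterDefinition>",
            "      <name>%s</name>" % escape(name),
            "      <description>%s</description>" % escape(description),
            "      <defaultValue></defaultValue>",
            "    </hudson.model.StringParameterDefinition>",
        ]
    lines += [
        "  </parameterDefinitions>",
        "</hudson.model.ParametersDefinitionProperty>",
    ]
    return "\n".join(lines)


def safe_parameters_property(param_names):
    """The narrower of the two workarounds named in the warning: whitelist only
    the names actually observed instead of keepUndefinedParameters=true, which
    would let any caller inject any parameter into every job again."""
    return "-Dhudson.model.ParametersAction.safeParameters=" + ",".join(param_names)


if __name__ == "__main__":
    per_job = skipped_parameters(SAMPLE_LOG)
    for job, params in per_job.items():
        print("# job %r needs these parameters declared:" % job)
        print(parameter_definitions_xml(params))
    all_params = sorted({p for ps in per_job.values() for p in ps})
    print("# interim JVM option until every job config is updated:")
    print(safe_parameters_property(all_params))
```

Run it against a real Jenkins log (`python triage.py < jenkins.log` after swapping `SAMPLE_LOG` for `sys.stdin.read()`) to get the exact set of names each job depends on; the whitelist is the smallest change that keeps builds working while the job definitions are fixed, and it can be dropped once the declared parameters are in place.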

Activity

Björn Pedersen (pedersen) added a comment -

Fix is released, so I think this can be closed. https://wiki.jenkins-ci.org/display/JENKINS/Gerrit+Trigger#GerritTrigger-Version2.21.1
James Ladan (jladan) added a comment -

            I (foolishly) updated to Jenkins 1.651.2 and Gerrit Trigger 2.21.1 yesterday and the problem is not resolved for 1.651.2.

            [separate issue] On top of that, after downgrading Jenkins back to 1.651.1, the 'retrigger' option was gone from our Gerrit monitor jobs, meaning I couldn't retrigger the jobs that failed due to the parameter declaration problem. I had to downgrade the Gerrit Trigger plugin back to 2.20.0 to get the retrigger option back.

Guillaume LAURENT (glaurent_ullink) added a comment -

We are moving from a POC, and just figured out that our jobs using $GERRIT_PATCHSET_REVISION were not working anymore.

Last Jenkins LTS 1.651.2 & last Gerrit Trigger plugin 2.21.1 too.
Guillaume LAURENT (glaurent_ullink) added a comment -

Sounds corrected with last 1.651.3!
rsandell added a comment -

Gerrit Trigger 2.21.1 with Jenkins >= 1.651.3 or Jenkins >= 2.6

People

Assignee: rsandell
Reporter: Björn Pedersen (pedersen)
Votes: 19
Watchers: 24