JENKINS-34762

PR status cannot be updated due to filtered parameters


      Description

      The fix for SECURITY-170 as described in this blog post means that Jenkins core filters out any parameters used that were not defined in the job:
      https://jenkins.io/blog/2016/05/11/security-update/

      Since GHPRB defines lots of parameters at runtime, and then later tries to access them, a bunch of functionality in the plugin fails.

      For example, at the end of a PR build, the plugin tries to read the PR ID so that it can update it on GitHub — but because the ghprbPullId parameter gets filtered out, the plugin fails to determine the PR ID.

      May 12, 2016 12:35:13 PM hudson.model.ParametersAction filter
      WARNING: Skipped parameter `ghprbPullId ` as it is undefined on `pr-test-job`. Set `-Dhudson.model.ParametersAction.keepUndefinedParameters`=true to allow undefined parameters to be injected as environment variables or `-Dhudson.model.ParametersAction.safeParameters=[comma-separated list]` to whitelist specific parameter names, even though it represents a security breach
      May 12, 2016 12:35:13 PM hudson.model.listeners.RunListener report
      WARNING: RunListener failed
      java.lang.NumberFormatException: null
              at java.lang.Integer.parseInt(Integer.java:542)
              at java.lang.Integer.parseInt(Integer.java:615)
              at org.jenkinsci.plugins.ghprb.extensions.status.GhprbSimpleStatus.createCommitStatus(GhprbSimpleStatus.java:220)
              at org.jenkinsci.plugins.ghprb.extensions.status.GhprbSimpleStatus.onBuildComplete(GhprbSimpleStatus.java:208)
              at org.jenkinsci.plugins.ghprb.GhprbBuilds.onCompleted(GhprbBuilds.java:192)
              at org.jenkinsci.plugins.ghprb.GhprbBuildListener.onCompleted(GhprbBuildListener.java:32)
              at org.jenkinsci.plugins.ghprb.GhprbBuildListener.onCompleted(GhprbBuildListener.java:17)
              at hudson.model.listeners.RunListener.fireCompleted(RunListener.java:202)
              at hudson.model.Run.execute(Run.java:1783)
              at hudson.model.FreeStyleBuild.run(FreeStyleBuild.java:43)
              at hudson.model.ResourceController.execute(ResourceController.java:98)
              at hudson.model.Executor.run(Executor.java:410)
      

      Presumably this plugin should define its own Action class to store this information, rather than relying on these parameters to be exported into the environment during a build.
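
An added example, not part of the original report and not code from Jenkins or the GHPRB plugin: an audit script for the ParametersAction warning quoted in the log above. It lists which parameters the SECURITY-170 filter dropped for each job and separates names matching a reviewer-supplied prefix list from names that need investigation before anything is put into safeParameters. The sample log lines, the DEPLOY_TARGET and nightly-deploy names, and the prefix list are constructed for illustration.

```python
import re
from collections import defaultdict

# Matches the ParametersAction warning quoted in the issue description.
SKIPPED = re.compile(
    r"WARNING: Skipped parameter `(?P<param>[^`]*)` "
    r"as it is undefined on `(?P<job>[^`]*)`"
)

# Constructed sample log, modelled on the excerpt in the description.
SAMPLE_LOG = """\
May 12, 2016 12:35:13 PM hudson.model.ParametersAction filter
WARNING: Skipped parameter `ghprbPullId ` as it is undefined on `pr-test-job`. Set ...
May 12, 2016 12:35:13 PM hudson.model.listeners.RunListener report
WARNING: RunListener failed
May 12, 2016 12:36:02 PM hudson.model.ParametersAction filter
WARNING: Skipped parameter `ghprbActualCommit` as it is undefined on `pr-test-job`. Set ...
May 12, 2016 12:40:45 PM hudson.model.ParametersAction filter
WARNING: Skipped parameter `DEPLOY_TARGET` as it is undefined on `nightly-deploy`. Set ...
"""


def skipped_parameters(log_text):
    """Return {job: sorted parameter names} dropped by the filter."""
    dropped = defaultdict(set)
    for line in log_text.splitlines():
        m = SKIPPED.search(line)
        if m:
            # Names are logged between backticks; strip stray whitespace.
            dropped[m.group("job").strip()].add(m.group("param").strip())
    return {job: sorted(names) for job, names in dropped.items()}


def review_list(dropped, trusted_prefixes):
    """Split dropped names into (recognised, needs_investigation).

    trusted_prefixes is the reviewer's own list (an assumption of this
    example), e.g. ("ghprb",) for names injected by the GHPRB plugin.
    """
    prefixes = tuple(trusted_prefixes)
    known, unknown = set(), set()
    for names in dropped.values():
        for name in names:
            (known if name.startswith(prefixes) else unknown).add(name)
    return sorted(known), sorted(unknown)


def safe_parameters_flag(names):
    """Build the explicit-allowlist JVM option named in the warning."""
    return ("-Dhudson.model.ParametersAction.safeParameters="
            + ",".join(sorted(names)))
```

Only the reviewed names go into the allowlist; anything in the second list is a parameter some caller tried to inject that no job defines and should be traced to its source first.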

            Activity

            wosc Wolfgang Schnerring added a comment -

            Christopher Orr Sorry about my brevity, but unfortunately I really don't have much more to tell:

            • The job is a "normal" job, no matrix or anything
            • The job has a parameter named sha1 (as recommended by https://wiki.jenkins-ci.org/display/JENKINS/GitHub+pull+request+builder+plugin if one occasionally wants to build manually), with a default value of "fill-me-in"
            • From the console output I see that the sha1 Parameter is not filled in by v1.32.1 to the commit hash of the PR, but rather the default value is left in, which then causes the job execution to fail because it is not a
              valid git commit name
            • v1.29.4 however fills the parameter, and everything works just fine (if safeParameters is set accordingly)
            • I cannot find anything relevant in the jenkins log file

            How can I give you better diagnostic information?

            aheritier Arnaud Héritier added a comment -

            https://wiki.jenkins-ci.org/display/JENKINS/Plugins+affected+by+fix+for+SECURITY-170 is saying that this fix is removed in 1.32.2? Thus the issue should be reopened?

            orrc Christopher Orr added a comment -

            Yoann Dubreuil made that edit — maybe he can give some info as to why, since no details were added to the wiki.

            Both 1.32.1 and 1.32.2 have worked fine for me, and a couple of further releases have been made since then.

            ydubreuil Yoann Dubreuil added a comment -

            Christopher Orr The fix was rolled back in 1.32.2 and re-introduced in 1.32.3. I updated the wiki page to reflect this.

            scm_issue_link SCM/JIRA link daemon added a comment -

            Code changed in jenkins
            User: Ben Patterson
            Path:
            src/main/java/org/jenkinsci/plugins/ghprb/GhprbAdditionalParameterEnvironmentContributor.java
            src/main/java/org/jenkinsci/plugins/ghprb/GhprbParametersAction.java
            src/main/java/org/jenkinsci/plugins/ghprb/GhprbTrigger.java
            src/test/java/org/jenkinsci/plugins/ghprb/GhprbIT.java
            http://jenkins-ci.org/commit/ghprb-plugin/17ad7df21aa20f70a24d637871dca665865ddc1b
            Log:
            Merge pull request #439 from jenkinsci/JENKINS-34762-GHissue-352

            Fix for empty parameters in SECURITY-170 updates

            Compare: https://github.com/jenkinsci/ghprb-plugin/compare/2a26b52ec9e8...17ad7df21aa2


              People

              • Assignee: janinko Honza Brázdil
              • Reporter: orrc Christopher Orr
              • Votes: 22
              • Watchers: 31
