      Description

      The fix for SECURITY-170 as described in this blog post means that Jenkins core filters out any parameters used that were not defined in the job: https://jenkins.io/blog/2016/05/11/security-update/

      Since Stash Pullrequest builder defines lots of parameters at runtime, and then later tries to access them, a bunch of functionality in the plugin fails. See an example resulting failure at https://github.com/nemccarthy/stash-pullrequest-builder-plugin/issues/84

      Presumably this plugin should define its own Action class to store this information, rather than relying on these parameters to be exported into the environment during a build.

      This is similar to the issue seen in the GHPRB plugin.
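
      The approach suggested in the description (keep the values in the plugin's own Action and export them through an EnvironmentContributor), shown as an added example that is not the plugin's own code. The class names are hypothetical, the variable names are the ones from the safeParameters list quoted in the comments, and only the hudson.* types are Jenkins core API.

```java
import hudson.EnvVars;
import hudson.Extension;
import hudson.model.EnvironmentContributor;
import hudson.model.InvisibleAction;
import hudson.model.Run;
import hudson.model.TaskListener;
import java.util.*;

// Hypothetical class names; only the hudson.* types are Jenkins core API.
public final class PullRequestEnvExample {

    // Fixed set of names the plugin owns (the safeParameters list quoted in this issue).
    static final Set<String> OWNED = new HashSet<>(Arrays.asList(
            "pullRequestId", "pullRequestTitle", "sourceBranch", "targetBranch",
            "sourceRepositoryOwner", "sourceRepositoryName",
            "destinationRepositoryOwner", "destinationRepositoryName",
            "sourceCommitHash", "destinationCommitHash"));

    // Attached to the build by the trigger instead of adding undeclared parameters.
    public static final class PullRequestAction extends InvisibleAction {
        final Map<String, String> values;

        public PullRequestAction(Map<String, String> values) {
            this.values = Collections.unmodifiableMap(new LinkedHashMap<>(values));
        }
    }

    // Exports the stored values into the build environment.
    @Extension
    public static final class Contributor extends EnvironmentContributor {
        @Override
        public void buildEnvironmentFor(Run r, EnvVars envs, TaskListener listener) {
            PullRequestAction action = (PullRequestAction) r.getAction(PullRequestAction.class);
            if (action == null) {
                return; // build was not started by the pull request trigger
            }
            for (Map.Entry<String, String> e : action.getValues()) {
                // Pull request data is untrusted: export only the fixed names, never e.g. PATH.
                if (OWNED.contains(e.getKey()) && e.getValue() != null) {
                    envs.put(e.getKey(), e.getValue());
                }
            }
        }
    }
}
```

      With this pattern neither keepUndefinedParameters nor safeParameters has to be set on the controller, so the SECURITY-170 filtering stays in force for every other job.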

            Activity

            danielbarcay Daniel Barcay added a comment -

            This bug caught my team when attempting an upgrade to Jenkins. I had to rollback. Definitely a blocker bug, and needs to be addressed ASAP, since I can't find a workaround.

            slowjack2k Dieter S added a comment -

            Daniel Barcay The workaround is described within the linked blog post. You choose between the java opt

            -Dhudson.model.ParametersAction.keepUndefinedParameters=true

            and

            -Dhudson.model.ParametersAction.safeParameters=pullRequestId,pullRequestTitle,sourceBranch,targetBranch,sourceRepositoryOwner,sourceRepositoryName,destinationRepositoryOwner,destinationRepositoryName,sourceCommitHash,destinationCommitHash

            But the blog post states also that this workaround will only work for a certain amount of time.

            danielbarcay Daniel Barcay added a comment -

            Thanks Dieter... I'll give this a shot.

            scm_issue_link SCM/JIRA link daemon added a comment -

            Code changed in jenkins
            User: Nathan
            Path:
            src/main/java/stashpullrequestbuilder/stashpullrequestbuilder/StashAditionalParameterEnvironmentContributor.java
            src/main/java/stashpullrequestbuilder/stashpullrequestbuilder/StashBuildTrigger.java
            http://jenkins-ci.org/commit/stash-pullrequest-builder-plugin/059d562ead697f75c5c8ac90f4d0857531fd4802
            Log:
            Merge pull request #19 from mrooney/master

            expose missing environment variables for JENKINS-34847

            Compare: https://github.com/jenkinsci/stash-pullrequest-builder-plugin/compare/20d36fb5e6ab...059d562ead69

            nickbrown Nicholas Brown added a comment - Fixed in https://github.com/nemccarthy/stash-pullrequest-builder-plugin/pull/89

              People

              • Assignee: nemccarthy nathan m
              • Reporter: nickbrown Nicholas Brown
              • Votes: 8
              • Watchers: 12
