JENKINS-34870: Bitbucket Pull Request plugin affected by SECURITY-170

      Description

      I believe that, just like other PR builder plugins, this one is affected by SECURITY-170 but is not on the page that tracks them: https://wiki.jenkins-ci.org/display/JENKINS/Plugins+affected+by+fix+for+SECURITY-170

      08:23:33 FATAL: Command "git rev-parse origin/${targetBranch}^{commit}" returned status code 128:
      08:23:33 stdout: origin/${targetBranch}^{commit}
      

      This used to work with Jenkins 2.2.


          Activity

          Alexej Kubarev (alexejk) added a comment - edited

          Setting property to allow all unknown parameters did help to temporarily work around the issue.

          Raitis Dembovskis (raitis) added a comment

          Alexej Kubarev Where is this setting available?

          Alexej Kubarev (alexejk) added a comment

          The setting is for Jenkins globally, in the startup parameters, as per https://jenkins.io/blog/2016/05/11/security-update/
          What you are looking for is setting hudson.model.ParametersAction.keepUndefinedParameters as a workaround, but this of course is not good in the long run until the plugin is updated.

          Alexej Kubarev (alexejk) added a comment

          The fix PR seems to be available here: https://github.com/nishio-dens/bitbucket-pullrequest-builder-plugin/pull/88
          Raitis Dembovskis (raitis) added a comment - edited

          Hmm. My problem was that the plugin didn't set the $sourceBranch variable, which I need to pass to downstream jobs. But $GIT_BRANCH is set if I check out the code. But I am using this job only to track PRs, trigger another job and pass the branch name. Before that I didn't need to check out code because the plugin would set $sourceBranch.

          So my solution for now is to check out code and use $GIT_BRANCH.

          Alexej Kubarev (alexejk) added a comment

          Actually, I am using $sourceBranch and a few other parameters. If you set keepUndefinedParameters to true as part of the Jenkins command-line parameters, it will work.
          As SECURITY-170 disables "unknown" parameters by default, $sourceBranch and a few other parameters were not registered by the plugin, and therefore were ignored (and parsed as plain text input).

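          An added check that models the behaviour described in the comments above; it is not code from the plugin or from anyone on this thread. A parameter the plugin injects reaches the build only if the job declares it, or if the Jenkins JVM flags either keep all undefined parameters (the blanket workaround, which reopens SECURITY-170) or whitelist it by name via hudson.model.ParametersAction.safeParameters from the linked advisory. The sample config.xml, and limiting the plugin's parameters to the two names on this page, are assumptions.

```python
import re
import xml.etree.ElementTree as ET

# Parameters this issue says the plugin injects into builds. Only the two named on the
# page are listed here (assumption: the real plugin may inject more).
PLUGIN_PARAMS = {"sourceBranch", "targetBranch"}

# Constructed sample job config.xml: targetBranch is declared, sourceBranch is not.
SAMPLE_CONFIG_XML = """<project>
  <properties>
    <hudson.model.ParametersDefinitionProperty>
      <parameterDefinitions>
        <hudson.model.StringParameterDefinition>
          <name>targetBranch</name>
          <defaultValue>master</defaultValue>
        </hudson.model.StringParameterDefinition>
      </parameterDefinitions>
    </hudson.model.ParametersDefinitionProperty>
  </properties>
</project>"""

KEEP_ALL = "-Dhudson.model.ParametersAction.keepUndefinedParameters=true"
SAFE_LIST = re.compile(r"-Dhudson\.model\.ParametersAction\.safeParameters=(.+)")


def declared_parameters(config_xml):
    """Parameter names the job itself declares; these always reach the build."""
    root = ET.fromstring(config_xml)
    return {n.text.strip() for n in root.findall(".//parameterDefinitions/*/name") if n.text}


def dropped_parameters(config_xml, java_opts, plugin_params=PLUGIN_PARAMS):
    """Plugin-injected parameters the SECURITY-170 filter discards for this job and
    these JVM flags. keepUndefinedParameters=true keeps everything (insecure);
    safeParameters=<comma list> whitelists only the named parameters."""
    opts = java_opts.split()
    if KEEP_ALL in opts:
        return set()
    whitelisted = set()
    for opt in opts:
        m = SAFE_LIST.match(opt)
        if m:
            whitelisted.update(p.strip() for p in m.group(1).split(","))
    return plugin_params - declared_parameters(config_xml) - whitelisted


def expand(template, params):
    """Jenkins-style ${name} expansion. An undefined name stays literal, which is
    consistent with the 'origin/${targetBranch}^{commit}' in the log above."""
    return re.sub(r"\$\{(\w+)\}", lambda m: params.get(m.group(1), m.group(0)), template)
```

Run dropped_parameters against a real job's config.xml and the instance's JAVA_OPTS to see which of the plugin's parameters will go missing before touching keepUndefinedParameters.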

            People

            • Assignee:
              Unassigned
            • Reporter:
              Alexej Kubarev (alexejk)
