
Sec-170-related: gerrit-trigger needs to declare parameters

      Injecting arbitrary parameters is now forbidden, so the plugin should declare them to the jobs.
      See https://wiki.jenkins-ci.org/display/SECURITY/Jenkins+Security+Advisory+2016-05-11

      Major impacts:

      • Undeclared vars are not present anymore
      • log flooding with warnings like the ones below (the real list contains all gerrit trigger vars)

      A workaround is possible by setting system properties.

      May 12, 2016 9:53:01 AM WARNING hudson.model.ParametersAction filter
      Skipped parameter `GERRIT_EVENT_TYPE` as it is undefined on `ds-server test`. Set `-Dhudson.model.ParametersAction.keepUndefinedParameters`=true to allow undefined parameters to be injected as environment variables or `-Dhudson.model.ParametersAction.safeParameters=[comma-separated list]` to whitelist specific parameter names, even though it represents a security breach
      May 12, 2016 9:53:01 AM WARNING hudson.model.ParametersAction filter
      Skipped parameter `GERRIT_EVENT_HASH` as it is undefined on `ds-server test`. Set `-Dhudson.model.ParametersAction.keepUndefinedParameters`=true to allow undefined parameters to be injected as environment variables or `-Dhudson.model.ParametersAction.safeParameters=[comma-separated list]` to whitelist specific parameter names, even though it represents a security breach
      May 12, 2016 9:53:01 AM WARNING hudson.model.ParametersAction filter
      Skipped parameter `GERRIT_TOPIC` as it is undefined on `ds-server test`. Set `-Dhudson.model.ParametersAction.keepUndefinedParameters`=true to allow undefined parameters to be injected as environment variables or `-Dhudson.model.ParametersAction.safeParameters=[comma-separated list]` to whitelist specific parameter names, even though it represents a security breach
      May 12, 2016 9:53:01 AM WARNING hudson.model.ParametersAction filter
      Skipped parameter `GERRIT_CHANGE_NUMBER` as it is undefined on `ds-server test`. Set `-Dhudson.model.ParametersAction.keepUndefinedParameters`=true to allow undefined parameters to be injected as environment variables or `-Dhudson.model.ParametersAction.safeParameters=[comma-separated list]` to whitelist specific parameter names, even though it represents a security breach
      May 12, 2016 9:53:01 AM WARNING hudson.model.ParametersAction filter
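As an added operator-side example (not code from this issue, Jenkins core or the Gerrit Trigger plugin): a small Python script that parses the ParametersAction warnings above to recover which names were dropped on which jobs, builds the narrower safeParameters workaround from them instead of the blanket keepUndefinedParameters switch, and models the keep/skip decision the warning text describes. The sample log lines and the assumption that every plugin-set name carries the GERRIT_ prefix are constructed for this example.

```python
import re
from typing import Dict, Iterable, Set

# Constructed sample, modelled on the WARNING entries quoted in this issue
# (not a capture from a real Jenkins instance). Two jobs, one repeated name,
# plus one name that did not come from the Gerrit Trigger plugin.
SAMPLE_LOG = """\
May 12, 2016 9:53:01 AM WARNING hudson.model.ParametersAction filter
Skipped parameter `GERRIT_EVENT_TYPE` as it is undefined on `ds-server test`. Set `-Dhudson.model.ParametersAction.keepUndefinedParameters`=true to allow undefined parameters to be injected as environment variables or `-Dhudson.model.ParametersAction.safeParameters=[comma-separated list]` to whitelist specific parameter names, even though it represents a security breach
May 12, 2016 9:53:01 AM WARNING hudson.model.ParametersAction filter
Skipped parameter `GERRIT_TOPIC` as it is undefined on `ds-server test`. Set `-Dhudson.model.ParametersAction.keepUndefinedParameters`=true to allow undefined parameters ...
May 12, 2016 9:53:02 AM WARNING hudson.model.ParametersAction filter
Skipped parameter `GERRIT_EVENT_TYPE` as it is undefined on `other-job`. Set ...
May 12, 2016 9:53:02 AM WARNING hudson.model.ParametersAction filter
Skipped parameter `SOME_OTHER_PARAM` as it is undefined on `other-job`. Set ...
"""

# The backticked names are the stable part of the warning, so one pattern
# recovers a (parameter, job) pair from every "Skipped parameter" line.
SKIPPED_RE = re.compile(r"Skipped parameter `([^`]+)` as it is undefined on `([^`]+)`")


def skipped_parameters(log_text: str) -> Dict[str, Set[str]]:
    """Map each skipped parameter name to the set of jobs it was dropped on."""
    found: Dict[str, Set[str]] = {}
    for name, job in SKIPPED_RE.findall(log_text):
        found.setdefault(name, set()).add(job)
    return found


def safe_parameters_property(names: Iterable[str], prefix: str = "GERRIT_") -> str:
    """Build the narrow workaround: whitelist only names the trigger plugin is
    known to set (assumed here to share the GERRIT_ prefix), so a stray name
    that merely showed up in the log is not allowed through as well."""
    chosen = sorted({n for n in names if n.startswith(prefix)})
    return "-Dhudson.model.ParametersAction.safeParameters=" + ",".join(chosen)


def would_be_injected(name: str, job_params: Set[str], safe: Set[str],
                      keep_undefined: bool = False) -> bool:
    """Model of the decision the warning describes: a parameter reaches the
    build if the job defines it, if it is on the safe list, or if the
    keepUndefinedParameters escape hatch is on (which reopens the issue)."""
    return keep_undefined or name in job_params or name in safe
```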


          Code changed in jenkins
          User: Robert Sandell
          Path:
          pom.xml
          http://jenkins-ci.org/commit/gerrit-trigger-plugin/b1c6b5242b94c802960a339a957e425b185ad7bd
          Log:
          Merge remote-tracking branch 'origin/master' into JENKINS-34753


          Code changed in jenkins
          User: Robert Sandell
          Path:
          src/main/java/com/sonyericsson/hudson/plugins/gerrit/trigger/gerritnotifier/ParameterExpander.java
          src/main/java/com/sonyericsson/hudson/plugins/gerrit/trigger/hudsontrigger/EventListener.java
          src/main/java/com/sonyericsson/hudson/plugins/gerrit/trigger/hudsontrigger/GerritTriggerParameters.java
          src/test/java/com/sonyericsson/hudson/plugins/gerrit/trigger/gerritnotifier/ParameterExpanderParameterizedTest.java
          src/test/java/com/sonyericsson/hudson/plugins/gerrit/trigger/gerritnotifier/ParameterExpanderSkipVoteParameterTest.java
          src/test/java/com/sonyericsson/hudson/plugins/gerrit/trigger/gerritnotifier/ParameterExpanderTest.java
          src/test/java/com/sonyericsson/hudson/plugins/gerrit/trigger/hudsontrigger/data/TriggerContextConverterTest.java
          http://jenkins-ci.org/commit/gerrit-trigger-plugin/3116820af823b0a2ee3613b03a5d0d2ca591e754
          Log:
          JENKINS-34753 Provide safe parameters to ParametersAction

          And fixed some checkstyle errors in the tests

          Compare: https://github.com/jenkinsci/gerrit-trigger-plugin/compare/c40227e06445...3116820af823


          ryan h added a comment -

          Any idea when this fix will be available via plugin update?


          Code changed in jenkins
          User: Robert Sandell
          Path:
          pom.xml
          src/main/java/com/sonyericsson/hudson/plugins/gerrit/trigger/gerritnotifier/ParameterExpander.java
          src/main/java/com/sonyericsson/hudson/plugins/gerrit/trigger/hudsontrigger/EventListener.java
          src/main/java/com/sonyericsson/hudson/plugins/gerrit/trigger/hudsontrigger/GerritCause.java
          src/main/java/com/sonyericsson/hudson/plugins/gerrit/trigger/hudsontrigger/GerritTriggerParameters.java
          src/test/java/com/sonyericsson/hudson/plugins/gerrit/trigger/gerritnotifier/ParameterExpanderParameterizedTest.java
          src/test/java/com/sonyericsson/hudson/plugins/gerrit/trigger/gerritnotifier/ParameterExpanderSkipVoteParameterTest.java
          src/test/java/com/sonyericsson/hudson/plugins/gerrit/trigger/gerritnotifier/ParameterExpanderTest.java
          src/test/java/com/sonyericsson/hudson/plugins/gerrit/trigger/hudsontrigger/GerritProjectListTest.java
          src/test/java/com/sonyericsson/hudson/plugins/gerrit/trigger/hudsontrigger/GerritTriggerTest.java
          src/test/java/com/sonyericsson/hudson/plugins/gerrit/trigger/hudsontrigger/data/TriggerContextConverterTest.java
          http://jenkins-ci.org/commit/gerrit-trigger-plugin/8b4652554b63ec92768c4b8ad840cae0522d4c7d
          Log:
          Merge pull request #285 from jenkinsci/JENKINS-34753

          JENKINS-34753 Provide safe parameters to ParametersAction

          Compare: https://github.com/jenkinsci/gerrit-trigger-plugin/compare/644d75d4f7a5...8b4652554b63


          Björn Pedersen added a comment - Fix is released, so I think this can be closed. https://wiki.jenkins-ci.org/display/JENKINS/Gerrit+Trigger#GerritTrigger-Version2.21.1

          James Ladan added a comment -

          I (foolishly) updated to Jenkins 1.651.2 and Gerrit Trigger 2.21.1 yesterday and the problem is not resolved for 1.651.2.

          [separate issue] On top of that, after downgrading Jenkins back to 1.651.1, the 'retrigger' option was gone from our Gerrit monitor jobs, meaning I couldn't retrigger the jobs that failed due to the parameter declaration problem. I had to downgrade the Gerrit Trigger plugin back to 2.20.0 to get the retrigger option back.


          Guillaume LAURENT added a comment -

          We are moving from a POC, and just figured out that our jobs using $GERRIT_PATCHSET_REVISION were not working anymore.

          Last Jenkins LTS 1.651.2 & last Gerrit Trigger plugin 2.21.1 too.

          Guillaume LAURENT added a comment -

          Sounds corrected with last 1.651.3!

          rsandell added a comment -

          Gerrit Trigger 2.21.1 with Jenkins >= 1.651.3 or Jenkins >= 2.6

