- Bug
- Resolution: Fixed
- Critical
The fix for SECURITY-170 as described in this blog post means that Jenkins core filters out any parameters used that were not defined in the job:
https://jenkins.io/blog/2016/05/11/security-update/
Since GHPRB defines lots of parameters at runtime, and then later tries to access them, a bunch of functionality in the plugin fails.
For example, at the end of a PR build, the plugin tries to read the PR ID so that it can update it on GitHub — but because the ghprbPullId parameter gets filtered out, the plugin fails to determine the PR ID.
May 12, 2016 12:35:13 PM hudson.model.ParametersAction filter
WARNING: Skipped parameter `ghprbPullId ` as it is undefined on `pr-test-job`. Set `-Dhudson.model.ParametersAction.keepUndefinedParameters`=true to allow undefined parameters to be injected as environment variables or `-Dhudson.model.ParametersAction.safeParameters=[comma-separated list]` to whitelist specific parameter names, even though it represents a security breach
May 12, 2016 12:35:13 PM hudson.model.listeners.RunListener report
WARNING: RunListener failed
java.lang.NumberFormatException: null
    at java.lang.Integer.parseInt(Integer.java:542)
    at java.lang.Integer.parseInt(Integer.java:615)
    at org.jenkinsci.plugins.ghprb.extensions.status.GhprbSimpleStatus.createCommitStatus(GhprbSimpleStatus.java:220)
    at org.jenkinsci.plugins.ghprb.extensions.status.GhprbSimpleStatus.onBuildComplete(GhprbSimpleStatus.java:208)
    at org.jenkinsci.plugins.ghprb.GhprbBuilds.onCompleted(GhprbBuilds.java:192)
    at org.jenkinsci.plugins.ghprb.GhprbBuildListener.onCompleted(GhprbBuildListener.java:32)
    at org.jenkinsci.plugins.ghprb.GhprbBuildListener.onCompleted(GhprbBuildListener.java:17)
    at hudson.model.listeners.RunListener.fireCompleted(RunListener.java:202)
    at hudson.model.Run.execute(Run.java:1783)
    at hudson.model.FreeStyleBuild.run(FreeStyleBuild.java:43)
    at hudson.model.ResourceController.execute(ResourceController.java:98)
    at hudson.model.Executor.run(Executor.java:410)
Presumably this plugin should define its own Action class to store this information, rather than relying on these parameters to be exported into the environment during a build.
- is duplicated by
  - JENKINS-34811 Environment Variables not being created (Closed)
- is related to
  - JENKINS-34847 Missing parameters (Resolved)
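
The warning quoted in this report names two workarounds. As an added example (not part of the original report or the plugin's code), this Python script pulls the dropped parameter names per job out of a Jenkins log and builds the narrower `safeParameters` option from names that match a reviewed prefix, instead of setting `keepUndefinedParameters`. The function names, the `ghprb` prefix choice and the sample log are assumptions constructed for illustration.

```python
import re
from collections import defaultdict

# Matches the warning hudson.model.ParametersAction logs when it drops a parameter.
# Whitespace inside the backticks is tolerated (the report shows `ghprbPullId `).
SKIPPED = re.compile(r"Skipped parameter `\s*([^`]+?)\s*` as it is undefined on `([^`]+)`")
# Conservative shape check before a name is echoed into a JVM option.
SAFE_NAME = re.compile(r"^[A-Za-z_][A-Za-z0-9_]*$")

def skipped_parameters(log_text):
    """Return {job name: sorted list of parameter names the filter dropped}."""
    found = defaultdict(set)
    for name, job in SKIPPED.findall(log_text):
        found[job].add(name)
    return {job: sorted(names) for job, names in found.items()}

def safe_parameters_option(skipped, reviewed_prefixes):
    """Build a safeParameters option from names an admin has reviewed.

    Only names starting with a reviewed prefix are kept; the rest are returned
    separately so they get looked at rather than silently allowed.
    """
    allowed, needs_review = set(), set()
    for names in skipped.values():
        for name in names:
            ok = SAFE_NAME.match(name) and name.startswith(tuple(reviewed_prefixes))
            (allowed if ok else needs_review).add(name)
    option = "-Dhudson.model.ParametersAction.safeParameters=" + ",".join(sorted(allowed))
    return option, sorted(needs_review)

# Constructed sample: the first record follows the report's log (message text
# abbreviated with "..."); the other two records are made up for the example.
SAMPLE_LOG = """\
May 12, 2016 12:35:13 PM hudson.model.ParametersAction filter
WARNING: Skipped parameter `ghprbPullId ` as it is undefined on `pr-test-job`. Set ...
May 12, 2016 12:35:14 PM hudson.model.ParametersAction filter
WARNING: Skipped parameter `ghprbActualCommit` as it is undefined on `pr-test-job`. Set ...
May 12, 2016 12:36:02 PM hudson.model.ParametersAction filter
WARNING: Skipped parameter `releaseChannel` as it is undefined on `nightly-job`. Set ...
"""

if __name__ == "__main__":
    skipped = skipped_parameters(SAMPLE_LOG)
    print(skipped)
    print(safe_parameters_option(skipped, reviewed_prefixes=["ghprb"]))
```

Names returned in the second element were dropped by the filter but do not match a reviewed prefix; defining them as real parameters on the job is the alternative to whitelisting them.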