[JENKINS-34762] PR status cannot be updated due to filtered parameters

      The fix for SECURITY-170 as described in this blog post means that Jenkins core filters out any parameters used that were not defined in the job:
      https://jenkins.io/blog/2016/05/11/security-update/

      Since GHPRB defines lots of parameters at runtime, and then later tries to access them, a bunch of functionality in the plugin fails.

      For example, at the end of a PR build, the plugin tries to read the PR ID so that it can update it on GitHub — but because the ghprbPullId parameter gets filtered out, the plugin fails to determine the PR ID.

      May 12, 2016 12:35:13 PM hudson.model.ParametersAction filter
      WARNING: Skipped parameter `ghprbPullId ` as it is undefined on `pr-test-job`. Set `-Dhudson.model.ParametersAction.keepUndefinedParameters`=true to allow undefined parameters to be injected as environment variables or `-Dhudson.model.ParametersAction.safeParameters=[comma-separated list]` to whitelist specific parameter names, even though it represents a security breach
      May 12, 2016 12:35:13 PM hudson.model.listeners.RunListener report
      WARNING: RunListener failed
      java.lang.NumberFormatException: null
              at java.lang.Integer.parseInt(Integer.java:542)
              at java.lang.Integer.parseInt(Integer.java:615)
              at org.jenkinsci.plugins.ghprb.extensions.status.GhprbSimpleStatus.createCommitStatus(GhprbSimpleStatus.java:220)
              at org.jenkinsci.plugins.ghprb.extensions.status.GhprbSimpleStatus.onBuildComplete(GhprbSimpleStatus.java:208)
              at org.jenkinsci.plugins.ghprb.GhprbBuilds.onCompleted(GhprbBuilds.java:192)
              at org.jenkinsci.plugins.ghprb.GhprbBuildListener.onCompleted(GhprbBuildListener.java:32)
              at org.jenkinsci.plugins.ghprb.GhprbBuildListener.onCompleted(GhprbBuildListener.java:17)
              at hudson.model.listeners.RunListener.fireCompleted(RunListener.java:202)
              at hudson.model.Run.execute(Run.java:1783)
              at hudson.model.FreeStyleBuild.run(FreeStyleBuild.java:43)
              at hudson.model.ResourceController.execute(ResourceController.java:98)
              at hudson.model.Executor.run(Executor.java:410)
      

      Presumably this plugin should define its own Action class to store this information, rather than relying on these parameters to be exported into the environment during a build.
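
For administrators triaging this after the SECURITY-170 update, the following added example (not part of the original issue or of the GHPRB plugin) reads a Jenkins log in the two-line layout quoted above and reports which parameters were filtered on which job. The sample log is constructed: `docs-pr-job`, the later timestamps and the shortened message tails are invented for illustration.

```python
import re
from collections import defaultdict

# java.util.logging header line: "<date> <time> AM|PM <source class> <method>"
HEADER = re.compile(
    r"^\w{3} \d{1,2}, \d{4} \d{1,2}:\d{2}:\d{2} [AP]M (?P<src>\S+) (?P<method>\S+)$")
# Message emitted when a parameter is dropped because the job does not define it.
SKIPPED = re.compile(
    r"^WARNING: Skipped parameter `(?P<param>[^`]*)` as it is undefined on `(?P<job>[^`]*)`")

# Constructed sample; message tails are shortened to "Set ...".
SAMPLE_LOG = "\n".join([
    "May 12, 2016 12:35:13 PM hudson.model.ParametersAction filter",
    "WARNING: Skipped parameter `ghprbPullId ` as it is undefined on `pr-test-job`. Set ...",
    "May 12, 2016 12:35:13 PM hudson.model.ParametersAction filter",
    "WARNING: Skipped parameter `sha1` as it is undefined on `pr-test-job`. Set ...",
    "May 12, 2016 12:35:13 PM hudson.model.listeners.RunListener report",
    "WARNING: RunListener failed",
    "java.lang.NumberFormatException: null",
    "May 12, 2016 12:41:02 PM hudson.model.ParametersAction filter",
    "WARNING: Skipped parameter `ghprbPullId ` as it is undefined on `pr-test-job`. Set ...",
    "May 12, 2016 12:50:40 PM hudson.model.ParametersAction filter",
    "WARNING: Skipped parameter `ghprbPullId` as it is undefined on `docs-pr-job`. Set ...",
])

def skipped_parameters(log_text):
    """Return {job: {parameter: count}} for parameters the core filter dropped."""
    found = defaultdict(lambda: defaultdict(int))
    source = None
    for line in log_text.splitlines():
        line = line.strip()
        header = HEADER.match(line)
        if header:
            source = header.group("src")
            continue
        hit = SKIPPED.match(line)
        # Count only messages logged directly under a ParametersAction header.
        if hit and source == "hudson.model.ParametersAction":
            # The logged name can carry trailing whitespace, as in the issue.
            found[hit.group("job")][hit.group("param").strip()] += 1
        source = None  # stack-trace and other lines belong to no header
    return {job: dict(params) for job, params in found.items()}

def report(found):
    """One line per job naming the parameters that builds lost."""
    return [f"{job}: {', '.join(sorted(found[job]))}" for job in sorted(found)]

if __name__ == "__main__":
    print("\n".join(report(skipped_parameters(SAMPLE_LOG))))
```

The per-job list shows where a job definition or plugin fix is needed, which is narrower than enabling `keepUndefinedParameters` for the whole instance.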


          Christopher Orr created issue -

          Nick Walke added a comment - Just ran into this. Thanks for finding the cause.

          Nicholas Brown added a comment - I'd guess that https://github.com/jenkinsci/stash-pullrequest-builder-plugin may have the same problem as it appears to define extra parameters in a similar way.

          Christopher Orr added a comment - nickbrown: If you use that plugin, and you're seeing issues due to the fix for SECURITY-170, could you please file a new bug for that? Also adding it to the wiki page of affected plugins would be helpful.
          Christopher Orr made changes -
          Labels New: security-170
          Christopher Orr made changes -
          Link New: This issue is duplicated by JENKINS-34811 [ JENKINS-34811 ]

          Nicholas Brown added a comment - https://github.com/nemccarthy/stash-pullrequest-builder-plugin/issues/84
          Nicholas Brown made changes -
          Link New: This issue is related to JENKINS-34847 [ JENKINS-34847 ]

          Margaret Leber added a comment - I've been able to do a quick circumvention of this for our PRs by simply adding a sha1 parameter to the affected job.
          Antonio Muñiz made changes -
          Remote Link New: This issue links to "PR (Web Link)" [ 14315 ]

            janinko Honza Brázdil
            orrc Christopher Orr
            Votes: 22
            Watchers: 31