[JENKINS-34996] Sec-170-related: Release plugin needs to declare parameters

Type: Bug
Resolution: Fixed
Priority: Blocker
Component/s: release-plugin
Labels:
- security-170
Environment:
1.651.2+ and Jenkins 2.3+

Similar Issues:
Powered by SuggestiMate

Show

Injecting arbitrary parameters is now forbidden, so the plugin should declare them to the jobs.
See https://wiki.jenkins-ci.org/display/SECURITY/Jenkins+Security+Advisory+2016-05-11

Major impacts:

Undeclared vars are not present anymore

Release Plugin was listed on the page: https://wiki.jenkins-ci.org/display/JENKINS/Plugins+affected+by+fix+for+SECURITY-170 and no issue was yet created for this.

is related to

JENKINS-35257 Release plugin ignores release parameters in Jenkins 2.7

Resolved

links to

Matthew Griffin added a comment - 2016-05-27 14:42

This renders this plugin entirely unusable, unfortunately. Even simple variable substitution in an Execute Shell is not possible, as the variables are now undefined.

Matthew Griffin added a comment - 2016-05-27 14:42 This renders this plugin entirely unusable, unfortunately. Even simple variable substitution in an Execute Shell is not possible, as the variables are now undefined.

Johnny Shields added a comment - 2016-05-27 14:58

I think this merits an advisory in the documentation, "Jenkins 2.3+ requires GHPRB plugin version X.Y.Z or later"

Johnny Shields added a comment - 2016-05-27 14:58 I think this merits an advisory in the documentation, "Jenkins 2.3+ requires GHPRB plugin version X.Y.Z or later"

Michael Templeton added a comment - 2016-05-27 15:01

Plugin is currently useless. Can't even do basic variable substitution in shell.

Michael Templeton added a comment - 2016-05-27 15:01 Plugin is currently useless. Can't even do basic variable substitution in shell.

Antonio Muñiz added a comment - 2016-06-02 14:12

Proposed fix: https://github.com/jenkinsci/release-plugin/pull/17

Antonio Muñiz added a comment - 2016-06-02 14:12 Proposed fix: https://github.com/jenkinsci/release-plugin/pull/17

SCM/JIRA link daemon added a comment - 2016-09-28 12:39

Code changed in jenkins
User: Antonio Muñiz
Path:
pom.xml
src/main/java/hudson/plugins/release/ReleaseWrapper.java
src/main/java/hudson/plugins/release/SafeParametersAction.java
src/main/resources/hudson/plugins/release/ReleaseWrapper/ReleaseAction/index.jelly
src/test/java/hudson/plugins/release/TestReleasePluginParameters.java
http://jenkins-ci.org/commit/release-plugin/98f1c2f8fbd10c5a2a029c466a00c94a48f3063f
Log:
~~JENKINS-34996~~ Acknoledge SECURITY-170

SCM/JIRA link daemon added a comment - 2016-09-28 12:39 Code changed in jenkins User: Antonio Muñiz Path: pom.xml src/main/java/hudson/plugins/release/ReleaseWrapper.java src/main/java/hudson/plugins/release/SafeParametersAction.java src/main/resources/hudson/plugins/release/ReleaseWrapper/ReleaseAction/index.jelly src/test/java/hudson/plugins/release/TestReleasePluginParameters.java http://jenkins-ci.org/commit/release-plugin/98f1c2f8fbd10c5a2a029c466a00c94a48f3063f Log: JENKINS-34996 Acknoledge SECURITY-170

SCM/JIRA link daemon added a comment - 2016-09-28 12:39

Code changed in jenkins
User: Oleg Nenashev
Path:
pom.xml
src/main/java/hudson/plugins/release/ReleaseWrapper.java
src/main/java/hudson/plugins/release/SafeParametersAction.java
src/main/java/hudson/plugins/release/dashboard/RecentReleasesPortlet.java
src/main/resources/hudson/plugins/release/ReleaseWrapper/ReleaseAction/index.jelly
src/main/resources/hudson/plugins/release/ReleaseWrapper/ReleaseBuildBadgeAction/badge.jelly
src/main/resources/hudson/plugins/release/ReleaseWrapper/config.jelly
src/main/resources/hudson/plugins/release/dashboard/RecentReleasesPortlet/config.jelly
src/main/resources/hudson/plugins/release/dashboard/RecentReleasesPortlet/main.jelly
src/main/resources/hudson/plugins/release/dashboard/RecentReleasesPortlet/portlet.jelly
src/main/resources/hudson/plugins/release/promotion/ReleasePromotionCondition/Badge/index.jelly
src/main/resources/hudson/plugins/release/promotion/ReleasePromotionCondition/config.jelly
src/main/resources/hudson/plugins/release/promotion/ReleasePromotionCondition/index.jelly
src/main/resources/index.jelly
src/test/java/hudson/plugins/release/TestReleasePluginJob.java
src/test/java/hudson/plugins/release/TestReleasePluginMatrixJob.java
src/test/java/hudson/plugins/release/TestReleasePluginParameters.java
http://jenkins-ci.org/commit/release-plugin/ab68ac9ce267e658ff1662253a3726a7d040a509
Log:
Merge pull request #17 from amuniz/~~JENKINS-34996~~

~~JENKINS-34996~~ Release parameters visibility

Compare: https://github.com/jenkinsci/release-plugin/compare/3a0e033135cb...ab68ac9ce267

SCM/JIRA link daemon added a comment - 2016-09-28 12:39 Code changed in jenkins User: Oleg Nenashev Path: pom.xml src/main/java/hudson/plugins/release/ReleaseWrapper.java src/main/java/hudson/plugins/release/SafeParametersAction.java src/main/java/hudson/plugins/release/dashboard/RecentReleasesPortlet.java src/main/resources/hudson/plugins/release/ReleaseWrapper/ReleaseAction/index.jelly src/main/resources/hudson/plugins/release/ReleaseWrapper/ReleaseBuildBadgeAction/badge.jelly src/main/resources/hudson/plugins/release/ReleaseWrapper/config.jelly src/main/resources/hudson/plugins/release/dashboard/RecentReleasesPortlet/config.jelly src/main/resources/hudson/plugins/release/dashboard/RecentReleasesPortlet/main.jelly src/main/resources/hudson/plugins/release/dashboard/RecentReleasesPortlet/portlet.jelly src/main/resources/hudson/plugins/release/promotion/ReleasePromotionCondition/Badge/index.jelly src/main/resources/hudson/plugins/release/promotion/ReleasePromotionCondition/config.jelly src/main/resources/hudson/plugins/release/promotion/ReleasePromotionCondition/index.jelly src/main/resources/index.jelly src/test/java/hudson/plugins/release/TestReleasePluginJob.java src/test/java/hudson/plugins/release/TestReleasePluginMatrixJob.java src/test/java/hudson/plugins/release/TestReleasePluginParameters.java http://jenkins-ci.org/commit/release-plugin/ab68ac9ce267e658ff1662253a3726a7d040a509 Log: Merge pull request #17 from amuniz/ JENKINS-34996 JENKINS-34996 Release parameters visibility Compare: https://github.com/jenkinsci/release-plugin/compare/3a0e033135cb...ab68ac9ce267

Oleg Nenashev added a comment - 2016-09-29 07:46

Released it in 2.6

Oleg Nenashev added a comment - 2016-09-29 07:46 Released it in 2.6

Assignee:: Antonio Muñiz

Reporter:: Justin Fiore

Votes:: 7 Vote for this issue

Watchers:: 14 Start watching this issue

Created:: 2016-05-20 17:59

Updated:: 2016-09-29 07:46

Resolved:: 2016-09-29 07:46

Jenkins

Details

Description

Attachments

Issue Links

Activity

Collapse comment: Matthew Griffin added a comment - 2016-05-27 14:42

Expand comment: Matthew Griffin added a comment - 2016-05-27 14:42

Collapse comment: Johnny Shields added a comment - 2016-05-27 14:58

Expand comment: Johnny Shields added a comment - 2016-05-27 14:58

Collapse comment: Michael Templeton added a comment - 2016-05-27 15:01

Expand comment: Michael Templeton added a comment - 2016-05-27 15:01

Collapse comment: Antonio Muñiz added a comment - 2016-06-02 14:12

Expand comment: Antonio Muñiz added a comment - 2016-06-02 14:12

Collapse comment: SCM/JIRA link daemon added a comment - 2016-09-28 12:39

Expand comment: SCM/JIRA link daemon added a comment - 2016-09-28 12:39

Collapse comment: SCM/JIRA link daemon added a comment - 2016-09-28 12:39

Expand comment: SCM/JIRA link daemon added a comment - 2016-09-28 12:39

Collapse comment: Oleg Nenashev added a comment - 2016-09-29 07:46

Expand comment: Oleg Nenashev added a comment - 2016-09-29 07:46

People

Dates