[JENKINS-35257] Release plugin ignores release parameters in Jenkins 2.7

    • Type: Bug
    • Resolution: Fixed
    • Priority: Blocker
    • Component/s: core, release-plugin
    • Labels: None
    • Environment: Jenkins 1.651.2, Jenkins 2.7, Release Plugin 2.5.4

      Release builds ignore the given parameters, which leads to misconfigured builds. The HTML code for the forms responsible for reading these parameters seems to be suspicious, e.g., because the input name is non-uniquely set to "value". See screenshot attached.


          Florian Reinhard added a comment - - edited

          Hi!

          I did some tests, and it looks like a change from 1.651.1 to 1.651.2 broke the old stable releases. See below for details:
          1.645 ok
          1.648 ok
          1.650 ok
          1.651.1 ok
          1.651.2 not ok <--- broken
          1.658 ok
          2.5 not ok
          2.7 not ok


          Florian Reinhard added a comment -

          See below what I can see in the Jenkins log with 1.651.2 when doing a release build. These messages repeat quite often for a single build (Matrix build 2x3)

          Jun 09, 2016 8:45:07 AM WARNUNG hudson.model.ParametersAction filter
          Skipped parameter `MY_TEST_VARIABLE_1` as it is undefined on `MY_TEST_BUILD_CONFIG`. Set `-Dhudson.model.ParametersAction.keepUndefinedParameters`=true to allow undefined parameters to be injected as environment variables or `-Dhudson.model.ParametersAction.safeParameters=[comma-separated list]` to whitelist specific parameter names, even though it represents a security breach

          Jun 09, 2016 8:45:07 AM WARNUNG hudson.model.ParametersAction filter
          Skipped parameter `MY_TEST_VARIABLE_2` as it is undefined on `MY_TEST_BUILD_CONFIG`. Set `-Dhudson.model.ParametersAction.keepUndefinedParameters`=true to allow undefined parameters to be injected as environment variables or `-Dhudson.model.ParametersAction.safeParameters=[comma-separated list]` to whitelist specific parameter names, even though it represents a security breach

          Jun 09, 2016 8:45:07 AM WARNUNG hudson.model.ParametersAction filter
          Skipped parameter `MY_TEST_VARIABLE_3` as it is undefined on `MY_TEST_BUILD_CONFIG`. Set `-Dhudson.model.ParametersAction.keepUndefinedParameters`=true to allow undefined parameters to be injected as environment variables or `-Dhudson.model.ParametersAction.safeParameters=[comma-separated list]` to whitelist specific parameter names, even though it represents a security breach

          Mike Henderson added a comment -

          I found a workaround that I used to deal with this issue.
          My project(s) that use the release plugin did not use any parameters, so I added the same string parameter label as a build parameter. This allowed the release plugin string parameter to overwrite/update the build parameter and keep my workflow the same.
          I hope this helps others with the same issue.

          I am using Jenkins 2.8 with Release Plugin 2.5.4

          Oleg Nenashev added a comment -

          Maybe it's a SECURITY-170 regression.
          If yes, it's a duplicate of JENKINS-34996


          Croesus Kall added a comment -

          Another workaround:
          Start Jenkins with the Java option:

          -Dhudson.model.ParametersAction.keepUndefinedParameters=true
          

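Added example (not part of the original thread and not Jenkins code): the warning quoted above names two system properties, and `keepUndefinedParameters=true` turns the filter off for every job, while `safeParameters` admits only listed names. This Python sketch parses warnings in the quoted format and builds that narrower list; the sample log, the `RISKY` set and the function names are assumptions made for illustration.

```python
import re
from collections import defaultdict

# Warning text written by hudson.model.ParametersAction, in the format quoted in the thread.
SKIPPED = re.compile(r"Skipped parameter `([^`]+)` as it is undefined on `([^`]+)`")

# Assumption: illustrative, non-exhaustive names that influence how a build
# finds or loads code and therefore should not be allowlisted from a log.
RISKY = {"PATH", "LD_PRELOAD", "LD_LIBRARY_PATH", "JAVA_TOOL_OPTIONS", "MAVEN_OPTS"}

# Constructed sample log (matrix builds repeat the same warning several times).
SAMPLE_LOG = """\
Jun 09, 2016 8:45:07 AM WARNUNG hudson.model.ParametersAction filter
Skipped parameter `MY_TEST_VARIABLE_1` as it is undefined on `MY_TEST_BUILD_CONFIG`.
Jun 09, 2016 8:45:07 AM WARNUNG hudson.model.ParametersAction filter
Skipped parameter `MY_TEST_VARIABLE_2` as it is undefined on `MY_TEST_BUILD_CONFIG`.
Jun 09, 2016 8:45:08 AM WARNUNG hudson.model.ParametersAction filter
Skipped parameter `MY_TEST_VARIABLE_1` as it is undefined on `MY_TEST_BUILD_CONFIG`.
Jun 09, 2016 8:45:09 AM WARNUNG hudson.model.ParametersAction filter
Skipped parameter `LD_PRELOAD` as it is undefined on `CONSTRUCTED_OTHER_JOB`.
"""


def skipped_parameters(log_text):
    """Return {job name: set of parameter names} for every skipped-parameter warning."""
    jobs = defaultdict(set)
    for name, job in SKIPPED.findall(log_text):
        jobs[job].add(name)
    return dict(jobs)


def safe_parameters_option(log_text):
    """Return (JVM option or None, rejected names) for a narrow allowlist."""
    names = set().union(*skipped_parameters(log_text).values())
    rejected = sorted(n for n in names if n.upper() in RISKY)
    allowed = sorted(names - set(rejected))
    if not allowed:
        return None, rejected
    return "-Dhudson.model.ParametersAction.safeParameters=" + ",".join(allowed), rejected


if __name__ == "__main__":
    for job, params in sorted(skipped_parameters(SAMPLE_LOG).items()):
        print(job, sorted(params))
    option, rejected = safe_parameters_option(SAMPLE_LOG)
    print("review before use:", option)
    print("not allowlisted:", rejected)
```

The per-job output also shows which jobs would need the parameter declared on the job itself, the workaround described earlier in the thread, which requires no JVM option at all.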

          Vadim Sacharow added a comment -

          Up! for this ticket.
          We have the same issue with all jobs that make releases over the Jenkins Release Plugin.

          Christian Effertz added a comment -

          We also have this issue. We upgraded today to LTS 2.7.1

          Oleg Nenashev added a comment -

          https://github.com/jenkinsci/release-plugin/pull/17 is expected to fix it. CC amuniz.
          Related issue - JENKINS-34996
          Issue and workarounds are referenced here: https://wiki.jenkins-ci.org/display/JENKINS/Plugins+affected+by+fix+for+SECURITY-170

          Antonio Muñiz added a comment -

          Yes, that PR fixes this, it just needs merge and release.

          Rick Oosterholt added a comment -

          Released it in 2.6

            petehayes Peter Hayes
            lehrig Sebastian Lehrig