Uploaded image for project: 'Jenkins'
  1. Jenkins
  2. JENKINS-44127

Private key authenticated git checkout fails if '%' is in path to workspace

      Git-Branches with a Feature-Slash, e.g. US/story or hotfix/fix-fast cause the following error: 

       

      Obtained Jenkinsfile from 91c49cef39716aff75766ce6ed268d1d7d93bbff
      [Pipeline] node
      Running on HAL 9000 in /var/jenkins/workspace/routing/dev%2Fjenkins-integration
      [Pipeline] {
      [Pipeline] stage
      [Pipeline] { (Declarative: Checkout SCM)
      [Pipeline] checkout
       > git rev-parse --is-inside-work-tree # timeout=10
      Fetching changes from the remote Git repository
       > git config remote.origin.url ssh://git@code.logiball.de/loc/routing.git # timeout=10
      Fetching upstream changes from ssh://git@code.logiball.de/loc/routing.git
       > git --version # timeout=10
      using GIT_SSH to set credentials Test
       > git fetch --tags --progress ssh://git@code.logiball.de/loc/routing.git +refs/heads/*:refs/remotes/origin/*
      ERROR: Error fetching remote repo 'origin'
      hudson.plugins.git.GitException: Failed to fetch from ssh://git@code.logiball.de/loc/routing.git
      	at hudson.plugins.git.GitSCM.fetchFrom(GitSCM.java:809)
      	at hudson.plugins.git.GitSCM.retrieveChanges(GitSCM.java:1076)
      	at hudson.plugins.git.GitSCM.checkout(GitSCM.java:1107)
      	at org.jenkinsci.plugins.workflow.steps.scm.SCMStep.checkout(SCMStep.java:109)
      	at org.jenkinsci.plugins.workflow.steps.scm.SCMStep$StepExecutionImpl.run(SCMStep.java:83)
      	at org.jenkinsci.plugins.workflow.steps.scm.SCMStep$StepExecutionImpl.run(SCMStep.java:73)
      	at org.jenkinsci.plugins.workflow.steps.AbstractSynchronousNonBlockingStepExecution$1$1.call(AbstractSynchronousNonBlockingStepExecution.java:47)
      	at hudson.security.ACL.impersonate(ACL.java:260)
      	at org.jenkinsci.plugins.workflow.steps.AbstractSynchronousNonBlockingStepExecution$1.run(AbstractSynchronousNonBlockingStepExecution.java:44)
      	at java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:511)
      	at java.util.concurrent.FutureTask.run(FutureTask.java:266)
      	at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
      	at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
      	at java.lang.Thread.run(Thread.java:745)
      Caused by: hudson.plugins.git.GitException: Command "git fetch --tags --progress ssh://git@code.logiball.de/loc/routing.git +refs/heads/*:refs/remotes/origin/*" returned status code 128:
      stdout: 
      stderr: percent_expand: unknown key %2
      fatal: Could not read from remote repository.
      
      Please make sure you have the correct access rights
      and the repository exists.
      
      	at org.jenkinsci.plugins.gitclient.CliGitAPIImpl.launchCommandIn(CliGitAPIImpl.java:1877)
      	at org.jenkinsci.plugins.gitclient.CliGitAPIImpl.launchCommandWithCredentials(CliGitAPIImpl.java:1596)
      	at org.jenkinsci.plugins.gitclient.CliGitAPIImpl.access$300(CliGitAPIImpl.java:71)
      	at org.jenkinsci.plugins.gitclient.CliGitAPIImpl$1.execute(CliGitAPIImpl.java:348)
      	at org.jenkinsci.plugins.gitclient.RemoteGitImpl$CommandInvocationHandler$1.call(RemoteGitImpl.java:153)
      	at org.jenkinsci.plugins.gitclient.RemoteGitImpl$CommandInvocationHandler$1.call(RemoteGitImpl.java:146)
      	at hudson.remoting.UserRequest.perform(UserRequest.java:153)
      	at hudson.remoting.UserRequest.perform(UserRequest.java:50)
      	at hudson.remoting.Request$2.run(Request.java:336)
      	at hudson.remoting.InterceptingExecutorService$1.call(InterceptingExecutorService.java:68)
      	at java.util.concurrent.FutureTask.run(FutureTask.java:266)
      	at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
      	at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
      	at java.lang.Thread.run(Thread.java:745)
      	at ......remote call to HAL 9000(Native Method)
      	at hudson.remoting.Channel.attachCallSiteStackTrace(Channel.java:1545)
      	at hudson.remoting.UserResponse.retrieve(UserRequest.java:253)
      	at hudson.remoting.Channel.call(Channel.java:830)
      	at org.jenkinsci.plugins.gitclient.RemoteGitImpl$CommandInvocationHandler.execute(RemoteGitImpl.java:146)
      	at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
      	at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
      	at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
      	at java.lang.reflect.Method.invoke(Method.java:498)
      	at org.jenkinsci.plugins.gitclient.RemoteGitImpl$CommandInvocationHandler.invoke(RemoteGitImpl.java:132)
      	at com.sun.proxy.$Proxy92.execute(Unknown Source)
      	at hudson.plugins.git.GitSCM.fetchFrom(GitSCM.java:807)
      	... 13 more

      Branches - not containing a slash in the name - work without problems. Hopefully this bug can be fixed soon.

      markewaite says a "%" character embedded in the temporary directory name will cause ssh authentication to fail. The root cause is that ssh has a concept of "percent expansion" (or tokens as they are called in the OpenBSD man page).

          [JENKINS-44127] Private key authenticated git checkout fails if '%' is in path to workspace

          Sven Friedrich added a comment - - edited

          I should mention that the problem is caused by -Djenkins.branch.WorkspaceLocatorImpl.PATH_MAX=0 in your jenkins.xml. We removed the setting and it works fine.

          Sven Friedrich added a comment - - edited I should mention that the problem is caused by -Djenkins.branch.WorkspaceLocatorImpl.PATH_MAX=0 in your jenkins.xml. We removed the setting and it works fine.

          Mark Waite added a comment -

          Thanks sweynson, that clarifies why I could see the problem on Windows, but not see it on Linux. I wasn't using that setting, so I assume the Windows machine used '%' in the path to the workspace, while the Linux machine did not.

          Mark Waite added a comment - Thanks sweynson , that clarifies why I could see the problem on Windows, but not see it on Linux. I wasn't using that setting, so I assume the Windows machine used '%' in the path to the workspace, while the Linux machine did not.

          Mark Waite added a comment -

          I've created a pull request which includes a fix for this. The pull request build is available for test now. Could you test it within the next few days and report results?

          I'd like to release either Saturday 20 May 2017 or Tuesday 23 May 2017.

          Mark Waite added a comment - I've created a pull request which includes a fix for this. The pull request build is available for test now. Could you test it within the next few days and report results? I'd like to release either Saturday 20 May 2017 or Tuesday 23 May 2017.

          I'm currently busy, as we have updated our jenkins now, but i will try to do so. 
           

          Sven Friedrich added a comment - I'm currently busy, as we have updated our jenkins now, but i will try to do so.   

          Jesse Glick added a comment -

          Right, if you disable WorkspaceLocatorImpl then you lose protection against funny names in branch characters.

          Jesse Glick added a comment - Right, if you disable WorkspaceLocatorImpl then you lose protection against funny names in branch characters.

          Code changed in jenkins
          User: Mark Waite
          Path:
          src/test/java/org/jenkinsci/plugins/gitclient/CredentialsTest.java
          http://jenkins-ci.org/commit/git-client-plugin/5c74414a6ef50488e9006d83f127a69b6a7b8da0
          Log:
          Test special characters in credentials workspace path

          JENKINS-44041 - Windows authenticated git checkout fails if '(' or ')' in path to workspace
          JENKINS-43931 - Windows authenticated git checkout fails if ' ' in path to workspace
          JENKINS-44127 - Authenticated git checkout fails if '%' in path to workspace (Windows & Linux)

          SCM/JIRA link daemon added a comment - Code changed in jenkins User: Mark Waite Path: src/test/java/org/jenkinsci/plugins/gitclient/CredentialsTest.java http://jenkins-ci.org/commit/git-client-plugin/5c74414a6ef50488e9006d83f127a69b6a7b8da0 Log: Test special characters in credentials workspace path JENKINS-44041 - Windows authenticated git checkout fails if '(' or ')' in path to workspace JENKINS-43931 - Windows authenticated git checkout fails if ' ' in path to workspace JENKINS-44127 - Authenticated git checkout fails if '%' in path to workspace (Windows & Linux)

          Code changed in jenkins
          User: Mark Waite
          Path:
          src/main/java/org/jenkinsci/plugins/gitclient/CliGitAPIImpl.java
          http://jenkins-ci.org/commit/git-client-plugin/8a2ddf222f4463e2458e387121bf8d4c7840c37a
          Log:
          Fix special characters bugs in credentials workspace path

          JENKINS-44041 - Windows authenticated git checkout fails if '(' or ')' in path to workspace
          JENKINS-43931 - Windows authenticated git checkout fails if ' ' in path to workspace
          JENKINS-44127 - Authenticated git checkout fails if '%' in path to workspace (Windows & Linux)

          Also safeguards against use for "`" (grave) in a workspace path.
          Jenkins already guards against that, but the added safety check is low
          cost and passes the credentials tests.

          SCM/JIRA link daemon added a comment - Code changed in jenkins User: Mark Waite Path: src/main/java/org/jenkinsci/plugins/gitclient/CliGitAPIImpl.java http://jenkins-ci.org/commit/git-client-plugin/8a2ddf222f4463e2458e387121bf8d4c7840c37a Log: Fix special characters bugs in credentials workspace path JENKINS-44041 - Windows authenticated git checkout fails if '(' or ')' in path to workspace JENKINS-43931 - Windows authenticated git checkout fails if ' ' in path to workspace JENKINS-44127 - Authenticated git checkout fails if '%' in path to workspace (Windows & Linux) Also safeguards against use for "`" (grave) in a workspace path. Jenkins already guards against that, but the added safety check is low cost and passes the credentials tests.

          Mark Waite added a comment -

          Fixed in git client plugin 2.4.6 released 24 May 2017

          Mark Waite added a comment - Fixed in git client plugin 2.4.6 released 24 May 2017

            markewaite Mark Waite
            sweynson Sven Friedrich
            Votes:
            0 Vote for this issue
            Watchers:
            4 Start watching this issue

              Created:
              Updated:
              Resolved: