[JIRA] [core] (JENKINS-34826) Promoted builds do not receive parameter values defined at the job level


hiddenmaverick.3285@gmail.com (JIRA)

May 13, 2016, 7:03:02 PM
to jenkinsc...@googlegroups.com
Hidden Maverick created an issue
 
Jenkins / Bug JENKINS-34826
Promoted builds do not receive parameter values defined at the job level
Issue Type: Bug
Assignee: Oleg Nenashev
Components: core, promoted-builds-plugin
Created: 2016/May/13 11:02 PM
Environment: * Operating system: CentOS 7.2.1511 with latest updates applied using "yum update" as of 2016-05-13.
* Java runtime version: 1.7.0_101-mockbuild_2016_04_21_13_43-b00
* Jenkins version: 1.651.2
* Promoted Builds Plugin version: 2.26
Priority: Major
Reporter: Hidden Maverick

The security issue related to arbitrary build parameters (described in the link https://wiki.jenkins-ci.org/display/SECURITY/Jenkins+Security+Advisory+2016-05-11) was addressed by Jenkins 1.651.2. Unfortunately, this security fix caused freestyle jobs containing build parameters to break if they include promoted builds that attempt to access the build parameters defined at the job level.

Downgrading to Jenkins 1.651.1 allowed the affected jobs to function again.

This message was sent by Atlassian JIRA (v6.4.2#64017-sha1:e244265)

o.v.nenashev@gmail.com (JIRA)

May 13, 2016, 7:09:01 PM
to jenkinsc...@googlegroups.com

o.v.nenashev@gmail.com (JIRA)

May 13, 2016, 7:12:01 PM
to jenkinsc...@googlegroups.com
Oleg Nenashev commented on Bug JENKINS-34826
 
Re: Promoted builds do not receive parameter values defined at the job level

Workaround: create parameter definitions in the Manual approval dialog.
It is not a perfect solution.

chris@orr.me.uk (JIRA)

May 15, 2016, 8:49:02 AM
to jenkinsc...@googlegroups.com

roman.pickl@fluidtime.com (JIRA)

May 17, 2016, 7:33:02 AM
to jenkinsc...@googlegroups.com
Roman Pickl commented on Bug JENKINS-34826
 
Re: Promoted builds do not receive parameter values defined at the job level

Workaround does not work for me:
When I define the parameter and click on promote I get:

javax.servlet.ServletException: java.lang.ClassCastException: net.sf.json.JSONNull cannot be cast to net.sf.json.JSONObject
at org.kohsuke.stapler.Stapler.tryInvoke(Stapler.java:796)
at org.kohsuke.stapler.Stapler.invoke(Stapler.java:876)
at org.kohsuke.stapler.MetaClass$11.dispatch(MetaClass.java:380)
at org.kohsuke.stapler.Stapler.tryInvoke(Stapler.java:746)
at org.kohsuke.stapler.Stapler.invoke(Stapler.java:876)
at org.kohsuke.stapler.MetaClass$11.dispatch(MetaClass.java:380)
at org.kohsuke.stapler.Stapler.tryInvoke(Stapler.java:746)
at org.kohsuke.stapler.Stapler.invoke(Stapler.java:876)
at org.kohsuke.stapler.MetaClass$11.dispatch(MetaClass.java:380)
at org.kohsuke.stapler.Stapler.tryInvoke(Stapler.java:746)
at org.kohsuke.stapler.Stapler.invoke(Stapler.java:876)
at org.kohsuke.stapler.MetaClass$5.doDispatch(MetaClass.java:233)
at org.kohsuke.stapler.NameBasedDispatcher.dispatch(NameBasedDispatcher.java:58)
at org.kohsuke.stapler.Stapler.tryInvoke(Stapler.java:746)
at org.kohsuke.stapler.Stapler.invoke(Stapler.java:876)
at org.kohsuke.stapler.Stapler.invoke(Stapler.java:649)
at org.kohsuke.stapler.Stapler.service(Stapler.java:238)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:848)
at org.eclipse.jetty.servlet.ServletHolder.handle(ServletHolder.java:686)
at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1494)
at hudson.util.PluginServletFilter$1.doFilter(PluginServletFilter.java:135)
at com.smartcodeltd.jenkinsci.plugin.assetbundler.filters.LessCSS.doFilter(LessCSS.java:47)
at hudson.util.PluginServletFilter$1.doFilter(PluginServletFilter.java:132)
at hudson.plugins.greenballs.GreenBallFilter.doFilter(GreenBallFilter.java:59)
at hudson.util.PluginServletFilter$1.doFilter(PluginServletFilter.java:132)
at hudson.util.PluginServletFilter.doFilter(PluginServletFilter.java:126)
at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1482)
at hudson.security.csrf.CrumbFilter.doFilter(CrumbFilter.java:86)
at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1482)
at hudson.security.ChainedServletFilter$1.doFilter(ChainedServletFilter.java:84)
at hudson.security.UnwrapSecurityExceptionFilter.doFilter(UnwrapSecurityExceptionFilter.java:51)
at hudson.security.ChainedServletFilter$1.doFilter(ChainedServletFilter.java:87)
at jenkins.security.ExceptionTranslationFilter.doFilter(ExceptionTranslationFilter.java:117)
at hudson.security.ChainedServletFilter$1.doFilter(ChainedServletFilter.java:87)
at org.acegisecurity.providers.anonymous.AnonymousProcessingFilter.doFilter(AnonymousProcessingFilter.java:125)
at hudson.security.ChainedServletFilter$1.doFilter(ChainedServletFilter.java:87)
at org.acegisecurity.ui.rememberme.RememberMeProcessingFilter.doFilter(RememberMeProcessingFilter.java:142)
at hudson.security.ChainedServletFilter$1.doFilter(ChainedServletFilter.java:87)
at org.acegisecurity.ui.AbstractProcessingFilter.doFilter(AbstractProcessingFilter.java:271)
at hudson.security.ChainedServletFilter$1.doFilter(ChainedServletFilter.java:87)
at jenkins.security.BasicHeaderProcessor.doFilter(BasicHeaderProcessor.java:93)
at hudson.security.ChainedServletFilter$1.doFilter(ChainedServletFilter.java:87)
at org.acegisecurity.context.HttpSessionContextIntegrationFilter.doFilter(HttpSessionContextIntegrationFilter.java:249)
at hudson.security.HttpSessionContextIntegrationFilter2.doFilter(HttpSessionContextIntegrationFilter2.java:67)
at hudson.security.ChainedServletFilter$1.doFilter(ChainedServletFilter.java:87)
at hudson.security.ChainedServletFilter.doFilter(ChainedServletFilter.java:76)
at hudson.security.HudsonFilter.doFilter(HudsonFilter.java:171)
at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1482)
at org.kohsuke.stapler.compression.CompressionFilter.doFilter(CompressionFilter.java:49)
at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1482)
at hudson.util.CharacterEncodingFilter.doFilter(CharacterEncodingFilter.java:81)
at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1482)
at org.kohsuke.stapler.DiagnosticThreadNameFilter.doFilter(DiagnosticThreadNameFilter.java:30)
at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1474)
at org.eclipse.jetty.servlet.ServletHandler.doHandle(ServletHandler.java:499)
at org.eclipse.jetty.server.handler.ScopedHandler.handle(ScopedHandler.java:137)
at org.eclipse.jetty.security.SecurityHandler.handle(SecurityHandler.java:533)
at org.eclipse.jetty.server.session.SessionHandler.doHandle(SessionHandler.java:231)
at org.eclipse.jetty.server.handler.ContextHandler.doHandle(ContextHandler.java:1086)
at org.eclipse.jetty.servlet.ServletHandler.doScope(ServletHandler.java:428)
at org.eclipse.jetty.server.session.SessionHandler.doScope(SessionHandler.java:193)
at org.eclipse.jetty.server.handler.ContextHandler.doScope(ContextHandler.java:1020)
at org.eclipse.jetty.server.handler.ScopedHandler.handle(ScopedHandler.java:135)
at org.eclipse.jetty.server.handler.HandlerWrapper.handle(HandlerWrapper.java:116)
at org.eclipse.jetty.server.Server.handle(Server.java:370)
at org.eclipse.jetty.server.AbstractHttpConnection.handleRequest(AbstractHttpConnection.java:489)
at org.eclipse.jetty.server.AbstractHttpConnection.content(AbstractHttpConnection.java:960)
at org.eclipse.jetty.server.AbstractHttpConnection$RequestHandler.content(AbstractHttpConnection.java:1021)
at org.eclipse.jetty.http.HttpParser.parseNext(HttpParser.java:865)
at org.eclipse.jetty.http.HttpParser.parseAvailable(HttpParser.java:240)
at org.eclipse.jetty.server.AsyncHttpConnection.handle(AsyncHttpConnection.java:82)
at org.eclipse.jetty.io.nio.SelectChannelEndPoint.handle(SelectChannelEndPoint.java:668)
at org.eclipse.jetty.io.nio.SelectChannelEndPoint$1.run(SelectChannelEndPoint.java:52)
at winstone.BoundedExecutorService$1.run(BoundedExecutorService.java:77)
at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1145)
at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:615)
at java.lang.Thread.run(Thread.java:745)
Caused by: java.lang.ClassCastException: net.sf.json.JSONNull cannot be cast to net.sf.json.JSONObject
at hudson.plugins.promoted_builds.Status.doBuild(Status.java:401)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:57)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
at java.lang.reflect.Method.invoke(Method.java:606)
at org.kohsuke.stapler.Function$InstanceFunction.invoke(Function.java:320)
at org.kohsuke.stapler.Function.bindAndInvoke(Function.java:163)
at org.kohsuke.stapler.Function.bindAndInvokeAndServeResponse(Function.java:96)
at org.kohsuke.stapler.MetaClass$1.doDispatch(MetaClass.java:124)
at org.kohsuke.stapler.NameBasedDispatcher.dispatch(NameBasedDispatcher.java:58)
at org.kohsuke.stapler.Stapler.tryInvoke(Stapler.java:746)
... 76 more

o.v.nenashev@gmail.com (JIRA)

May 17, 2016, 7:49:01 AM
to jenkinsc...@googlegroups.com
Oleg Nenashev started work on Bug JENKINS-34826
 
Change By: Oleg Nenashev
Status: Open → In Progress

o.v.nenashev@gmail.com (JIRA)

May 17, 2016, 7:49:02 AM
to jenkinsc...@googlegroups.com

I'm working on the fix in promoted-builds.
Maybe "-Dhudson.model.ParametersAction.safeParameters=" is the right workaround then

hiddenmaverick.3285@gmail.com (JIRA)

May 17, 2016, 11:55:02 AM
to jenkinsc...@googlegroups.com

I'm using a workaround similar to the accepted answer here: http://stackoverflow.com/questions/31082154/parameterize-the-approver-detail-in-promoted-build-plugin-in-jenkins#31116631

This workaround uses the Copy Artifacts and EnvInject plugins to store the parameters at the job level and retrieve them at the promotion level. The job uses a native shell build task (Execute Windows Batch Command, Execute Shell, etc.) to store the parameters using the Java Properties format into a file in the workspace, with one parameter per line given in a name=value pair. A Copy Artifacts post-build task is then used to copy the parameter file to the job as an artifact.

The promotion will need an action to copy the artifact from the project, with $PROMOTED_JOB_NAME as the project name, $PROMOTED_NUMBER as the specific build number, and the filename of the parameter file as the artifact to copy. Finally, an Inject Environment Variables task (from the EnvInject plugin), with the filename of the parameter file specified, will make the parameters available as environment variables.

The workaround requires a few extra steps, but has been working robustly for me.

hiddenmaverick.3285@gmail.com (JIRA)

May 17, 2016, 11:56:02 AM
to jenkinsc...@googlegroups.com
Hidden Maverick edited a comment on Bug JENKINS-34826
I'm using a workaround similar to the accepted answer here: http://stackoverflow.com/questions/31082154/parameterize-the-approver-detail-in-promoted-build-plugin-in-jenkins#31116631

This workaround uses the Copy Artifacts and EnvInject plugins to store the parameters at the job level and retrieve them at the promotion level. The job uses a native shell build task (Execute Windows Batch Command, Execute Shell, etc.) to store the parameters using the Java Properties format into a file in the workspace, with one parameter per line given in a name=value pair. A Copy Artifacts post-build task is then used to copy the parameter file to the job as an artifact.

The promotion will need an action to copy the artifact from the project, with $PROMOTED_JOB_NAME as the project name, $PROMOTED_NUMBER as the specific build number, and the filename of the parameter file as the artifact to copy. Finally, an Inject Environment Variables task (from the EnvInject plugin), with the filename of the parameter file specified, will make the parameters available as environment variables.

The workaround requires a few extra steps, but has been working robustly for me in both Jenkins 1.651.1 and Jenkins 1.651.2.

hiddenmaverick.3285@gmail.com (JIRA)

May 17, 2016, 12:01:03 PM
to jenkinsc...@googlegroups.com
Hidden Maverick edited a comment on Bug JENKINS-34826
This workaround uses the Copy Artifact and EnvInject plugins to store the parameters at the job level and retrieve them at the promotion level. The job uses a native shell build task (Execute Windows Batch Command, Execute Shell, etc.) to store the parameters using the Java Properties format into a file in the workspace, with one parameter per line given in a name=value pair. An Archive The Artifacts post-build task (from the Copy Artifact plugin) is then used to copy the parameter file to the job as an artifact.

The promotion will need an action to copy the artifact from the project, with $PROMOTED_JOB_NAME as the project name, $PROMOTED_NUMBER as the specific build number, and the filename of the parameter file as the artifact to copy.  Finally, an Inject Environment Variables task (from the EnvInject plugin), with the filename of the parameter file specified, will make the parameters available as environment variables.

The workaround requires a few extra steps, but has been working robustly for me in both Jenkins 1.651.1 and Jenkins 1.651.2.
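
The parameter-file step of the workaround described above, written out as an added example; it is not code from the thread or from either plugin. The file name `promotion.properties`, the parameter names `DEPLOY_ENV` and `ARTIFACT_DIR`, and the choice to reject multi-line values are assumptions. Names are passed explicitly so only the listed parameters reach the promotion, and backslashes are doubled because the Java Properties format treats them as escape characters.

```shell
#!/bin/sh
# Added example, not from the thread. Assumed names: promotion.properties,
# DEPLOY_ENV, ARTIFACT_DIR. Policy choice here: multi-line values are rejected.

# write_promotion_props OUTFILE NAME... : write the listed environment
# variables to OUTFILE as name=value lines in Java Properties format.
write_promotion_props() {
    out=$1; shift
    nl='
'
    cr=$(printf '\r')
    tmp="$out.tmp.$$"
    : > "$tmp" || return 1
    for name in "$@"; do
        # Accept only plain identifiers as property keys.
        case $name in
            ''|[!A-Za-z_]*|*[!A-Za-z0-9_]*)
                echo "rejected parameter name: $name" >&2
                rm -f "$tmp"; return 1 ;;
        esac
        # An unset parameter is an error, not an empty value.
        value=$(printenv "$name") || {
            echo "parameter not set: $name" >&2
            rm -f "$tmp"; return 1
        }
        # A line break inside a value would start a second property line.
        case $value in
            *"$nl"*|*"$cr"*)
                echo "multi-line value rejected: $name" >&2
                rm -f "$tmp"; return 1 ;;
        esac
        # Properties files treat backslash as an escape character: double it.
        escaped=$(printf '%s' "$value" | sed 's/\\/\\\\/g')
        printf '%s=%s\n' "$name" "$escaped" >> "$tmp"
    done
    # Replace the output only after every parameter passed the checks.
    mv "$tmp" "$out"
}

# Constructed sample values standing in for the job's build parameters.
export DEPLOY_ENV=staging ARTIFACT_DIR='C:\builds\app'
write_promotion_props "${WORKSPACE:-.}/promotion.properties" DEPLOY_ENV ARTIFACT_DIR
```
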

scm_issue_link@java.net (JIRA)

May 25, 2016, 5:44:02 AM
to jenkinsc...@googlegroups.com

Code changed in jenkins
User: Oleg Nenashev
Path:
src/main/java/hudson/plugins/promoted_builds/Promotion.java
src/main/java/hudson/plugins/promoted_builds/PromotionProcess.java
src/test/java/hudson/plugins/promoted_builds/conditions/ManualConditionTest.java
src/test/java/hudson/plugins/promoted_builds/conditions/SelfPromotionTest.java
http://jenkins-ci.org/commit/promoted-builds-plugin/57946a3cdd64952a9b5201b0548b31c3f9736779
Log:
JENKINS-34826 - Prevent failures when using parameters from the promoted build (#93)

  • JENKINS-34826 - Introduce PromotionParametersAction with relaxed security checks
  • [SECURITY-170] - Add test to ensure that ManualApproval parameters are filtered properly

o.v.nenashev@gmail.com (JIRA)

May 25, 2016, 7:18:02 AM
to jenkinsc...@googlegroups.com
Oleg Nenashev resolved as Fixed
 

Released the fix in 2.27

Change By: Oleg Nenashev
Status: In Progress → Resolved
Resolution: Fixed