[JIRA] [ghprb-plugin] (JENKINS-34762) PR status cannot be updated due to filtered parameters


chris@orr.me.uk (JIRA)

May 12, 2016, 6:47:03 AM
to jenkinsc...@googlegroups.com
Christopher Orr created an issue
 
Jenkins / Bug JENKINS-34762
PR status cannot be updated due to filtered parameters
Issue Type: Bug
Assignee: Honza Brázdil
Components: ghprb-plugin
Created: 2016/May/12 10:46 AM
Priority: Critical
Reporter: Christopher Orr

The fix for SECURITY-170 as described in this blog post means that Jenkins core filters out any parameters used that were not defined in the job:
https://jenkins.io/blog/2016/05/11/security-update/

Since GHPRB defines lots of parameters at runtime, and then later tries to access them, a bunch of functionality in the plugin fails.

For example, at the end of a PR build, the plugin tries to read the PR ID so that it can update it on GitHub — but because the ghprbPullId parameter gets filtered out, the plugin fails to determine the PR ID.

May 12, 2016 12:35:13 PM hudson.model.ParametersAction filter
WARNING: Skipped parameter `ghprbPullId ` as it is undefined on `pr-test-job`. Set `-Dhudson.model.ParametersAction.keepUndefinedParameters`=true to allow undefined parameters to be injected as environment variables or `-Dhudson.model.ParametersAction.safeParameters=[comma-separated list]` to whitelist specific parameter names, even though it represents a security breach
May 12, 2016 12:35:13 PM hudson.model.listeners.RunListener report
WARNING: RunListener failed
java.lang.NumberFormatException: null
        at java.lang.Integer.parseInt(Integer.java:542)
        at java.lang.Integer.parseInt(Integer.java:615)
        at org.jenkinsci.plugins.ghprb.extensions.status.GhprbSimpleStatus.createCommitStatus(GhprbSimpleStatus.java:220)
        at org.jenkinsci.plugins.ghprb.extensions.status.GhprbSimpleStatus.onBuildComplete(GhprbSimpleStatus.java:208)
        at org.jenkinsci.plugins.ghprb.GhprbBuilds.onCompleted(GhprbBuilds.java:192)
        at org.jenkinsci.plugins.ghprb.GhprbBuildListener.onCompleted(GhprbBuildListener.java:32)
        at org.jenkinsci.plugins.ghprb.GhprbBuildListener.onCompleted(GhprbBuildListener.java:17)
        at hudson.model.listeners.RunListener.fireCompleted(RunListener.java:202)
        at hudson.model.Run.execute(Run.java:1783)
        at hudson.model.FreeStyleBuild.run(FreeStyleBuild.java:43)
        at hudson.model.ResourceController.execute(ResourceController.java:98)
        at hudson.model.Executor.run(Executor.java:410)

Presumably this plugin should define its own Action class to store this information, rather than relying on these parameters to be exported into the environment during a build.

This message was sent by Atlassian JIRA (v6.4.2#64017-sha1:e244265)
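
To see which jobs and parameters the SECURITY-170 filter is dropping, the warning quoted in the report above can be collected from the Jenkins log. The following is an added example, not part of the original thread or of the plugin; the sample log is constructed from the lines quoted in the report, with the trailing advice shortened to "Set ...".

```python
import re
from collections import defaultdict

# Warning text written by hudson.model.ParametersAction, as quoted in the report.
SKIPPED = re.compile(
    r"WARNING: Skipped parameter `([^`]*)` as it is undefined on `([^`]*)`"
)

# Constructed sample log, modelled on the lines quoted in this thread.
SAMPLE_LOG = """\
May 12, 2016 12:35:13 PM hudson.model.ParametersAction filter
WARNING: Skipped parameter `ghprbPullId ` as it is undefined on `pr-test-job`. Set ...
May 12, 2016 12:35:13 PM hudson.model.listeners.RunListener report
WARNING: RunListener failed
java.lang.NumberFormatException: null
May 12, 2016 12:36:40 PM hudson.model.ParametersAction filter
WARNING: Skipped parameter `ghprbPullId ` as it is undefined on `pr-test-job`. Set ...
May 12, 2016 12:36:40 PM hudson.model.ParametersAction filter
WARNING: Skipped parameter `sha1` as it is undefined on `pr-test-job`. Set ...
May 12, 2016 12:40:02 PM hudson.model.ParametersAction filter
WARNING: Skipped parameter `ghprbGhRepository` as it is undefined on `other-job`. Set ...
"""


def skipped_parameters(log_text):
    """Return {job name: {parameter name: times skipped}}."""
    result = defaultdict(lambda: defaultdict(int))
    for line in log_text.splitlines():
        match = SKIPPED.search(line)
        if match:
            # The logged name can carry stray whitespace inside the backticks
            # (see `ghprbPullId ` above), so normalise before counting.
            name, job = match.group(1).strip(), match.group(2).strip()
            result[job][name] += 1
    return {job: dict(params) for job, params in result.items()}


def report(log_text):
    """One line per affected job: the parameters that were filtered out."""
    found = skipped_parameters(log_text)
    return [f"{job}: {','.join(sorted(found[job]))}" for job in sorted(found)]


if __name__ == "__main__":
    for line in report(SAMPLE_LOG):
        print(line)
```
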

tubaguy50035@gmail.com (JIRA)

May 12, 2016, 11:55:01 AM
to jenkinsc...@googlegroups.com
Nick Walke commented on Bug JENKINS-34762
 
Re: PR status cannot be updated due to filtered parameters

Just ran into this. Thanks for finding the cause.

nickbroon@gmail.com (JIRA)

May 12, 2016, 5:05:03 PM
to jenkinsc...@googlegroups.com

I'd guess that https://github.com/jenkinsci/stash-pullrequest-builder-plugin may have the same problem as it appears to define extra parameters in a similar way.

chris@orr.me.uk (JIRA)

May 13, 2016, 6:33:02 PM
to jenkinsc...@googlegroups.com

Nicholas Brown: If you use that plugin, and you're seeing issues due to the fix for SECURITY-170, could you please file a new bug for that?

Also adding it to the wiki page of affected plugins would be helpful.

chris@orr.me.uk (JIRA)

May 13, 2016, 6:34:03 PM
to jenkinsc...@googlegroups.com

nickbroon@gmail.com (JIRA)

May 15, 2016, 5:58:02 AM
to jenkinsc...@googlegroups.com

maggie@matrisync.com (JIRA)

May 16, 2016, 8:45:02 AM
to jenkinsc...@googlegroups.com

I've been able to do a quick circumvention of this for our PRs by simply adding a sha1 parameter to the affected job.

chris@orr.me.uk (JIRA)

May 18, 2016, 12:32:04 PM
to jenkinsc...@googlegroups.com

chris@orr.me.uk (JIRA)

May 18, 2016, 12:32:06 PM
to jenkinsc...@googlegroups.com
Christopher Orr started work on Bug JENKINS-34762
 
Change By: Christopher Orr
Status: Open → In Progress

zentavr@trafford.com.ua (JIRA)

May 18, 2016, 10:43:02 PM
to jenkinsc...@googlegroups.com

This article describes the idea how to bypass the problem.

My list of the vars was:

ghprbActualCommit,ghprbActualCommitAuthor,ghprbActualCommitAuthorEmail,ghprbAuthorRepoGitUrl,ghprbCommentBody,ghprbCredentialsId,ghprbGhRepository,ghprbPullAuthorEmail,ghprbPullAuthorLogin,ghprbPullAuthorLoginMention,ghprbPullDescription,ghprbPullId,ghprbPullLink,ghprbPullLongDescription,ghprbPullTitle,ghprbSourceBranch,ghprbTargetBranch,ghprbTriggerAuthor,ghprbTriggerAuthorEmail,ghprbTriggerAuthorLogin,ghprbTriggerAuthorLoginMention

zentavr@trafford.com.ua (JIRA)

May 18, 2016, 10:55:01 PM
to jenkinsc...@googlegroups.com

Ok, seems like the advice provided in the article does not work for my Jenkins 2.5. I see the same:

May 19, 2016 2:51:13 AM hudson.model.ParametersAction filter
WARNING: Skipped parameter `ghprbGhRepository` as it is undefined on `Arena-platform-pull-request-checker`. Set `-Dhudson.model.ParametersAction.keepUndefinedParameters`=true to allow undefined parameters to be injected as environment variables or `-Dhudson.model.ParametersAction.safeParameters=[comma-separated list]` to whitelist specific parameter names, even though it represents a security breach

in my log even when specified -Dhudson.model.ParametersAction.keepUndefinedParameters=true

Jenkins was spawned with:

/usr/bin/java -XX:PermSize=256m -XX:MaxPermSize=256m -verbose:gc -XX:+PrintGCDetails -XX:+PrintGCTimeStamps -Dcom.sun.management.jmxremote -Dcom.sun.management.jmxremote.port=8081 -Dcom.sun.management.jmxremote.authenticate=false -Dcom.sun.management.jmxremote.ssl=false -jar /usr/share/jenkins/jenkins.war --webroot=/var/cache/jenkins/war --httpPort=-1 --ajp13Port=-1 --httpsPort=8083 --httpsCertificate=/data/jenkins/ssl_certs/cashdev_gsngames_com.crt --httpsPrivateKey=/data/jenkins/ssl_certs/cashdev_gsngames_com.key -Dhudson.model.ParametersAction.keepUndefinedParameters=true

zentavr@trafford.com.ua (JIRA)

May 18, 2016, 10:56:02 PM
to jenkinsc...@googlegroups.com

zentavr@trafford.com.ua (JIRA)

May 18, 2016, 11:13:01 PM
to jenkinsc...@googlegroups.com

...changed the command - moved the parameter before -jar happens:

/usr/bin/java -XX:PermSize=256m -XX:MaxPermSize=256m -verbose:gc -XX:+PrintGCDetails -XX:+PrintGCTimeStamps -Dcom.sun.management.jmxremote -Dcom.sun.management.jmxremote.port=8081 -Dcom.sun.management.jmxremote.authenticate=false -Dcom.sun.management.jmxremote.ssl=false -Dhudson.model.ParametersAction.keepUndefinedParameters=true -jar /usr/share/jenkins/jenkins.war --webroot=/var/cache/jenkins/war --httpPort=-1 --ajp13Port=-1 --httpsPort=8083 --httpsCertificate=/data/jenkins/ssl_certs/dev_com.crt --httpsPrivateKey=/data/jenkins/ssl_certs/dev_com.key
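
The difference between the two command lines above is where the `-D` option sits: the `java` launcher treats everything after `-jar <file>` as arguments for the application, so a `-D` placed there is never set as a JVM system property. The check below is an added example, not part of the original thread; the two sample commands are constructed, shortened versions of the ones posted.

```python
import shlex


def jvm_and_app_args(command):
    """Split a `java ... -jar <file> ...` command into (JVM options, app args).

    Tokens before `-jar` are read by the JVM; tokens after the jar file are
    passed to the application's main() as plain arguments.
    """
    tokens = shlex.split(command)
    if "-jar" not in tokens[1:]:
        raise ValueError("not a 'java -jar' command line")
    jar_flag = tokens.index("-jar", 1)
    if jar_flag + 1 >= len(tokens):
        raise ValueError("-jar is not followed by a file")
    return tokens[1:jar_flag], tokens[jar_flag + 2:]


def misplaced_system_properties(command):
    """-D tokens after the jar file, which the JVM never sees as properties."""
    _, app_args = jvm_and_app_args(command)
    return [tok for tok in app_args if tok.startswith("-D")]


def effective_system_properties(command):
    """System properties the JVM actually sets: {name: value}."""
    jvm_opts, _ = jvm_and_app_args(command)
    props = {}
    for tok in jvm_opts:
        if tok.startswith("-D"):
            name, _, value = tok[2:].partition("=")
            props[name] = value
    return props


PROP = "hudson.model.ParametersAction.keepUndefinedParameters"
# Constructed, shortened versions of the two commands posted in the thread.
AFTER_JAR = ("/usr/bin/java -verbose:gc -jar /usr/share/jenkins/jenkins.war "
             "--httpPort=-1 --httpsPort=8083 -D" + PROP + "=true")
BEFORE_JAR = ("/usr/bin/java -verbose:gc -D" + PROP + "=true "
              "-jar /usr/share/jenkins/jenkins.war --httpPort=-1 --httpsPort=8083")

if __name__ == "__main__":
    for cmd in (AFTER_JAR, BEFORE_JAR):
        print(misplaced_system_properties(cmd), effective_system_properties(cmd))
```
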

wosc+jenkins@wosc.de (JIRA)

May 24, 2016, 7:41:07 AM
to jenkinsc...@googlegroups.com

The -Dhudson.model.ParametersAction.safeParameters workaround works for me, however the new plugin version 1.32.1 does not work for me, it does not substitute the sha1-parameter in the job.

chris@orr.me.uk (JIRA)

May 24, 2016, 7:44:02 AM
to jenkinsc...@googlegroups.com

Wolfgang Schnerring: Are you able to provide any details other than it "does not work"?

What do you see in the logs? Does this happen for all ghprb parameters? What type of job are you using? If it's a matrix job, then that's also broken and doesn't provide parameters at the moment:
https://wiki.jenkins-ci.org/display/JENKINS/Plugins+affected+by+fix+for+SECURITY-170

wosc+jenkins@wosc.de (JIRA)

May 24, 2016, 9:02:04 AM
to jenkinsc...@googlegroups.com

Christopher Orr Sorry about my brevity, but unfortunately I really don't have much more to tell:

  • The job is a "normal" job, no matrix or anything
  • The job has a parameter named sha1 (as recommended by https://wiki.jenkins-ci.org/display/JENKINS/GitHub+pull+request+builder+plugin if one occasionally wants to build manually), with a default value of "fill-me-in"
  • From the console output I see that the sha1 Parameter is not filled in by v1.32.1 to the commit hash of the PR, but rather the default value is left in, which then causes the job execution to fail because it is not a valid git commit name
  • v1.29.4 however fills the parameter, and everything works just fine (if safeParameters is set accordingly)
  • I cannot find anything relevant in the jenkins log file

How can I give you better diagnostic information?

chris@orr.me.uk (JIRA)

May 25, 2016, 2:18:58 PM
to jenkinsc...@googlegroups.com
Christopher Orr closed an issue as Fixed
 

Fixed in 1.32.1 of the plugin.

Change By: Christopher Orr
Status: In Progress → Closed
Resolution: Fixed

aheritier@apache.org (JIRA)

Jun 9, 2016, 2:15:02 PM
to jenkinsc...@googlegroups.com

chris@orr.me.uk (JIRA)

Jun 11, 2016, 1:33:02 PM
to jenkinsc...@googlegroups.com

Yoann Dubreuil made that edit — maybe he can give some info as to why, since no details were added to the wiki.

Both 1.32.1 and 1.32.2 have worked fine for me, and a couple of further releases have been made since then.

yoann.dubreuil@gmail.com (JIRA)

Jun 13, 2016, 5:52:01 PM
to jenkinsc...@googlegroups.com

Christopher Orr The fix was rolled back in 1.32.2 and re-introduced in 1.32.3. I updated the wiki page to reflect this.

scm_issue_link@java.net (JIRA)

Nov 28, 2016, 2:30:03 AM
to jenkinsc...@googlegroups.com

Code changed in jenkins
User: Ben Patterson
Path:
src/main/java/org/jenkinsci/plugins/ghprb/GhprbAdditionalParameterEnvironmentContributor.java
src/main/java/org/jenkinsci/plugins/ghprb/GhprbParametersAction.java
src/main/java/org/jenkinsci/plugins/ghprb/GhprbTrigger.java
src/test/java/org/jenkinsci/plugins/ghprb/GhprbIT.java
http://jenkins-ci.org/commit/ghprb-plugin/17ad7df21aa20f70a24d637871dca665865ddc1b
Log:
Merge pull request #439 from jenkinsci/JENKINS-34762-GHissue-352

Fix for empty parameters in SECURITY-170 updates

Compare: https://github.com/jenkinsci/ghprb-plugin/compare/2a26b52ec9e8...17ad7df21aa2

This message was sent by Atlassian JIRA (v7.1.7#71011-sha1:2526d7c)