[OpenStack-Infra] Jenkins 1.651.2 strips Zuul emitted parameters
Antoine Musso
hashar at free.fr
Thu May 12 21:07:23 UTC 2016
Hello,
Jenkins has released a security update on Wednesday which causes it to
drop parameters passed to a job unless they are explicitly defined in
the job. The announcement is at:
https://wiki.jenkins-ci.org/display/JENKINS/Plugins+affected+by+fix+for+SECURITY-170
That affects Zuul/Nodepool etc.
Zuul passes a range of built-in parameters (eg: ZUUL_PROJECT) and can
inject user defined ones via the parameter functions. All of them end
up being dropped and are no longer known to the job.
Good news though: the Gearman Jenkins plugin still recognizes
"OFFLINE_NODE_WHEN_COMPLETE" (which might itself be a bug/security
issue). So at least the slave is put offline.
I have documented my test extensively on:
https://phabricator.wikimedia.org/T133737#2290669
The easiest (and insecure) fix is to keep the old behaviour by passing
to Jenkins:
-Dhudson.model.ParametersAction.keepUndefinedParameters=true
If one assumes the Gearman requests are safe, the plugin might be able
to dynamically whitelist them so they get passed to the job as env
variables.
Alternatively, one would have to make sure the parameters coming from
Zuul are predefined in the job. It might be quite challenging to align
Zuul code, parameter functions and the JJB definitions.
--
Antoine "hashar" Musso
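The following is an added example, not code from the post, from Jenkins, Zuul or the Gearman plugin. It models the behaviour the post describes: after the SECURITY-170 fix, a build only sees the parameters its job declares, unless the global `keepUndefinedParameters` escape hatch is set, and it shows what the third option (predeclaring Zuul's parameters in the JJB job definition) would look like. ZUUL_PROJECT is the only parameter name taken from the post; the other ZUUL_* names, their values and the job definition are constructed sample data, and `jjb_parameters_block` is a hypothetical helper that renders a JJB `parameters:` stanza.

```python
"""Model of the SECURITY-170 parameter filtering and the predeclare fix.

Added example, not code from Jenkins, Zuul or the Gearman plugin. The job
definition and every ZUUL_* name other than ZUUL_PROJECT are constructed
for illustration.
"""
from typing import Dict, List

# Parameters Zuul injects for one change-triggered build. ZUUL_PROJECT is
# the name used in the post; the other names and all values are assumed.
ZUUL_PARAMETERS: Dict[str, str] = {
    "ZUUL_PROJECT": "mediawiki/core",
    "ZUUL_BRANCH": "master",
    "ZUUL_REF": "refs/zuul/master/Zabc123",
    "ZUUL_PIPELINE": "test",
}

# A JJB-style job definition (constructed) that predeclares only one of them,
# mirroring the shape JJB uses: a list of {kind: {name, default, ...}} entries.
JOB = {
    "name": "mediawiki-core-tests",
    "parameters": [
        {"string": {"name": "ZUUL_PROJECT", "default": "",
                    "description": "Project under test"}},
    ],
}


def declared_parameters(job: dict) -> List[str]:
    """Names of the parameters a job explicitly declares."""
    names: List[str] = []
    for entry in job.get("parameters", []):
        for _kind, spec in entry.items():
            names.append(spec["name"])
    return names


def parameters_seen_by_job(job: dict, incoming: Dict[str, str],
                           keep_undefined: bool = False) -> Dict[str, str]:
    """Parameters the build actually sees after the SECURITY-170 fix.

    keep_undefined=False is the post-fix default: Jenkins drops every
    parameter the job does not declare. keep_undefined=True models
    -Dhudson.model.ParametersAction.keepUndefinedParameters=true, which
    restores the old behaviour for every job on the master at once, which
    is why the post calls it the insecure fix.
    """
    if keep_undefined:
        return dict(incoming)
    declared = set(declared_parameters(job))
    return {k: v for k, v in incoming.items() if k in declared}


def missing_declarations(job: dict, incoming: Dict[str, str]) -> List[str]:
    """Incoming parameters that this job would silently lose."""
    declared = set(declared_parameters(job))
    return sorted(k for k in incoming if k not in declared)


def jjb_parameters_block(names: List[str]) -> str:
    """Render a JJB `parameters:` stanza declaring the given names.

    Hypothetical helper: this is the stanza that would have to be added to
    the job template so the Zuul parameters survive the fix without
    re-enabling keepUndefinedParameters.
    """
    lines = ["    parameters:"]
    for name in names:
        lines.append("      - string:")
        lines.append(f"          name: {name}")
        lines.append("          default: ''")
        lines.append("          description: Injected by Zuul")
    return "\n".join(lines)


if __name__ == "__main__":
    print("seen with fix:      ", parameters_seen_by_job(JOB, ZUUL_PARAMETERS))
    print("seen with old flag: ",
          parameters_seen_by_job(JOB, ZUUL_PARAMETERS, keep_undefined=True))
    lost = missing_declarations(JOB, ZUUL_PARAMETERS)
    print("dropped by the fix: ", lost)
    print("JJB stanza to add:\n" + jjb_parameters_block(lost))
```

Running it shows the job keeping only ZUUL_PROJECT under the fixed default, keeping everything when the global flag is set, and the stanza that would bring the dropped names back on a per-job basis; in practice the same list would have to be kept in step with whatever Zuul and the parameter functions emit, which is the alignment problem the post points out.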