[OpenStack-Infra] Jenkins 1.651.2 strips Zuul emitted parameters

James E. Blair corvus at inaugust.com
Thu May 12 22:02:11 UTC 2016


Antoine Musso <hashar at free.fr> writes:

> Hello,
>
> Jenkins has released a security update on Wednesday which causes it to
> drop parameters passed to a job unless they are explicitly defined in
> the job.  The announcement is at:
>
> https://wiki.jenkins-ci.org/display/JENKINS/Plugins+affected+by+fix+for+SECURITY-170
>
> That affects Zuul/Nodepool etc.
>
> Zuul passes a range of built-in parameters (eg: ZUUL_PROJECT) and can
> inject user defined ones via the parameter functions.  All of them end
> up being dropped and are no longer known to the job.
>
>
> The good news though is that the Gearman Jenkins plugin still recognizes
> "OFFLINE_NODE_WHEN_COMPLETE" (which might itself be a bug/security
> issue).  So at least the slave is put offline.
>
> I have documented my test extensively on:
>   https://phabricator.wikimedia.org/T133737#2290669
>
>
> The easiest (and insecure) fix is to keep the old behaviour by passing
> to Jenkins:
>
>   -Dhudson.model.ParametersAction.keepUndefinedParameters=true
>
>
> If one assumes the Gearman requests are safe, the plugin might be able
> to dynamically whitelist them so they get passed to the job as env
> variables.
>
> Alternatively, one would have to make sure the parameters coming from
> Zuul are predefined in the job.  It might be quite challenging to align
> Zuul code, parameter functions and the JJB definitions.

Yes, we assume the parameters passed in via gearman are safe, as they
are provided either by zuul directly, or indirectly by custom functions
in zuul's configuration managed by the zuul system administrator.  So
this was a feature in Jenkins on which we relied.  I think it makes the
most sense for the gearman plugin to be updated to autowhitelist them if
that is possible.  Is someone interested in working on that?

In the meantime, assuming that your system is entirely driven by
Zuul+gearman and you do not have jobs that are triggered by other
plugins where this behavior might not be desirable, I think the command
line option you mentioned should be safe.

-Jim
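Added example, not part of the thread or of Zuul/JJB: a small check that compares the parameters Zuul sends in a Gearman job payload with those a Jenkins Job Builder (JJB) job definition predefines, reports the ones the SECURITY-170 fix will drop, and emits the JJB `string` parameter entries that would make them explicit instead of relying on `keepUndefinedParameters=true`. The payload and the job dict (the structure JJB reads from YAML) are constructed samples; `LOG_PATH` stands in for a value set by a Zuul parameter function.

```python
import json

# Constructed sample of a Gearman payload as Zuul would send it; only the
# parameter names matter for this check.
SAMPLE_PAYLOAD = json.dumps({
    "ZUUL_PROJECT": "openstack-infra/zuul",
    "ZUUL_BRANCH": "master",
    "ZUUL_REF": "refs/zuul/master/Zabc123",
    "ZUUL_UUID": "0123456789abcdef",
    "OFFLINE_NODE_WHEN_COMPLETE": "1",
    "LOG_PATH": "12/abc/check/gate-zuul-pep8/0123456",  # from a parameter function
})

# Constructed JJB job as parsed from YAML: it predefines only two of the
# parameters above, so the others are undefined from Jenkins' point of view.
SAMPLE_JOB = {
    "name": "gate-zuul-pep8",
    "parameters": [
        {"string": {"name": "ZUUL_PROJECT", "default": ""}},
        {"string": {"name": "ZUUL_BRANCH", "default": ""}},
    ],
}


def declared_parameters(job):
    """Names of the parameters a JJB job definition already declares."""
    names = set()
    for entry in job.get("parameters", []):
        for _ptype, spec in entry.items():
            names.add(spec["name"])
    return names


def undeclared_parameters(payload_json, job):
    """Parameters present in the Gearman payload but not declared by the job.
    After the SECURITY-170 fix these are exactly the ones Jenkins drops
    unless keepUndefinedParameters=true is set."""
    sent = set(json.loads(payload_json))
    return sorted(sent - declared_parameters(job))


def jjb_stanza(names):
    """JJB 'parameters' entries that make the given names explicit in the job,
    which removes the need for the insecure command line option."""
    return [{"string": {"name": n, "default": "",
                        "description": "Injected by Zuul"}} for n in names]


if __name__ == "__main__":
    missing = undeclared_parameters(SAMPLE_PAYLOAD, SAMPLE_JOB)
    print("dropped by Jenkins:", missing)
    print(json.dumps(jjb_stanza(missing), indent=2))
```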


