
Have Jenkins to strip build parameters that are not explicitly defined in jobs
Closed, Declined (Public)

Description

Jenkins 1.651.2 introduced a security fix that strips parameters that are not explicitly defined in jobs. The Jenkins Gearman plugin requires that functionality to inject build parameters, thus we have disabled that security feature by passing to Jenkins: -Dhudson.model.ParametersAction.keepUndefinedParameters=true

We would need the Gearman plugin to autowhitelist the parameters it injects, as per James E. Blair (OpenStack) on http://lists.openstack.org/pipermail/openstack-infra/2016-May/004285.html:

Yes, we assume the parameters passed in via gearman are safe, as they are provided either by zuul directly, or indirectly by custom functions in zuul's configuration managed by the zuul system administrator. So this was a feature in Jenkins on which we relied. I think it makes the most sense for the gearman plugin to be updated to autowhitelist them if that is possible. Is someone interested in working on that?

In the meantime, assuming that your system is entirely driven by Zuul+gearman and you do not have jobs that are triggered by other plugins where this behavior might not be desirable, I think the command line option you mentioned should be safe.

-Jim

Then upgrade the Gearman plugin and figure out other parameters we might need to whitelist.

Once done, we can revert a6770d165e46b55e3ca719a6fd4be71d64691af0

Full context in T133737
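As an added illustration (not code from this task, from Jenkins or from the Gearman plugin), a small Python model of how the post-fix parameter filtering behaves under the two Jenkins system properties: hudson.model.ParametersAction.keepUndefinedParameters (the blanket workaround above) and hudson.model.ParametersAction.safeParameters (the per-name whitelist the same fix provides). The job definition, the ZUUL_REF parameter and the stray PATH parameter are constructed sample values.

```python
import re

KEEP_UNDEFINED = "hudson.model.ParametersAction.keepUndefinedParameters"
SAFE_PARAMS = "hudson.model.ParametersAction.safeParameters"

# Constructed sample data: a job that defines only BRANCH, and an incoming
# parameter set from the Gearman side carrying a Zuul-injected ZUUL_REF plus
# an unexpected PATH that no job definition or whitelist asked for.
JOB_DEFINED = {"BRANCH"}
SUBMITTED = {"BRANCH": "master", "ZUUL_REF": "refs/zuul/master/Zabc", "PATH": "/tmp/untrusted"}

# Three ways of starting Jenkins (constructed JAVA_ARGS strings).
ARGS_DEFAULT = "-Djava.awt.headless=true"
ARGS_KEEP_ALL = ARGS_DEFAULT + " -D" + KEEP_UNDEFINED + "=true"
ARGS_WHITELIST = ARGS_DEFAULT + " -D" + SAFE_PARAMS + "=ZUUL_REF"


def parse_java_args(java_args):
    """Extract -Dname=value system properties from a JAVA_ARGS string."""
    return dict(re.findall(r"-D([\w.]+)=(\S*)", java_args))


def accepted_parameters(java_args, job_defined, submitted):
    """Model (not Jenkins' own code) of parameter filtering after the 1.651.2 fix:
    a submitted parameter survives if the job defines it, if its name is in the
    safeParameters whitelist, or if keepUndefinedParameters is set globally.
    Returns (kept, dropped) dicts."""
    props = parse_java_args(java_args)
    keep_all = props.get(KEEP_UNDEFINED, "false").lower() == "true"
    safe = {n.strip() for n in props.get(SAFE_PARAMS, "").split(",") if n.strip()}
    kept, dropped = {}, {}
    for name, value in submitted.items():
        target = kept if (keep_all or name in job_defined or name in safe) else dropped
        target[name] = value
    return kept, dropped


def keeps_undefined_globally(java_args):
    """True when the blanket workaround is active: every undefined parameter,
    not just the ones a trusted injector needs, reaches the build environment."""
    return parse_java_args(java_args).get(KEEP_UNDEFINED, "false").lower() == "true"


if __name__ == "__main__":
    for label, args in (("default", ARGS_DEFAULT), ("keepUndefined", ARGS_KEEP_ALL),
                        ("safeParameters", ARGS_WHITELIST)):
        kept, dropped = accepted_parameters(args, JOB_DEFINED, SUBMITTED)
        print(f"{label:15} kept={sorted(kept)} dropped={sorted(dropped)}")
```

The whitelist form keeps ZUUL_REF while still dropping the undefined PATH, which is what the blanket flag cannot do.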

Event Timeline

Filed upstream bug https://issues.jenkins-ci.org/browse/JENKINS-34885 "Gearman plugin should whitelist build parameters it injects"

hashar triaged this task as Medium priority.May 17 2016, 2:20 PM
hashar moved this task from Backlog to Reported upstream on the Jenkins board.
hashar moved this task from Backlog to Reported Upstream on the Upstream board.

Worked around by starting Jenkins with -Dhudson.model.ParametersAction.keepUndefinedParameters=true. I don't have any plan, or even the knowledge, to be able to fix it in the Gearman plugin, hence I am declining the task since we have a workaround. I have left the upstream task open, though (https://issues.jenkins.io/browse/JENKINS-34885), but it is unlikely to ever be fixed.