Antoine Musso <[email protected]> writes:

> Hello,
>
> Jenkins has released a security update on Wednesday which causes it to
> drop parameters passed to a job unless they are explicitly defined in
> the job. The announcement is at:
>
> https://wiki.jenkins-ci.org/display/JENKINS/Plugins+affected+by+fix+for+SECURITY-170
>
> That affects Zuul/Nodepool etc.
>
> Zuul passes a range of built-in parameters (eg: ZUUL_PROJECT) and can
> inject user defined ones via the parameter functions. All of them end
> up being dropped and are no longer known to the job.
>
>
> Good news though is that the Gearman Jenkins plugin still recognizes
> "OFFLINE_NODE_WHEN_COMPLETE" (which might itself be a bug/security
> issue). So at least the slave is put offline.
>
> I have documented my test extensively on:
> https://phabricator.wikimedia.org/T133737#2290669
>
>
> The easiest (and insecure) fix is to keep the old behaviour by passing
> to Jenkins:
>
> -Dhudson.model.ParametersAction.keepUndefinedParameters=true
>
>
> If one assumes the Gearman requests are safe, the plugin might be able
> to dynamically whitelist them so they get passed to the job as env
> variables.
>
> Alternatively, one would have to make sure the parameters coming from
> Zuul are predefined in the job. It might be quite challenging to align
> Zuul code, parameter functions and the JJB definitions.
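The "predefine the parameters in the job" option above, written out as a Jenkins Job Builder (JJB) template. This is an added example, not from the thread or from the Zuul/JJB projects: it declares the Zuul-provided parameters as explicit string parameters so the SECURITY-170 fix no longer drops them, without the global keepUndefinedParameters switch. ZUUL_PROJECT is the name given in the message; the other ZUUL_* names are assumed to be the ones the local Zuul installation actually sends and should be checked against its parameter functions. The job name and the deliberately empty defaults are placeholders.

```yaml
# Added example (not from the thread): a JJB job template that explicitly
# declares the parameters Zuul injects through Gearman. After the Jenkins
# SECURITY-170 fix, a build parameter that is not defined on the job is
# discarded, so every ZUUL_* variable the shell step relies on must be listed.
- job-template:
    name: '{name}-zuul-example'      # placeholder job name
    node: '{node}'
    parameters:
      # ZUUL_PROJECT is the parameter named in the message; the rest are
      # assumed to be the built-in parameters Zuul sends in this deployment.
      - string:
          name: ZUUL_PROJECT
          default: ''
          description: 'Project being tested, supplied by Zuul'
      - string:
          name: ZUUL_BRANCH
          default: ''
          description: 'Target branch, supplied by Zuul'
      - string:
          name: ZUUL_REF
          default: ''
          description: 'Git ref to test, supplied by Zuul'
      - string:
          name: ZUUL_COMMIT
          default: ''
          description: 'Commit under test, supplied by Zuul'
      - string:
          name: ZUUL_CHANGE
          default: ''
          description: 'Change number, supplied by Zuul'
      - string:
          name: ZUUL_PIPELINE
          default: ''
          description: 'Pipeline that triggered the build, supplied by Zuul'
      # OFFLINE_NODE_WHEN_COMPLETE is still honoured by the Gearman plugin
      # per the message; declaring it keeps the job self-describing.
      - bool:
          name: OFFLINE_NODE_WHEN_COMPLETE
          default: false
          description: 'Take the slave offline after this build'
    builders:
      - shell: |
          # Fail early if Jenkins dropped a parameter the job depends on.
          for v in ZUUL_PROJECT ZUUL_BRANCH ZUUL_REF; do
            eval "val=\${$v:-}"
            [ -n "$val" ] || { echo "missing $v (dropped by SECURITY-170?)"; exit 1; }
          done
          echo "Testing $ZUUL_PROJECT at $ZUUL_REF"
```

Any parameter a Zuul parameter function adds on the fly must be added to this list as well, which is the alignment problem the message points out. A narrower alternative to keepUndefinedParameters that the Jenkins advisory for this fix also documents is `-Dhudson.model.ParametersAction.safeParameters=ZUUL_PROJECT,ZUUL_BRANCH,...`, a comma-separated whitelist of parameter names that are kept even when undefined on the job; it still trusts every sender of those names, so it suits a Jenkins driven only by Zuul and Gearman, as Jim's reply below assumes.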
Yes, we assume the parameters passed in via gearman are safe, as they are provided either by zuul directly, or indirectly by custom functions in zuul's configuration managed by the zuul system administrator. So this was a feature in Jenkins on which we relied.

I think it makes the most sense for the gearman plugin to be updated to autowhitelist them if that is possible. Is someone interested in working on that?

In the mean time, assuming that your system is entirely driven by Zuul+gearman and you do not have jobs that are triggered by other plugins where this behavior might not be desirable, I think the command line option you mentioned should be safe.

-Jim

_______________________________________________
OpenStack-Infra mailing list
[email protected]
http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-infra
