[JIRA] [gearman-plugin] (JENKINS-34885) Gearman plugin should whitelist build parameters it injects
Antoine Musso commented on JENKINS-34885:

Listed on the wiki page: https://wiki.jenkins-ci.org/display/JENKINS/Plugins+affected+by+fix+for+SECURITY-170

Also added as known issue on the plugin page at https://wiki.jenkins-ci.org/display/JENKINS/Gearman+Plugin
[JIRA] [gearman-plugin] (JENKINS-34885) Gearman plugin should whitelist build parameters it injects
Antoine Musso updated an issue: Jenkins / JENKINS-34885 Gearman plugin should whitelist build parameters it injects
Change By: Antoine Musso

Jenkins 1.651.2 now strips build parameters that are not explicitly defined by a job (https://jenkins.io/blog/2016/05/11/security-update/). The Gearman plugin should thus whitelist them dynamically so they do not get stripped.

I have at least confirmed the special {{OFFLINE_NODE_WHEN_COMPLETE}} parameter is not impacted and the Gearman plugin properly sets the slave offline even when Jenkins strips it out later on. Extensive details are available at https://phabricator.wikimedia.org/T133737#2290669

A use case is Zuul triggering jobs passing its context as ZUUL_* build parameters, which can then be reused as environment variables. Without them, it is pretty much useless unless one goes through the trouble of whitelisting all ZUUL parameters + whatever user parameters might be injected.

I have poked the OpenStack infrastructure list about it (http://lists.openstack.org/pipermail/openstack-infra/2016-May/004284.html), to which James E. Blair recommended on http://lists.openstack.org/pipermail/openstack-infra/2016-May/004285.html to:

> In the mean time, assuming that your system is entirely driven by Zuul+gearman and you do not have jobs that are triggered by other plugins where this behavior might not be desirable, I think the command line option you mentioned should be safe.

The workaround for Jenkins 1.651.2 and later is to pass the Java system parameter {{-Dhudson.model.ParametersAction.keepUndefinedParameters=true}}, which is not secure.
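The plugin-side whitelist the issue asks for, as an added example that is not the Gearman plugin's own code: with the SECURITY-170 fix, Jenkins core's ParametersAction gained a second constructor whose Collection<String> argument names the parameters a plugin declares safe, so the plugin can whitelist exactly the names it injects instead of relying on the global keepUndefinedParameters switch. The GearmanParametersExample class and the payload map (the ZUUL_* key/value pairs received over Gearman) are assumptions.

```java
import java.util.ArrayList;
import java.util.Collection;
import java.util.LinkedHashSet;
import java.util.List;
import java.util.Map;

import hudson.model.ParameterValue;
import hudson.model.ParametersAction;
import hudson.model.StringParameterValue;

/** Hypothetical helper, not the Gearman plugin's code. */
public final class GearmanParametersExample {

    private GearmanParametersExample() {}

    /**
     * Pre-1.651.2 style: every injected name is undefined on the job, so
     * Jenkins 1.651.2+ drops all of them (the ZUUL_* context disappears
     * from the build environment).
     */
    public static ParametersAction legacyAction(Map<String, String> payload) {
        return new ParametersAction(toValues(payload));
    }

    /**
     * Dynamic whitelist: declare as safe exactly the names this trigger
     * injected, nothing more. Parameters arriving through any other path
     * (e.g. a user-supplied trigger URL) are still filtered by Jenkins.
     * Assumes the Gearman payload is the trusted trigger source, which is
     * the same assumption James E. Blair's reply spells out.
     */
    public static ParametersAction whitelistedAction(Map<String, String> payload) {
        Collection<String> safeNames = new LinkedHashSet<String>(payload.keySet());
        return new ParametersAction(toValues(payload), safeNames);
    }

    private static List<ParameterValue> toValues(Map<String, String> payload) {
        List<ParameterValue> values = new ArrayList<ParameterValue>();
        for (Map.Entry<String, String> e : payload.entrySet()) {
            values.add(new StringParameterValue(e.getKey(), e.getValue()));
        }
        return values;
    }
}
```

Admins who cannot upgrade the plugin have a narrower alternative than keepUndefinedParameters: the hudson.model.ParametersAction.safeParameters system property takes a comma-separated list of parameter names to keep globally, which is what "white listing all ZUUL parameters" above amounts to.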
[JIRA] [gearman-plugin] (JENKINS-34885) Gearman plugin should whitelist build parameters it injects
Antoine Musso created an issue: Jenkins / JENKINS-34885 Gearman plugin should whitelist build parameters it injects

Issue Type: Bug
Assignee: Unassigned
Components: gearman-plugin
Created: 2016/May/17 2:19 PM
Environment: Jenkins 1.651.2
Labels: security-170
Priority: Major
Reporter: Antoine Musso

Jenkins 1.651.2 now strips build parameters that are not explicitly defined by a job (https://jenkins.io/blog/2016/05/11/security-update/). The Gearman plugin should thus whitelist them dynamically so they do not get stripped.

I have at least confirmed the special OFFLINE_NODE_WHEN_COMPLETE parameter is not impacted and the Gearman plugin properly sets the slave offline even when Jenkins strips it out later on. Extensive details are available at https://phabricator.wikimedia.org/T133737#2290669

A use case is Zuul triggering jobs passing its context as ZUUL_* build parameters which can then be reused as