Jenkins builds of GitLab branches stopped working due to security patch

May 17, 2016 1 Comment

There have been some security patches to Jenkins recently, which have stopped some plugins from working – in our case, the Gitlab Merge Request Builder Plugin.

Parameters that used to get passed in as part of a trigger to build a branch stopped being passed through.

Errors in the Jenkins build console output looked like this – you can see that ${gitlabSourceBranch} is not being replaced properly with the branch name:

git config remote.refs/remotes/origin/${gitlabSourceBranch}.url git@git.dev53.co.uk:specialproject/specialrepo.git # timeout=10

And the log file had lots of entries like this:

May 17, 2016 9:25:33 AM hudson.model.ParametersAction filter
WARNING: Skipped parameter `gitlabSourceBranch` as it is undefined on `knowmalaria-merge`. Set `-Dhudson.model.ParametersAction.keepUndefinedParameters`=true to allow undefined parameters to be injected as environment variables or `-Dhudson.model.ParametersAction.safeParameters=[comma-separated list]` to whitelist specific parameter names, even though it represents a security breach

To get the branches building again, we had to update the parameters that the Jenkins server is started with.

In /etc/init.d/jenkins, set up a list of the parameters that the build will need :


# allow parameters to be passed in to gitlab builds
ALLOW_GITLAB_PARAMETERS="-Dhudson.model.ParametersAction.safeParameters=gitlabMergeRequestIid,gitlabSourceRepository,gitlabMergeRequestId,gitlabTargetBranch,gitlabSourceBranch,gitlabDescription,gitlabSourceName"

and pass those parameters to the process at startup:


# --user in daemon doesn't prepare environment variables like HOME, USER, LOGNAME or USERNAME,
# so we let su do so for us now
$SU -l $JENKINS_USER --shell=/bin/bash -c "$DAEMON $DAEMON_ARGS -- $JAVA $JAVA_ARGS $ALLOW_GITLAB_PARAMETERS -jar $JENKINS_WAR $JENKINS_ARGS" || return 2

Then restart your Jenkins server:

sudo service jenkins restart

You may have a different list of parameters that need to be passed to the build – check the ‘parameters’ page for one of your previous builds.

See more description of the original security flaw here:

http://www.infoworld.com/article/3070093/security/jenkins-security-patches-could-break-plug-ins.html
https://wiki.jenkins-ci.org/display/SECURITY/Jenkins+Security+Advisory+2016-05-11

1 thought on “Jenkins builds of GitLab branches stopped working due to security patch”

  1. Hi, I’ve installed Jenkins ver. 2.16 and I am trying your solution for this problem. I added the first part with the ALLOW_GITLAB_PARAMETERS to the “/etc/init.d/jenkins” file, but where does the second part go? I did this in the “etc/init.d/jenkins” file:
    ————————————————————-
    PARAMS=”$PARAMS $ALLOW_GITLAB_PARAMETERS”
    ————————————————————-

    After restart, jenkins is still saying:
    ————————————————————-
    git rev-parse refs/remotes/origin/${gitlabSourceBranch}^{commit} # timeout=10
    > git rev-parse refs/remotes/origin/refs/remotes/origin/${gitlabSourceBranch}^{commit} # timeout=10
    > git rev-parse refs/remotes/origin/${gitlabSourceBranch}^{commit} # timeout=10
    ERROR: Couldn’t find any revision to build. Verify the repository and branch configuration for this job.
    ————————————————————-

    Do you have any idea, what I am doing wrong?

    Reply

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.