Jenkins builds of GitLab branches stopped working due to security patch

There have been some security patches to Jenkins recently, which have stopped some plugins from working - in our case, the Gitlab Merge Request Builder Plugin.

Parameters that used to get passed in as part of a trigger to build a branch stopped being passed through.

Errors in the Jenkins build console output looked like this - you can see that ${gitlabSourceBranch} is not being replaced properly with the branch name:

git config remote.refs/remotes/origin/${gitlabSourceBranch}.url git@git.dev53.co.uk:specialproject/specialrepo.git # timeout=10

And the log file had lots of entries like this:

May 17, 2016 9:25:33 AM hudson.model.ParametersAction filter
WARNING: Skipped parameter `gitlabSourceBranch` as it is undefined on `knowmalaria-merge`. Set `-Dhudson.model.ParametersAction.keepUndefinedParameters`=true to allow undefined parameters to be injected as environment variables or `-Dhudson.model.ParametersAction.safeParameters=[comma-separated list]` to whitelist specific parameter names, even though it represents a security breach

To get the branches building again, we had to update the parameters that the Jenkins server is started with.

In /etc/init.d/jenkins, set up a list of the parameters that the build will need :


# allow parameters to be passed in to gitlab builds
ALLOW_GITLAB_PARAMETERS="-Dhudson.model.ParametersAction.safeParameters=gitlabMergeRequestIid,gitlabSourceRepository,gitlabMergeRequestId,gitlabTargetBranch,gitlabSourceBranch,gitlabDescription,gitlabSourceName"


and pass those parameters to the process at startup:


# --user in daemon doesn't prepare environment variables like HOME, USER, LOGNAME or USERNAME,
# so we let su do so for us now
$SU -l $JENKINS_USER --shell=/bin/bash -c "$DAEMON $DAEMON_ARGS -- $JAVA $JAVA_ARGS $ALLOW_GITLAB_PARAMETERS -jar $JENKINS_WAR $JENKINS_ARGS" || return 2


Then restart your Jenkins server:

sudo service jenkins restart

You may have a different list of parameters that need to be passed to the build - check the 'parameters' page for one of your previous builds.

See more description of the original security flaw here:

http://www.infoworld.com/article/3070093/security/jenkins-security-patches-could-break-plug-ins.html
https://wiki.jenkins-ci.org/display/SECURITY/Jenkins+Security+Advisory+2016-05-11