There have been some security patches to Jenkins recently, which have stopped some plugins from working – in our case, the Gitlab Merge Request Builder Plugin.
Parameters that used to get passed in as part of a trigger to build a branch stopped being passed through.
Errors in the Jenkins build console output looked like this – you can see that ${gitlabSourceBranch} is not being replaced properly with the branch name:
git config remote.refs/remotes/origin/${gitlabSourceBranch}.url git@git.dev53.co.uk:specialproject/specialrepo.git # timeout=10
And the log file had lots of entries like this:
May 17, 2016 9:25:33 AM hudson.model.ParametersAction filter
WARNING: Skipped parameter `gitlabSourceBranch` as it is undefined on `knowmalaria-merge`. Set `-Dhudson.model.ParametersAction.keepUndefinedParameters`=true to allow undefined parameters to be injected as environment variables or `-Dhudson.model.ParametersAction.safeParameters=[comma-separated list]` to whitelist specific parameter names, even though it represents a security breach
To get the branches building again, we had to update the parameters that the Jenkins server is started with.
In /etc/init.d/jenkins, set up a list of the parameters that the build will need :
# allow parameters to be passed in to gitlab builds
ALLOW_GITLAB_PARAMETERS="-Dhudson.model.ParametersAction.safeParameters=gitlabMergeRequestIid,gitlabSourceRepository,gitlabMergeRequestId,gitlabTargetBranch,gitlabSourceBranch,gitlabDescription,gitlabSourceName"
and pass those parameters to the process at startup:
# --user in daemon doesn't prepare environment variables like HOME, USER, LOGNAME or USERNAME,
# so we let su do so for us now
$SU -l $JENKINS_USER --shell=/bin/bash -c "$DAEMON $DAEMON_ARGS -- $JAVA $JAVA_ARGS $ALLOW_GITLAB_PARAMETERS -jar $JENKINS_WAR $JENKINS_ARGS" || return 2
Then restart your Jenkins server:
sudo service jenkins restart
You may have a different list of parameters that need to be passed to the build – check the ‘parameters’ page for one of your previous builds.
See more description of the original security flaw here:
http://www.infoworld.com/article/3070093/security/jenkins-security-patches-could-break-plug-ins.html
https://wiki.jenkins-ci.org/display/SECURITY/Jenkins+Security+Advisory+2016-05-11
Hi, I’ve installed Jenkins ver. 2.16 and I am trying your solution for this problem. I added the first part with the ALLOW_GITLAB_PARAMETERS to the “/etc/init.d/jenkins” file, but where does the second part go? I did this in the “etc/init.d/jenkins” file:
————————————————————-
PARAMS=”$PARAMS $ALLOW_GITLAB_PARAMETERS”
————————————————————-
After restart, jenkins is still saying:
————————————————————-
git rev-parse refs/remotes/origin/${gitlabSourceBranch}^{commit} # timeout=10
> git rev-parse refs/remotes/origin/refs/remotes/origin/${gitlabSourceBranch}^{commit} # timeout=10
> git rev-parse refs/remotes/origin/${gitlabSourceBranch}^{commit} # timeout=10
ERROR: Couldn’t find any revision to build. Verify the repository and branch configuration for this job.
————————————————————-
Do you have any idea, what I am doing wrong?