Jenkins builds of GitLab branches stopped working due to security patch

There have been some security patches to Jenkins recently, which have stopped some plugins from working – in our case, the Gitlab Merge Request Builder Plugin.

Parameters that used to get passed in as part of a trigger to build a branch stopped being passed through.

Errors in the Jenkins build console output looked like this – you can see that ${gitlabSourceBranch} is not being replaced properly with the branch name:

git config remote.refs/remotes/origin/${gitlabSourceBranch}.url git@git.dev53.co.uk:specialproject/specialrepo.git # timeout=10

And the log file had lots of entries like this:

May 17, 2016 9:25:33 AM hudson.model.ParametersAction filter
WARNING: Skipped parameter `gitlabSourceBranch` as it is undefined on `knowmalaria-merge`. Set `-Dhudson.model.ParametersAction.keepUndefinedParameters`=true to allow undefined parameters to be injected as environment variables or `-Dhudson.model.ParametersAction.safeParameters=[comma-separated list]` to whitelist specific parameter names, even though it represents a security breach

To get the branches building again, we had to update the parameters that the Jenkins server is started with.

In /etc/init.d/jenkins, set up a list of the parameters that the build will need :


# allow parameters to be passed in to gitlab builds
ALLOW_GITLAB_PARAMETERS="-Dhudson.model.ParametersAction.safeParameters=gitlabMergeRequestIid,gitlabSourceRepository,gitlabMergeRequestId,gitlabTargetBranch,gitlabSourceBranch,gitlabDescription,gitlabSourceName"

and pass those parameters to the process at startup:


# --user in daemon doesn't prepare environment variables like HOME, USER, LOGNAME or USERNAME,
# so we let su do so for us now
$SU -l $JENKINS_USER --shell=/bin/bash -c "$DAEMON $DAEMON_ARGS -- $JAVA $JAVA_ARGS $ALLOW_GITLAB_PARAMETERS -jar $JENKINS_WAR $JENKINS_ARGS" || return 2

Then restart your Jenkins server:

sudo service jenkins restart

You may have a different list of parameters that need to be passed to the build – check the ‘parameters’ page for one of your previous builds.

See more description of the original security flaw here:

http://www.infoworld.com/article/3070093/security/jenkins-security-patches-could-break-plug-ins.html
https://wiki.jenkins-ci.org/display/SECURITY/Jenkins+Security+Advisory+2016-05-11

Two-Legged OAuth with the Google Drive API in Ruby

Google are discontinuing support for the Documents List API, and moving to the Drive API.

The old API supported authentication with a username and password, but that’s not allowed in the new API. Instead, you need to use OAuth for access.

If you want to have server-to-server authentication, without user interaction, you need a “two-legged” OAuth process, where a token is obtained with an encrypted request and then used for future service requests.

Continue reading Two-Legged OAuth with the Google Drive API in Ruby

from_sentence : the opposite of Rails to_sentence

I like the Rails to_sentence method on String class, which converts an array to a comma-separated sentence where the last element is joined by a connector word.

It makes it easy to take a list of names, for example, and make them human-readable, without having to fiddle with join words and last-item-is-special-case stuff:

['one', 'two'].to_sentence          # => "one and two"
['one', 'two', 'three'].to_sentence # => "one, two, and three"

Continue reading from_sentence : the opposite of Rails to_sentence

Sublime Text 3 : keyboard shortcut to reveal file in sidebar

To see where your current file is in the folder sidebar, you can install SyncedSideBar.

However, that has some side effects – sometimes, even if you’ve hidden the sidebar, it pops back up when you switch between files, or search.

Continue reading Sublime Text 3 : keyboard shortcut to reveal file in sidebar