stash-pullrequest-builder-plugin | A Jenkins plugin for Building Stash Pull Requests | Plugin library

Jenkins was changed in version 2.3 to disallow adding parameters to a build if they are not declared in the project configuration. The motivation was to prevent a security issue when a project controlled by an attacker invokes another project with arbitrary parameters. Since the parameters are seen as environment variables by the build scripts, the attacker could make the build load an untrusted library. Since its possible for different projects to be controlled by different users and run with different privileges, such behavior would allow the attacker to exploit permissions of a project he or she is not allowed to configure. The issue is known as SECURITY-170.

Stash Pull Request Builder was adding 10 parameters to the build to provide information about the pull request being built. Following the SECURITY-170 implementation, the plugin was changed in version 1.7.0 to pass those values as environment variables as well. Those environment variables are recorded to the build history. They can be viewed if Build Environment Plugin is installed.

Starting with version 1.9, Stash Pull Request Builder plugin removed the old mechanism of passing pull request data through parameters, as it was causing a large number of warnings in the Jenkins log.

The plugin's README.md file has just been updated to use the term "environment variables" to avoid confusion.

If you really need parameters, you can define them for the project. Starting with the next version of the plugin (presumably 1.11), the configured parameters will be populated with the same values that are available through the environment variables.