cyberark / conjur-teamcity-plugin

TeamCity plugin so that TeamCity jobs/builds can retrieve credentials from Conjur when a job/build is kicked off.
Apache License 2.0

Security: the connection details are being published as plain-text build parameters #7

Status: Closed (ptoman-cisco closed 1 year ago)

ptoman-cisco commented 2 years ago

Summary

The server-side plugin code reads the Conjur Connection details and adds these properties into the build when it is started on the server. Then the agent-side plugin code reads those parameters, establishes a connection to Conjur, and reads the secrets as necessary. Unfortunately, the connection details remain in the teamcity.conjur.* parameters, including the API key.

Steps to Reproduce

Steps to reproduce the behavior:

  1. Define a Conjur connection in a TC project
  2. Run a build in that project
  3. After it finishes, go to Parameters
  4. See the parameters, e.g. teamcity.conjur.apiKey

Expected Results

The parameters should not be visible, at least not the API key.

Actual Results (including error logs, if applicable)

API key is visible in plaintext.

Reproducible

Version/Tag number

TC 2022.04.2, Conjur plugin v0.0.1.

Environment setup

MacOS 12.5.1

Additional Information

TC running locally or on a dedicated server.
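A check for the exposure reported above, as an added example that is not part of the issue or the plugin's code: it audits a finished build's parameters for unmasked teamcity.conjur.* entries. It assumes the parameters are available as key=value lines and that a masked value renders as asterisks; every parameter name other than teamcity.conjur.apiKey, and every value, is constructed.

```python
import re

# Constructed sample of a finished build's parameters as key=value lines.
# Only teamcity.conjur.apiKey is named in the issue; the other keys and all
# values are made up for this example.
SAMPLE_PARAMETERS = """\
# constructed sample, not real data
build.number=42
teamcity.conjur.applianceUrl=https://conjur.example.test
teamcity.conjur.account=demo
teamcity.conjur.apiKey=EXAMPLE-NOT-A-REAL-KEY
env.DB_PASSWORD=*******
"""

PREFIX = "teamcity.conjur."
# Name fragments treated as credential material (an assumption of this example).
SECRET_HINTS = re.compile(r"apikey|password|secret|token", re.IGNORECASE)
# Assumption: a masked value is rendered as a run of asterisks.
MASKED = re.compile(r"^\*+$")


def parse_properties(text):
    """Parse key=value lines, skipping blank lines and # or ! comments."""
    params = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!" or "=" not in line:
            continue
        key, _, value = line.partition("=")
        params[key.strip()] = value.strip()
    return params


def audit(params):
    """Return (severity, name) for each unmasked teamcity.conjur.* parameter.

    Values are never returned, so the report itself does not leak them.
    """
    findings = []
    for name, value in sorted(params.items()):
        if not name.startswith(PREFIX) or not value or MASKED.match(value):
            continue
        severity = "secret" if SECRET_HINTS.search(name) else "connection-detail"
        findings.append((severity, name))
    return findings


if __name__ == "__main__":
    for severity, name in audit(parse_properties(SAMPLE_PARAMETERS)):
        print(f"{severity}: {name} is stored in plain text")
```

Any "secret" finding means the credential should be treated as exposed to everyone who can view that build's parameters, and rotated.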

ptoman-cisco commented 1 year ago

@jtuttle, @infamousjoeg, could you take a look please? This PR fixes #7 - as explained in the reply to your query a while ago.