jenkinsci / bitbucket-branch-source-plugin

Bitbucket Branch Source Plugin
https://plugins.jenkins.io/cloudbees-bitbucket-branch-source
MIT License

BitBucket SCM url contains token in URL #607

Closed Hildebrand-Ritense closed 3 days ago

Hildebrand-Ritense commented 2 years ago

Jenkins and plugins versions report

Environment

```text
Jenkins: 2.350
OS: Linux - 4.14.275-142.503.amzn1.x86_64
---
ace-editor:1.1 amazon-ecr:1.73.v741d474abe74 analysis-model-api:10.10.1 antisamy-markup-formatter:2.7 apache-httpcomponents-client-4-api:4.5.13-1.0 authentication-tokens:1.4 autocomplete-parameter:1.1 aws-beanstalk-publisher-plugin:1.8.2 aws-credentials:191.vcb_f183ce58b_9 aws-java-sdk:1.12.215-339.vdc07efc5320c aws-java-sdk-cloudformation:1.12.215-339.vdc07efc5320c aws-java-sdk-codebuild:1.12.215-339.vdc07efc5320c aws-java-sdk-ec2:1.12.215-339.vdc07efc5320c aws-java-sdk-ecr:1.12.215-339.vdc07efc5320c aws-java-sdk-ecs:1.12.215-339.vdc07efc5320c aws-java-sdk-elasticbeanstalk:1.12.215-339.vdc07efc5320c aws-java-sdk-iam:1.12.215-339.vdc07efc5320c aws-java-sdk-logs:1.12.215-339.vdc07efc5320c aws-java-sdk-minimal:1.12.215-339.vdc07efc5320c aws-java-sdk-ssm:1.12.215-339.vdc07efc5320c basic-branch-build-strategies:1.3.2 bitbucket-oauth:0.12 bootstrap4-api:4.6.0-5 bootstrap5-api:5.1.3-7 bouncycastle-api:2.26 branch-api:2.1046.v0ca_37783ecc5 build-timeout:1.21 caffeine-api:2.9.3-65.v6a_47d0f4d1fe checks-api:1.7.4 cloudbees-bitbucket-branch-source:773.v4b_9b_005b_562b_ cloudbees-folder:6.729.v2b_9d1a_74d673 command-launcher:84.v4a_97f2027398 conditional-buildstep:1.4.2 config-file-provider:3.10.0 copyartifact:1.46.4 credentials:1129.vef26f5df883c credentials-binding:523.vd859a_4b_122e6 data-tables-api:1.11.4-4 delivery-pipeline-plugin:1.4.2 dependency-check-jenkins-plugin:5.1.2 display-url-api:2.3.6 docker-commons:1.19 docker-workflow:1.28 durable-task:496.va67c6f9eefa7 ec2-fleet:2.5.1 echarts-api:5.3.2-2 email-ext:2.88 envinject:2.866.v5c0403e3d4df envinject-api:1.199.v3ce31253ed13 font-awesome-api:6.1.1-1 forensics-api:1.13.0 git:4.11.3 git-client:3.11.0 git-server:1.11 github:1.34.3 github-api:1.303-400.v35c2d8258028 github-branch-source:1637.vd833b_7ca_7654 gradle:1.39 handlebars:3.0.8 handy-uri-templates-2-api:2.1.8-22.v77d5b_75e6953 http_request:1.15 ignore-committer-strategy:1.0.4
jackson2-api:2.13.3-285.vc03c0256d517 javadoc:217.v905b_86277a_2a_ javax-activation-api:1.2.0-3 javax-mail-api:1.6.2-6 jaxb:2.3.6-1 jdk-tool:1.5 jjwt-api:0.11.5-77.v646c772fddb_0 job-dsl:1.79 jquery:1.12.4-1 jquery-detached:1.2.1 jquery3-api:3.6.0-4 jsch:0.1.55.2 junit:1119.va_a_5e9068da_d7 lockable-resources:2.15 mailer:414.vcc4c33714601 matrix-project:771.v574584b_39e60 maven-plugin:3.19 mercurial:2.16.2 momentjs:1.1.1 next-build-number:1.8 nodejs:1.5.1 okhttp-api:4.9.3-105.vb96869f8ac3a parameterized-trigger:2.44 pipeline-aws:1.43 pipeline-build-step:2.18 pipeline-graph-analysis:195.v5812d95a_a_2f9 pipeline-groovy-lib:591.v3a_7f422b_d058 pipeline-input-step:448.v37cea_9a_10a_70 pipeline-milestone-step:101.vd572fef9d926 pipeline-model-api:2.2086.v12b_420f036e5 pipeline-model-definition:2.2086.v12b_420f036e5 pipeline-model-extensions:2.2086.v12b_420f036e5 pipeline-rest-api:2.24 pipeline-stage-step:293.v200037eefcd5 pipeline-stage-tags-metadata:2.2086.v12b_420f036e5 pipeline-stage-view:2.24 plain-credentials:1.8 plugin-util-api:2.17.0 popper-api:1.16.1-3 popper2-api:2.11.5-2 prism-api:1.28.0-2 remote-file:1.22 resource-disposer:0.19 run-condition:1.5 scm-api:608.vfa_f971c5a_a_e9 script-security:1175.v4b_d517d6db_f0 slack:608.v19e3b_44b_b_9ff snakeyaml-api:1.30.1 sonar:2.14 ssh-credentials:277.v95c2fec1c047 ssh-slaves:1.814.vc82988f54b_10 sshd:3.237.v883d165a_c1d3 structs:318.va_f3ccb_729b_71 timestamper:1.17 token-macro:293.v283932a_0a_b_49 trilead-api:1.57.v6e90e07157e1 variant:1.4 warnings-ng:9.12.0 workflow-aggregator:581.v0c46fa_697ffd workflow-api:1164.v760c223ddb_32 workflow-basic-steps:948.v2c72a_091b_b_68 workflow-cps:2725.v7b_c717eb_12ce workflow-durable-task-step:1144.vd77b_57189936 workflow-job:1186.v8def1a_5f3944 workflow-multibranch:716.vc692a_e52371b_ workflow-scm-step:400.v6b_89a_1317c9a_ workflow-step-api:625.vd896b_f445a_f8 workflow-support:820.vd1a_6cc65ef33 ws-cleanup:0.42
```

What Operating System are you using (both controller, and any agents involved in the problem)?

Linux 4.14.275-142.503.amzn1.x86_64 #1 SMP Fri Apr 15 00:03:16 UTC 2022 x86_64 x86_64 x86_64 GNU/Linux

Reproduction steps

  1. Navigate to a multibranch pipeline project
  2. Select a branch
  3. Select a build
  4. Inspect the SCM repository URL

Expected Results

https://bitbucket.org/MyWorkspace/my-repo

Actual Results

Repository: https://x-token-auth:{my_very_long_and_random_token}@bitbucket.org/MyWorkspace/my-repo.git

Anything else?

For some reason all of a sudden the full BitBucket auth token is shown in plain text on every build page and in the console logs. It's unclear to me which dependency exactly has caused this, but I'm guessing it's got something to do with BitBucket or SSH auth as I'm not seeing the same with Multibranch GitHub projects.

It seems not necessary to include the token, even in plain sight, in the display URL, or at all. Who can explain this change?

Slightly related: https://issues.jenkins.io/browse/JENKINS-66692?jql=resolution%20is%20EMPTY%20AND%20component%20%3D%20bitbucket-branch-source-plugin
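As an added illustration of the defensive side of this report (example code, not part of the plugin or the reporter's post): the leak is an `https://user:secret@host/...` URL reaching a build page or console log. The helper below scans constructed sample log lines for http(s) URLs that carry a userinfo component and returns them with the userinfo stripped, which is the check a log sink or display layer would want. The log lines and the token value are constructed for the example.

```python
"""Detect and redact credentials embedded as URL userinfo (e.g. the
https://x-token-auth:<token>@bitbucket.org/... form) in log output.
Added example; the sample log lines and token below are constructed."""
import re
from urllib.parse import urlsplit, urlunsplit

# Matches http(s) URLs whose authority contains userinfo ("user[:secret]@host").
# Limited to http(s): an ssh:// URL's "git@" user is not a secret.
_URL_WITH_USERINFO = re.compile(r"https?://[^\s/@]+@[^\s'\"<>]+")


def redact_url(url: str) -> str:
    """Return the URL with any userinfo removed, keeping scheme, host, port and path."""
    parts = urlsplit(url)
    if not parts.username and not parts.password:
        return url  # nothing embedded, leave untouched
    host = parts.hostname or ""
    if parts.port:
        host = f"{host}:{parts.port}"
    return urlunsplit((parts.scheme, host, parts.path, parts.query, parts.fragment))


def redact_line(line: str) -> str:
    """Redact every credential-bearing URL found in a single log line."""
    return _URL_WITH_USERINFO.sub(lambda m: redact_url(m.group(0)), line)


def find_leaks(lines):
    """Return (line_number, redacted_line) for each line that leaked a credential."""
    return [(n, redact_line(l)) for n, l in enumerate(lines, 1)
            if _URL_WITH_USERINFO.search(l)]


# Constructed console output modelled on the report above; token is a placeholder.
SAMPLE_LOG = [
    "Started by user admin",
    "Cloning repository https://x-token-auth:EXAMPLE_TOKEN_abc123@bitbucket.org/MyWorkspace/my-repo.git",
    "Checking out Revision 1a2b3c (refs/remotes/origin/main)",
    " > git fetch --tags https://x-token-auth:EXAMPLE_TOKEN_abc123@bitbucket.org:443/MyWorkspace/my-repo.git +refs/heads/*:refs/remotes/origin/*",
    "Repository: https://bitbucket.org/MyWorkspace/my-repo",
]

if __name__ == "__main__":
    for n, redacted in find_leaks(SAMPLE_LOG):
        print(f"line {n} leaked a credential; redacted: {redacted}")
```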

Hildebrand-Ritense commented 2 years ago

I've further looked into this and it's only occurring when using OAuth credentials. My solution now is to use an App password instead.

For others stumbling across this; switch from using OAuth credentials to App passwords.

rgaduput commented 1 year ago

Hi, App passwords are tied to an individual account, which makes them hard to use for pipelines. The plugin shows the token in logs and also in build git changes, which is a security issue. Any idea if there is some plan to fix it?

Thanks.

bohdantverdyi commented 1 year ago

+1. There is no reason to use OAuth credentials, since they're not secure.

nfalco79 commented 3 days ago

Fixed by SECURITY-3363