Multiline secrets are not masked in console output

AdrianFarmadin commented 3 years ago

Version report

Jenkins and plugins versions report:

Jenkins: 2.277.2
OS: Linux - 4.15.0-128-generic
---
hashicorp-vault-plugin:3.8.0

What Operating System are you using (both controller, and any agents involved in the problem)?

Linux. This bug is OS independent

Reproduction steps

Save a secret with new line character in Vault. For example:
```
test
multi line
secret
```

Retrieve the secret with withVault closure

                withVault(vaultSecrets: [[path: 'secretPath',
                secretValues: [
                    [envVar: 'test', vaultKey: 'test']]]]) {
                    sh "echo \"$test\""
                }

the secret is printed in clear text in console output

Results

Expected result:

+ echo ****
****

Actual result:

+ echo test
multi line
secret
test
multi line
secret

jetersen commented 3 years ago

Not a bug, it's a known limitation of the Jenkins console. There is not much todo without making the whole console full of masks 😅

fcano commented 3 years ago

Although it is working as expected, would it be possible to mask all secrets when they are printed in the console or maybe replaced by a placeholder like \<SECRET-CONTENT>? By using the placeholder it wouldn't be necessary to make the whole console full of masks.

dorbeus commented 4 months ago

How do you work around this in your pipelines and your build logs?

jenkinsci / hashicorp-vault-plugin