jenkinsci / hashicorp-vault-plugin

Jenkins plugin to populate environment variables from secrets stored in HashiCorp's Vault.
https://plugins.jenkins.io/hashicorp-vault-plugin/
MIT License
217 stars 143 forks

Secrets not masked in Stage Logs UI when using wrap([$class: 'VaultBuildWrapper'... #203

Open nfoxmttr opened 2 years ago

nfoxmttr commented 2 years ago

Version report

Jenkins and plugins versions report:

Jenkins: 2.319.1
OS: Linux - 5.10.76-linuxkit
---
ace-editor:1.1
ant:1.13
antisamy-markup-formatter:2.5
apache-httpcomponents-client-4-api:4.5.13-1.0
bootstrap4-api:4.6.0-3
bootstrap5-api:5.1.3-3
bouncycastle-api:2.25
branch-api:2.7.0
build-timeout:1.20
caffeine-api:2.9.2-29.v717aac953ff3
checks-api:1.7.2
cloudbees-folder:6.16
command-launcher:1.6
credentials:2.6.2
credentials-binding:1.27
display-url-api:2.3.5
durable-task:493.v195aefbb0ff2
echarts-api:5.2.2-1
email-ext:2.86
font-awesome-api:5.15.4-4
git:4.10.0
git-client:3.10.0
git-server:1.10
github:1.34.1
github-api:1.301-378.v9807bd746da5
github-branch-source:2.11.3
gradle:1.37.1
handlebars:3.0.8
hashicorp-vault-plugin:336.v182c0fbaaeb7
jackson2-api:2.13.0-230.v59243c64b0a5
jaxb:2.3.0.1
jdk-tool:1.5
jjwt-api:0.11.2-9.c8b45b8bb173
jquery3-api:3.6.0-2
jsch:0.1.55.2
junit:1.53
ldap:2.7
lockable-resources:2.12
mailer:1.34
matrix-auth:2.6.11
matrix-project:1.19
momentjs:1.1.1
okhttp-api:4.9.3-105.vb96869f8ac3a
pam-auth:1.6.1
pipeline-build-step:2.15
pipeline-github-lib:1.0
pipeline-graph-analysis:1.12
pipeline-input-step:2.12
pipeline-milestone-step:1.3.2
pipeline-model-api:1.9.3
pipeline-model-definition:1.9.3
pipeline-model-extensions:1.9.3
pipeline-rest-api:2.19
pipeline-stage-step:2.5
pipeline-stage-tags-metadata:1.9.3
pipeline-stage-view:2.19
plain-credentials:1.7
plugin-util-api:2.6.0
popper-api:1.16.1-2
popper2-api:2.10.2-1
resource-disposer:0.16
scm-api:2.6.5
script-security:1.78
snakeyaml-api:1.29.1
ssh-credentials:1.19
ssh-slaves:1.33.0
sshd:3.1.0
structs:308.v852b473a2b8c
timestamper:1.15
token-macro:267.vcdaea6462991
trilead-api:1.0.13
workflow-aggregator:2.6
workflow-api:1105.v3de5e2efac97
workflow-basic-steps:2.24
workflow-cps:2640.v00e79c8113de
workflow-cps-global-lib:552.vd9cc05b8a2e1
workflow-durable-task-step:1102.v9c8d2f466adb
workflow-job:2.42
workflow-multibranch:2.26
workflow-scm-step:2.13
workflow-step-api:613.v375732a042b1
workflow-support:3.8
ws-cleanup:0.39
Linux (Docker Desktop version 20.10.11, build dea9396 on MacOS 11.6.1)
Docker container: jenkins/jenkins:2.319.1-lts-jdk11

Reproduction steps

Masking a secret with wrap([$class: 'VaultBuildWrapper'... fails on the Stage View

def secrets = [
    [path: 'secret/thesecret', secretValues: [
        [envVar: 'THESECRET', vaultKey: 'thekey']]]
]

pipeline {
    agent any
    stages {
        stage('Prepare') {
            steps {
                script {
                    wrap([$class: 'VaultBuildWrapper', vaultSecrets: secrets]) {
                        // Groovy double-quoted string: ${THESECRET} is interpolated on the
                        // controller, so the resolved secret value becomes part of the
                        // sh step's argument rather than being expanded by the shell
                        RUNCMD="""echo heres my secret: ${THESECRET} ..did it show up"""
                        sh "${RUNCMD}"
                    }
                }
            }
        }
    }
}

This produces the following:

[image: failed]

However, the same pipeline using withVault works fine.

def secrets = [
    [path: 'secret/thesecret', secretValues: [
        [envVar: 'THESECRET', vaultKey: 'thekey']]]
]

pipeline {
    agent any
    stages {
        stage('Prepare') {
            steps {
                script {
                    withVault([vaultSecrets: secrets]) {
                        // Same double-quoted Groovy interpolation as above; only the
                        // wrapper step differs
                        RUNCMD="""echo heres my secret: ${THESECRET} ..did it show up"""
                        sh "${RUNCMD}"
                    }
                }
            }
        }
    }
}

[image: success]

Results

Expected result:

For it to show up like the latter.

Actual result:

See above.

pavankumarbugga commented 2 years ago

We are also seeing this issue in our environment. We understand there is a simple fix: switching from double quotes to single quotes when invoking a shell script in the pipeline. But we can't make our users do that. It would be good to fix this at the plugin level.

Do let us know if some work is going on or some strategy to handle this secrets exposure.
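As an added example (not code from the issue or from the plugin project), the reproducer rewritten with the single-quoted shell command that the comment above suggests. With single quotes Groovy never interpolates `${THESECRET}`: the controller passes the literal text `$THESECRET` to the sh step, so the secret value is not part of the recorded step argument, and the shell on the agent expands it from the environment at run time. The command also avoids echoing the value at all and only checks that it is set. The path `secret/thesecret`, key `thekey` and env var `THESECRET` are taken from the issue; the stage layout and the check are assumptions.

```groovy
// Added example, not the plugin's own code: the issue's reproducer with the
// shell command single-quoted so Groovy never interpolates the secret.
def secrets = [
    [path: 'secret/thesecret', secretValues: [
        [envVar: 'THESECRET', vaultKey: 'thekey']]]
]

pipeline {
    agent any
    stages {
        stage('Prepare') {
            steps {
                script {
                    // Single-quoted Groovy string: no interpolation on the controller.
                    // The sh step's argument contains the text "$THESECRET", not the value;
                    // the agent's shell expands it from the environment when the step runs.
                    RUNCMD = '''
                        # Verify the secret was injected without printing its value
                        [ -n "$THESECRET" ] || { echo "THESECRET is not set" >&2; exit 1; }
                        echo "THESECRET is set"
                    '''
                    // The wrap() form the issue reports as unmasked, with the safe quoting
                    wrap([$class: 'VaultBuildWrapper', vaultSecrets: secrets]) {
                        sh RUNCMD
                    }
                    // The withVault form the issue reports as working, same quoting
                    withVault([vaultSecrets: secrets]) {
                        sh RUNCMD
                    }
                }
            }
        }
    }
}
```

The same rule applies to any Groovy string that ends up as a step argument (`sh`, `bat`, `echo`, `withCredentials` parameters): keep secret environment variables out of double-quoted and triple-double-quoted strings so that only the masked console output can ever carry the value.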