tabeyti / jenkins-jack

Jack into your Jenkins to execute Pipeline scripts, provide Pipeline step autocompletions, pull Shared Library step documentation, run console groovy scripts across multiple nodes, and more! Honestly, not that much more.

Password stored in plain text #46

Open rkiss opened 3 years ago

rkiss commented 3 years ago

The username and password used to connect to a Jenkins instance are stored in plain text in the json file. This is a security issue.

tabeyti commented 3 years ago

@rkiss I recommend using authentication tokens instead of your user password when configuring your connection. As far as the authentication token living in the json file, that definitely is a security concern, but there are no immediate plans for integrating with any password/credentials services like Vault right now.

If we see more of a need surrounding the request, we can re-evaluate the priority on the enhancement.

bendem commented 3 years ago

I find this extension awesome, but this is a dealbreaker. I'm not storing my password in random config files, especially jenkins credentials which basically give access to all the servers we deploy to (if you can create a pipeline, you can basically execute anything on any server). It'd be great if the extension prompted for the password when connecting and kept it in memory.
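As an added example (not code from jenkins-jack or from any of the commenters), the following TypeScript shows the two mitigations raised in this thread together: the API token suggested in the maintainer's reply is pulled out of the on-disk settings JSON into a secret store, and the connect-time prompt asked for in the last comment supplies it when nothing is stored yet. The config field names, the `secretKey` layout and the `InMemorySecretStore` are assumptions made for this example; a real extension would back the same get/store/delete interface with VS Code's `SecretStorage` (`context.secrets`), whose methods return promises, and would take the prompt from `window.showInputBox` with `password: true`.

```typescript
// Added example, not jenkins-jack code: keep the Jenkins API token out of the
// on-disk connection config and resolve it from a secret store at connect time.

// Shape of one connection entry in a settings JSON file. The field names are
// assumptions for this example, not the extension's actual schema.
interface ConnectionConfig {
  name: string;
  uri: string;
  username: string;
  password?: string; // legacy plaintext field this example removes
}

// Minimal secret-store contract with the get/store/delete trio that VS Code's
// SecretStorage exposes; kept synchronous here so the example runs stand-alone.
interface SecretStore {
  get(key: string): string | undefined;
  store(key: string, value: string): void;
  delete(key: string): void;
}

// In-memory backing store: nothing touches disk, matching the request above to
// keep the credential only in memory for the session.
class InMemorySecretStore implements SecretStore {
  private secrets: Record<string, string> = {};
  get(key: string): string | undefined { return this.secrets[key]; }
  store(key: string, value: string): void { this.secrets[key] = value; }
  delete(key: string): void { delete this.secrets[key]; }
}

// Key under which a connection's token lives; scoped per connection and user
// so two connections never share or overwrite each other's secret.
function secretKey(conn: ConnectionConfig): string {
  return `jenkins-jack:${conn.name}:${conn.username}`;
}

// Audit helper: names of connections that still carry a plaintext secret.
function findPlaintextSecrets(settingsJson: string): string[] {
  const conns = JSON.parse(settingsJson) as ConnectionConfig[];
  return conns
    .filter(c => typeof c.password === "string" && c.password.length > 0)
    .map(c => c.name);
}

// One-time migration: move every plaintext password/token into the secret
// store and return the scrubbed entries, which are safe to write back to disk.
function migrateToSecretStore(settingsJson: string, store: SecretStore): ConnectionConfig[] {
  const conns = JSON.parse(settingsJson) as ConnectionConfig[];
  for (const c of conns) {
    if (c.password) {
      store.store(secretKey(c), c.password);
      delete c.password;
    }
  }
  return conns;
}

// Connect-time resolution: use the stored token, otherwise ask the user once.
// `prompt` stands in for an input box and is only called when nothing is stored.
function resolveToken(conn: ConnectionConfig, store: SecretStore, prompt: () => string): string {
  const existing = store.get(secretKey(conn));
  if (existing !== undefined) return existing;
  const entered = prompt();
  store.store(secretKey(conn), entered);
  return entered;
}

// Constructed sample settings content for the demo; not from any real install.
const SAMPLE_SETTINGS = JSON.stringify([
  { name: "ci", uri: "https://jenkins.example.invalid", username: "alice", password: "hunter2" },
  { name: "staging", uri: "https://staging.example.invalid", username: "bob" }
]);

// Runs the audit, the migration and a connect against the migrated config.
function demo(): { flagged: string[]; scrubbed: ConnectionConfig[]; token: string } {
  const store = new InMemorySecretStore();
  const flagged = findPlaintextSecrets(SAMPLE_SETTINGS);
  const scrubbed = migrateToSecretStore(SAMPLE_SETTINGS, store);
  // The prompt must not fire here: the token was migrated into the store.
  const token = resolveToken(scrubbed[0], store, () => { throw new Error("prompt should not be called"); });
  return { flagged, scrubbed, token };
}

const result = demo();
console.log("plaintext secrets found in:", result.flagged);
console.log("scrubbed config:", JSON.stringify(result.scrubbed));
```

The audit step is what a reviewer would run over an existing settings file to see which connections are still exposed; the migration and `resolveToken` are the two halves of the fix, and because the store is keyed per connection and user, revoking or rotating one token never disturbs another connection's entry.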