Open timja opened 5 years ago
Seeing strange behavior
If I use the echo below, the password is not printed in the top-level step:
wrap([$class: 'MaskPasswordsBuildWrapper', varPasswordPairs: [[password: pwd, var: user]]]) {
this.sh(script: "echo pwd is : ${pwd} and user : ${user} abc0-myrepo2-0-prd.site.my.net").toString().trim()
}
but if I remove abc0-myrepo2-0-prd.site.my.net then the header shows the pwd:
wrap([$class: 'MaskPasswordsBuildWrapper', varPasswordPairs: [[password: pwd, var: user]]]) {
this.sh(script: "echo pwd is : ${pwd} and user : ${user} ").toString().trim()
}
Adding here for reference to whoever is working on fixing this. Thanks.
Hi,
I am facing the same issue but for me also the pipeline steps view (flowGraphTable) is affected and reveals all my sensitive data. I also tried using the log file filter plugin as well but the same behaviour could be observed.
The issue can be explored by using the following pipeline snippet:
node {
def someSecret = "someSecret"
wrap([$class: 'MaskPasswordsBuildWrapper', varPasswordPairs: [[password: someSecret]]])
{
echo "Secret String: " + someSecret
}
}
The console + raw log is hiding the secret properly:
Blue Ocean UI reveals the secret inside the header:
Pipeline Steps View reveals secrets as well:
Is there anything I am doing wrong here or is there another approach recommended for hiding sensitive data? Any help to solve the issue is highly appreciated.
Best Regards,
Simon
This is also happening with workflow-cps 2.87 and mask-passwords 2.13. This seems to be a huge security flaw which was somehow introduced in some recent update of workflow-cps. I'm actually surprised how not many more people are talking about this.
Is there any workaround or the only solution is to downgrade workflow-cps?
Hello there,
This is quite a serious matter!!! Is anyone taking care of this???
Credentials as parameters are displayed in plain text.
password(defaultValue: '', description: 'Password', name: "pass"),
Even if you mouseover the credentials are displayed in plaintext.
Kind regards,
JD
The workaround that my team used was to add the secret variables in a withEnv block like this:
withEnv(['PASSWORD=mypassword']) { sh 'echo $PASSWORD' }
This would stop the pipeline steps from showing the command and instead would just print "Shell Script".
This is a workaround - I really hope the team fixes this soon as it is a big security flaw.
I did manage to get this working using pritam35's suggestion. The trick is to use single quotes per the documentation spec here: jenkins.io/doc/pipeline/steps/credentials-binding/ The same logic with env variable interpolation seems to apply.
Here's a working config that is masked both in logs and in the BlueOcean step header.
token = "super-secret-sauce"
final URL = "https://${token}@url.io/"
wrap([$class: 'MaskPasswordsBuildWrapper', varPasswordPairs: [[password: URL]]]) {
    withEnv(["URL=${URL}"]) {
        curlOut = this.sh(script: 'curl -s -w \"%{http_code}\" $URL', returnStdout: true)
        curlHttpCode = curlOut.replaceAll("\\s", "").replaceAll("\\n|\\r", "").replaceAll("\\{|\\}", "")
        echo curlHttpCode
        assert curlHttpCode.equals("200")
    }
}
The documentation says it is not recommended to use Groovy string interpolation with secrets. See JENKINS-47101.
If you follow that recommendation and use single-quoted string literals there is no issue.
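As an added illustration (not code from this thread or from the plugins involved), here is the same shell step written both ways in a Jenkinsfile: once with Groovy interpolation, which is the pattern the reports above leak through, and once with a single-quoted script that reads the secret from the environment, which is the recommendation just quoted and the withEnv workaround from earlier in the thread. The credentials id 'example-api-token', the host example.invalid and the sample password are placeholders assumed for the example.

```groovy
// Added example, not from the original thread. Assumed placeholders:
// credentialsId 'example-api-token', host example.invalid, sample password.
node {
    // LEAKS: "${TOKEN}" is expanded by Groovy on the controller, so the
    // secret becomes part of the literal argument handed to the sh step.
    // Console-log masking rewrites the log output only; the step argument
    // is what Blue Ocean step headers and the Pipeline Steps view show.
    withCredentials([string(credentialsId: 'example-api-token', variable: 'TOKEN')]) {
        sh "curl -s -H \"Authorization: Bearer ${TOKEN}\" https://example.invalid/api"
    }

    // SAFE: single-quoted Groovy string, so the step argument contains the
    // literal text $TOKEN. The shell expands it from the environment that
    // withCredentials injects, and the secret never appears in step metadata.
    withCredentials([string(credentialsId: 'example-api-token', variable: 'TOKEN')]) {
        sh 'curl -s -H "Authorization: Bearer $TOKEN" https://example.invalid/api'
    }

    // Same rule for the MaskPasswordsBuildWrapper + withEnv workaround:
    // put the value into the environment and reference it from a
    // single-quoted script instead of interpolating it into the command.
    def pwd = 'constructed-sample-password'   // constructed sample value
    wrap([$class: 'MaskPasswordsBuildWrapper', varPasswordPairs: [[password: pwd, var: 'PASSWORD']]]) {
        withEnv(["PASSWORD=${pwd}"]) {
            // ${PASSWORD:+yes} prints "yes" if the variable is set, never its value
            sh 'echo "PASSWORD is set: ${PASSWORD:+yes}"'
        }
    }
}
```

A quick check after deploying either form is to open the run in Blue Ocean and in the classic Pipeline Steps view and confirm that the step header shows only the literal `$TOKEN` / `$PASSWORD` text; if the expanded value is visible there, the script string is still being interpolated by Groovy somewhere.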
Try using the Groovy escape character "\" in front of the dollar sign in double-quoted content:
withCredentials(bindings: [certificate(credentialsId: 'jenkins-certificate-for-xyz',
                                       keystoreVariable: 'CERTIFICATE_FOR_XYZ',
                                       // shell variable names cannot contain "-", so use "_"
                                       passwordVariable: 'XYZ_CERTIFICATE_PASSWORD')]) {
    sh """
    echo \${XYZ_CERTIFICATE_PASSWORD}
    """
}
When utilizing the "Mask Passwords Plugin" https://wiki.jenkins.io/display/JENKINS/Mask+Passwords+Plugin
In a Jenkins Pipeline Job as follows:
Within the "normal" Jenkins job logs this is properly masked, as expected, and appears as follows:
+ /bin/bash script.sh -p ********
When viewing these same logs in the "BlueOcean" pane, the top-level step displays the command line including the password in plaintext. When selecting the "dropdown" on this item within Blue Ocean, the log displays the same command line with the data properly "masked".
Top Level/Label in Blue Ocean:
/bin/bash script.sh -p mysupersekr3tp@sswordstuffz
Drop-Down in Blue Ocean:
+ /bin/bash script.sh -p ********
I'm not sure if there is some configuration I need to make within Blue Ocean, but "normal" logs are masked properly; it is only the "BlueOcean" logs which seem unmasked (even though when selecting the drop-down, the log is again masked).
Version(s):
Jenkins 2.176.1
BlueOcean Plugin: 1.17.0
Mask Passwords Plugin 2.12.0
Note: I selected "components: core" as I "think" the BlueOcean Plugin is technically "core" now, and there isn't a component for "BlueOcean" specifically.
Originally reported by jlang1, imported from: BlueOcean UI and pipeline steps view (FlowGraphTable ) reveal sensitive data