Jenkins issue JENKINS-10326

Password is exposed in build metadata.

Details

• Type: Bug
• Status: Resolved
• Priority: Critical
• Resolution: Fixed
• Component/s: perforce-plugin
• Labels: None
• Environment: Perforce Plugin 1.2.8

Description

I've recently discovered that the perforce plugin stores the Perforce password in plain text in the build.xml files used for serializing build information. This seems to be a side effect of the PerforceTagAction including the Depot object for later use during tagging, which has the password inside it. This may or may not depend upon JENKINS-2947, as that would eliminate the need for the Depot object to be stored.

Activity

miktap Mikko Tapaninen added a comment -

        Has there been any progress on this one? Any insight to give what to actually look at if we fix it on our end and provide a patch later?

        rpetti Rob Petti added a comment -

        No progress has been made, mostly because it isn't an issue so long as your server is secure. If you want, you can look at the PerforceTagAction implementation. It should be changed so that instead of storing the Depot object as a member variable, it calls getDepot on the PerforceSCM object for the project in question when it's needed. That will prevent the password from being serialized in plain text, while still allowing tagging to work. At least that's the theory...

I should point out that this is only an issue if you grant access to the build metadata in the first place (i.e., the build.xml files within the Jenkins home directory). It's important to realize that if other people have access to the Jenkins XML files, fixing this issue will not make your server any more secure. The password is still stored in encrypted form in the project config xml, but it's easily decrypted by someone who knows where to look for the decryption algorithm.

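Added check, not part of the issue thread and not code from Jenkins or the perforce-plugin: the description says the tag action's Depot object, password included, gets serialized into each build's build.xml, and the comment above notes that the exposure matters as soon as anyone can read those files. The script below audits a JENKINS_HOME for exactly that condition. It walks jobs/*/builds/*/build.xml, parses each record and reports every element whose tag name looks like a credential field and carries a value. The sample record embedded in it is constructed for illustration; the element names it uses (hudson.plugins.perforce.PerforceTagAction, depot, password) are an assumption about what the plugin's XStream output looks like, not taken from the plugin's source.

```python
"""Audit JENKINS_HOME build records for credentials serialized in build.xml.

Added illustration for JENKINS-10326; not code from Jenkins or the perforce-plugin.
Element names in the sample (hudson.plugins.perforce.PerforceTagAction, depot,
password) are assumptions about the plugin's XStream output.
"""
import os
import re
import tempfile
import xml.etree.ElementTree as ET
from typing import Iterator, List, Tuple

# Tag names that normally hold a secret if serialized verbatim.
SECRET_TAG = re.compile(r"password|passwd|passphrase|secret|apitoken", re.IGNORECASE)

# Constructed sample of the record the issue describes: the tag action's Depot
# object is written out with the build, password and all.
SAMPLE_BUILD_XML = """<build>
  <actions>
    <hudson.plugins.perforce.PerforceTagAction>
      <depot>
        <port>perforce.example.internal:1666</port>
        <user>jenkins</user>
        <password>hunter2</password>
      </depot>
    </hudson.plugins.perforce.PerforceTagAction>
  </actions>
  <number>42</number>
  <result>SUCCESS</result>
</build>
"""


def find_plaintext_secrets(xml_text: str) -> List[Tuple[str, str]]:
    """Return (element path, value) for every secret-looking element with a value."""
    hits: List[Tuple[str, str]] = []

    def walk(elem: ET.Element, path: str) -> None:
        # ElementTree has no parent links, so carry the path down explicitly.
        here = f"{path}/{elem.tag}"
        value = (elem.text or "").strip()
        if value and SECRET_TAG.search(elem.tag):
            hits.append((here, value))
        for child in elem:
            walk(child, here)

    walk(ET.fromstring(xml_text), "")
    return hits


def iter_build_xml(jenkins_home: str) -> Iterator[str]:
    """Yield the path of every jobs/<job>/builds/<build>/build.xml under jenkins_home."""
    jobs = os.path.join(jenkins_home, "jobs")
    if not os.path.isdir(jobs):
        return
    for job in sorted(os.listdir(jobs)):
        builds = os.path.join(jobs, job, "builds")
        if not os.path.isdir(builds):
            continue
        for build in sorted(os.listdir(builds)):
            candidate = os.path.join(builds, build, "build.xml")
            if os.path.isfile(candidate):
                yield candidate


def scan_jenkins_home(jenkins_home: str) -> List[Tuple[str, str, str]]:
    """Return (file, element path, value) for each leaked credential found."""
    findings: List[Tuple[str, str, str]] = []
    for path in iter_build_xml(jenkins_home):
        with open(path, encoding="utf-8", errors="replace") as fh:
            text = fh.read()
        try:
            for elem_path, value in find_plaintext_secrets(text):
                findings.append((path, elem_path, value))
        except ET.ParseError:
            continue  # unreadable record; a real audit should list these too
    return findings


def write_fixture(root: str) -> str:
    """Lay out a minimal JENKINS_HOME containing the sample record; returns its path."""
    build_dir = os.path.join(root, "jobs", "p4-checkout", "builds", "42")
    os.makedirs(build_dir, exist_ok=True)
    path = os.path.join(build_dir, "build.xml")
    with open(path, "w", encoding="utf-8") as fh:
        fh.write(SAMPLE_BUILD_XML)
    return path


def demo_scan() -> List[Tuple[str, str, str]]:
    """Scan a throwaway JENKINS_HOME built from the sample record."""
    home = tempfile.mkdtemp(prefix="jenkins-home-")
    write_fixture(home)
    return scan_jenkins_home(home)


def mask(value: str) -> str:
    """Show only the first two characters so the report does not leak the secret again."""
    return value[:2] + "*" * max(len(value) - 2, 0)


if __name__ == "__main__":
    import sys
    results = scan_jenkins_home(sys.argv[1]) if len(sys.argv) > 1 else demo_scan()
    for file_path, elem_path, value in results:
        print(f"{file_path}: {elem_path} = {mask(value)}")
    print(f"{len(results)} credential(s) found in build metadata")
```

Run it with the Jenkins home as the only argument (for example `python audit_build_xml.py /var/lib/jenkins`); with no argument it builds a throwaway fixture from the sample and scans that. Treat any hit as a reason to rotate the credential rather than just delete the record: as the comment above points out, the same password is recoverable from the job's config.xml by anyone who can read the Jenkins home, so the real control is who can read those files.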
        miktap Mikko Tapaninen added a comment -

        Thanks Rob. I'll let you know if we start fixing this.


People

• Assignee: rpetti Rob Petti
• Reporter: rpetti Rob Petti
• Votes: 1
• Watchers: 0