JENKINS-12423

Password masked by Mask Passwords are visible when using envinject plugin

      Description

      If I use the mask-passwords plugin to create a masked password, and also use the envinject plugin to setup an environment, the masked password is visible from the "Injected Environment Variables" link for each build.

            Activity

            rmyung Roger Myung created issue -
            scm_issue_link SCM/JIRA link daemon added a comment -

            Code changed in jenkins
            User: fchabanois
            Path:
            src/main/java/org/jenkinsci/plugins/envinject/service/EnvInjectVariableGetter.java
            http://jenkins-ci.org/commit/envinject-plugin/617aa5ee13baea71c2dfe9c52a644e82dfba5d42
            Log:
            Fixed JENKINS-12423

            scm_issue_link SCM/JIRA link daemon added a comment -

            Code changed in jenkins
            User: Florence.Chabanois
            Path:
            src/main/java/org/jenkinsci/plugins/envinject/EnvInjectListener.java
            src/main/java/org/jenkinsci/plugins/envinject/service/EnvInjectVariableGetter.java
            http://jenkins-ci.org/commit/envinject-plugin/a33b4167582f6b244d45ad5ea57da77f5e2cbc12
            Log:
            Fix JENKINS-12423

            gbois Gregory Boissinot made changes -
            Field Original Value New Value
            Status Open [ 1 ] Resolved [ 5 ]
            Resolution Fixed [ 1 ]
            scm_issue_link SCM/JIRA link daemon added a comment -

            Code changed in jenkins
            User: Florence.Chabanois
            Path:
            src/main/java/org/jenkinsci/plugins/envinject/EnvInjectListener.java
            src/main/java/org/jenkinsci/plugins/envinject/service/EnvInjectVariableGetter.java
            http://jenkins-ci.org/commit/envinject-plugin/72951ad6bd722fe908ba58c0f05e64ae70fa22d2
            Log:
            Fix JENKINS-12423

            mwint Mike Winters added a comment -

            With Jenkins 1.450, Perforce plugin 1.3.7, EnvInject 1.17, and Mask Passwords 2.7.2, the Perforce passwords are being displayed in plain text on the "Injected Environment Variables" page. I have tried setting the passwords to be masked in the global Jenkins config as well as in the individual jobs, but nothing I have tried is masking the passwords.

            mwint Mike Winters made changes -
            Environment (original value): envinject 1.9; mask-passwords 2.7.2; Jenkins ver. 1.424.1; Windows
            Environment (new value): envinject 1.9; mask-passwords 2.7.2; Jenkins ver. 1.424.1; Windows; Perforce plugin 1.3.7
            Component/s (new value): perforce [ 15506 ]
            mwint Mike Winters added a comment -

            Re-opening due to non-masking of Perforce passwords.

            mwint Mike Winters made changes -
            Resolution Fixed [ 1 ]
            Status Resolved [ 5 ] Reopened [ 4 ]
            gbois Gregory Boissinot added a comment -

            I tested and I have reproduced the problem with the EnvInject and the mask-passwords plugins.

            Native password parameters (provided by Jenkins core) are masked.
            However, passwords provided by the mask-passwords plugin are visible.

            The problem is that the mask-passwords plugin uses custom password parameters (labeled Non stored password) and the envinject plugin is not aware of this specific new type.
            Technically, the mask-passwords plugin uses the class 'com.michelin.cio.hudson.plugins.passwordparam.PasswordParameterValue' and the envinject plugin is not aware of this class.
            We know if it is a password parameter only by the class itself and not by an inherited property set to a specific value (such as a boolean).
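
The class-based detection described in the comment above, as an added Java example that is not part of the original thread or of either plugin's code: a viewer that masks only the password type it knows shows a password type from another plugin in plaintext, while a check on an inherited flag covers both. All class and method names here (`ParamValue`, `isSecret`, `CorePasswordValue`, `PluginPasswordValue`) are hypothetical stand-ins, and the sample values are constructed.

```java
import java.util.ArrayList;
import java.util.Arrays;
import java.util.LinkedHashMap;
import java.util.List;
import java.util.Map;

public class EnvVarMaskingDemo {

    static final String MASK = "********";

    // Stand-in for a build parameter value. Hypothetical; not the Jenkins core class.
    static class ParamValue {
        final String name;
        final String value;

        ParamValue(String name, String value) {
            this.name = name;
            this.value = value;
        }

        // Hypothetical inherited flag: a subclass overrides it to declare its value secret.
        boolean isSecret() {
            return false;
        }
    }

    // Stand-in for the password type the variable viewer was written against.
    static class CorePasswordValue extends ParamValue {
        CorePasswordValue(String name, String value) { super(name, value); }
        @Override boolean isSecret() { return true; }
    }

    // Stand-in for a password type shipped by a separate plugin, unknown to the viewer.
    static class PluginPasswordValue extends ParamValue {
        PluginPasswordValue(String name, String value) { super(name, value); }
        @Override boolean isSecret() { return true; }
    }

    // Class-based detection: only the one type known at compile time is masked.
    static Map<String, String> renderByClass(List<ParamValue> params) {
        Map<String, String> shown = new LinkedHashMap<>();
        for (ParamValue p : params) {
            shown.put(p.name, p instanceof CorePasswordValue ? MASK : p.value);
        }
        return shown;
    }

    // Property-based detection: any type that declares itself secret is masked.
    static Map<String, String> renderByProperty(List<ParamValue> params) {
        Map<String, String> shown = new LinkedHashMap<>();
        for (ParamValue p : params) {
            shown.put(p.name, p.isSecret() ? MASK : p.value);
        }
        return shown;
    }

    // Names of secret parameters whose plaintext survives in the rendered view.
    static List<String> leaked(List<ParamValue> params, Map<String, String> shown) {
        List<String> names = new ArrayList<>();
        for (ParamValue p : params) {
            if (p.isSecret() && p.value.equals(shown.get(p.name))) {
                names.add(p.name);
            }
        }
        return names;
    }

    public static void main(String[] args) {
        // Constructed sample parameters; the values are placeholders.
        List<ParamValue> params = Arrays.asList(
            new ParamValue("BRANCH", "main"),
            new CorePasswordValue("DEPLOY_PASSWORD", "placeholder-1"),
            new PluginPasswordValue("SCM_PASSWORD", "placeholder-2"));

        System.out.println("class check    : " + renderByClass(params)
            + " leaked=" + leaked(params, renderByClass(params)));
        System.out.println("property check : " + renderByProperty(params)
            + " leaked=" + leaked(params, renderByProperty(params)));
    }
}
```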

            mwint Mike Winters added a comment -

            In the case of the Perforce passwords, the issue was happening before I installed the Mask Passwords plugin (I only installed that in an attempt to hide the passwords). It seems that perhaps the Perforce plugin (and plugins for other source control systems?) are exposing the passwords in a way that the EnvInject plugin doesn't know to look for. I'm not sure where the best place to fix this is, or what the optimal fix should be, as I am not familiar with the Jenkins codebase or the code for any of the relevant plugins. However, the quicker a solution can be implemented, the happier I will be. Thanks!

            scm_issue_link SCM/JIRA link daemon added a comment -

            Code changed in jenkins
            User: Gregory Boissinot
            Path:
            src/main/java/org/jenkinsci/plugins/envinject/EnvInjectListener.java
            src/main/java/org/jenkinsci/plugins/envinject/service/EnvInjectVariableGetter.java
            http://jenkins-ci.org/commit/envinject-plugin/a7a11d9ca6ad9ca109b0a601aae7b3b5e2309d56
            Log:
            Fix JENKINS-12423

            gbois Gregory Boissinot added a comment - - edited

            I provided a hack on my envinject plugin to fix this issue.
            This tip should work in most cases.
            I tested with mask-passwords plugin combined with the envinject plugin, it seems to be OK.

            Regarding the perforce plugin, I don't know and I don't have this tool. And due to the complexity of its installation, I have not tested with the perforce plugin.

            If the issue persists with only the perforce plugin (it's OK with the envinject and the mask-passwords plugins), reopen it with only the perforce component.

            gbois Gregory Boissinot made changes -
            Status Reopened [ 4 ] Resolved [ 5 ]
            Resolution Fixed [ 1 ]
            mwint Mike Winters added a comment -

            From JENKINS-12747:
            On further investigation, it appears that the password that the EnvInject 1.20 plugin is exposing is NOT coming from the Perforce plugin, but from the global password defined with the Mask Password plugin (Jenkins->Manage Jenkins->Configure System->Mask Passwords - Global name/password pairs). The Perforce plugin/EnvInject plugin are still showing P4CLIENT, P4PORT, and P4USER, but I'm not too worried about exposing those.

            mwint Mike Winters made changes -
            Resolution Fixed [ 1 ]
            Status Resolved [ 5 ] Reopened [ 4 ]
            gbois Gregory Boissinot added a comment -

            You're right.
            I forgot to test global passwords with the mask-passwords plugin.
            However, job password parameters (in the core and in the core passwords plugin) work as expected in the envinject plugin.

            I looked at the code. It's a big issue.
            Would it suit you to manage global passwords with the EnvInject plugin? In my opinion, managing passwords directly in the envinject plugin is the best way to deal with this issue.

            scm_issue_link SCM/JIRA link daemon added a comment -

            Code changed in jenkins
            User: Gregory Boissinot
            Path:
            src/main/java/org/jenkinsci/plugins/envinject/EnvInjectGlobalPasswordEntry.java
            src/main/java/org/jenkinsci/plugins/envinject/EnvInjectGlobalPasswordWrapper.java
            src/main/java/org/jenkinsci/plugins/envinject/EnvInjectListener.java
            src/main/java/org/jenkinsci/plugins/envinject/EnvInjectNodeProperty.java
            src/main/java/org/jenkinsci/plugins/envinject/service/EnvInjectGlobalPasswordRetriever.java
            src/main/resources/org/jenkinsci/plugins/envinject/EnvInjectNodeProperty/global.jelly
            src/main/resources/org/jenkinsci/plugins/envinject/EnvInjectNodeProperty/help-name.html
            src/main/resources/org/jenkinsci/plugins/envinject/EnvInjectNodeProperty/help-password.html
            src/main/resources/org/jenkinsci/plugins/envinject/Messages.properties
            src/main/webapp/help-buildWrapperGlobalPasswords.html
            http://jenkins-ci.org/commit/envinject-plugin/9bbe67a0f9cb48c511d679724fb857e6e6e8cd53
            Log:
            Add the ability to inject global passwords in the EnvInject plugin
            Fix JENKINS-12423

            Compare: https://github.com/jenkinsci/envinject-plugin/compare/842c9d5...9bbe67a

            gbois Gregory Boissinot added a comment -

            Using passwords via the envinject plugin should fix the issue.

            gbois Gregory Boissinot made changes -
            Status Reopened [ 4 ] Resolved [ 5 ]
            Resolution Fixed [ 1 ]
            walterk82 Walter Kacynski made changes -
            Link This issue is related to JENKINS-12161 [ JENKINS-12161 ]
            walterk82 Walter Kacynski added a comment -

            I'm trying to work thru this issue as well but I can't seem to find the necessary options to hide this information from the Injected Environment Variables screen. I also found JENKINS-12161 and linked that in, but it doesn't seem to make a difference.

            walterk82 Walter Kacynski made changes -
            Resolution Fixed [ 1 ]
            Status Resolved [ 5 ] Reopened [ 4 ]
            gbois Gregory Boissinot added a comment -

            In Manage Jenkins > Configure System,
            add a global password.

            Then, in the job configuration page,
            in the Build Environment section, check 'Inject global passwords as environment variables'.

            gbois Gregory Boissinot made changes -
            Status Reopened [ 4 ] Resolved [ 5 ]
            Resolution Fixed [ 1 ]
            nnau Natalia Naumova added a comment -

            jenkins 1.463
            Envinject 1.50
            mask-password 2.7.2
            still reproducible

            nnau Natalia Naumova made changes -
            Resolution Fixed [ 1 ]
            Status Resolved [ 5 ] Reopened [ 4 ]
            gbois Gregory Boissinot added a comment -

            There is an incompatibility between the maskpassword plugin and the envinject Jenkins plugin. The two can't interact. MaskPassword provides its own class and EnvInject can't retrieve them dynamically.
            With the fix, the EnvInject plugin incorporates all features of the Mask password plugin.
            You no longer need the maskpasswords plugin. For now, you inject password variables (global passwords - aka for all jobs, and job passwords) with only the EnvInject plugin.

            Process in your job configuration:
            > Build Environment > Inject passwords to the build as environment variables

            gbois Gregory Boissinot made changes -
            Status Reopened [ 4 ] Resolved [ 5 ]
            Resolution Fixed [ 1 ]
            nnau Natalia Naumova added a comment - - edited

            Gregory, thanks for the explanation, but it doesn't work for me.
            I tried to use 'Build Environment > Inject passwords to the build as environment variables' configuration, but the passwords are still displayed in plain text on the "Injected Environment Variables" page.
            How can I hide them there? It's really a very important thing for us.

            P.S.: they are masked on console page though.
            P.P.S.: noticed that they are visible only when job is running. When the job is finished, the password variable is displayed like a hash. Is it secure?

            scm_issue_link SCM/JIRA link daemon added a comment -

            Code changed in jenkins
            User: Gregory Boissinot
            Path:
            src/main/resources/org/jenkinsci/plugins/envinject/EnvInjectVarList/index.jelly
            http://jenkins-ci.org/commit/envinject-plugin/aa6061cd7880be3ba205249d3a7b2a66605280af
            Log:
            Fix JENKINS-12423 complement
            No display environment variables when the job is building (enable to mask password)

            Compare: https://github.com/jenkinsci/envinject-plugin/compare/4c3e2de...aa6061c

            gbois Gregory Boissinot added a comment -

            You're right.
            Environment variables were displayed when the job is running and password variables were not masked.
            All env vars are hidden for now when the job is running.
            It should fix your issue.
            Then, displayed values are encrypted. The hash value displayed is an encrypted value.

            nnau Natalia Naumova added a comment -

            Gregory, thank you very much for your quick help.
            Looking forward to trying it when the new version of the plugin is released.

            gbois Gregory Boissinot added a comment -

            It is already released. Please upgrade to 1.52 http://maven.jenkins-ci.org:8081/content/repositories/releases/org/jenkins-ci/plugins/envinject/1.52/

            walterk82 Walter Kacynski added a comment - - edited

            Running EnvInject 1.62 and Jenkins 1.473 and I'm still having an issue trying to get this to work. It seems that when using a parametrized build, the "password" type field is not being masked. If I use the masked password plugin the console output is correctly masked, but the unencrypted password ALWAYS shows on the Injected environment variables screen.

            walterk82 Walter Kacynski made changes -
            Resolution Fixed [ 1 ]
            Status Resolved [ 5 ] Reopened [ 4 ]
            gbois Gregory Boissinot added a comment -

            @Walter
            It seems you are using the maskpassword plugin via a parameterized type.
            This plugin is not compatible with the EnvInject plugin.
            Mask-password capabilities within EnvInject should be sufficient for your needs.
            You have to use Build Environment > Inject passwords to the build as environment variables

            walterk82 Walter Kacynski added a comment -

            I just want to clarify, I thought that a password parameter is from an Out-of-the-box Jenkins installation. I don't have the mask passwords plugin enabled.

            gbois Gregory Boissinot added a comment -

            If you don't use the maskpassword plugin, your comment is inappropriate in this issue.
            Please open a new issue.
            Thanks

            gbois Gregory Boissinot added a comment -

            This issue with the mask-password plugin is fixed.

            gbois Gregory Boissinot made changes -
            Status Reopened [ 4 ] Resolved [ 5 ]
            Resolution Fixed [ 1 ]
            walterk82 Walter Kacynski added a comment -

            Agreed, sorry for the confusion, I will give 1.65 a try.

            walterk82 Walter Kacynski added a comment -

            Version 1.65 is working as I would expect it. Thank-You!

            walterk82 Walter Kacynski made changes -
            Status Resolved [ 5 ] Closed [ 6 ]
            jglick Jesse Glick made changes -
            Link This issue is related to JENKINS-23447 [ JENKINS-23447 ]
            rtyler R. Tyler Croy made changes -
            Workflow JNJira [ 142789 ] JNJira + In-Review [ 205610 ]
            ircbot Jenkins IRC Bot made changes -
            Component/s p4-plugin [ 19224 ]
            Component/s perforce-plugin [ 15506 ]

              People

              • Assignee:
                gbois Gregory Boissinot
                Reporter:
                rmyung Roger Myung