JENKINS-13817: Jenkins Displays Accurev Password in Logs

    Details

    • Type: Bug
    • Status: Resolved
    • Priority: Critical
    • Resolution: Fixed
    • Component/s: accurev-plugin
    • Labels:
      None
    • Environment:
      windows
      Description

      When an accurev command fails, it displays the user's password in plain text. You can see below that the password is properly obscured (with asterisks) when the authentication takes place.

      Unfortunately, the password is actually displayed in the fatal network error line. Note that I manually changed it to ^^^^ when I pasted the text into this bug report.

      Error text:

      Started by user anonymous
      Building remotely on TestReport in workspace D:\jenkins-slave\workspace\Test_Report_06_04_00_Budgeting_kvh223_WFOP_Macys_ora
      Purging workspace...
      Workspace purged.
      Setting ACCUREV_HOME to "D:\jenkins-slave\workspace"
      Authenticating with Accurev server...
      [Test_Report_06_04_00_Budgeting_kvh223_WFOP_Macys_ora] $ "C:\Program Files (x86)\AccuRev\bin\accurev.exe" login -H engaccurev:5051 tim.johnston ********
      FATAL: network error - Can't connect to engaccurev.kronos.com for accurev: The operation completed successfully.
      Attempt to contact AccuRev server on engaccurev port 5051 failed.
      Giving up.
      AccuRev Error: 1

      FATAL: login ("C:\Program Files (x86)\AccuRev\bin\accurev.exe" login -H engaccurev:5051 tim.johnston ^^^^^^^) failed with exit code 1
      Archiving artifacts
      Recording test results
      Notifying upstream projects of job completion
      Finished: FAILURE

          Activity

          dsimmon David Simmon added a comment -

          I too have found this password unmasked in the emails that are sent. I've never used GitHub, so I don't know if this is something I can look for, and submit a bug fix to, but I wanted to add where I was seeing this issue.

          We had a network connectivity issue, and when it sent an email that the build failed it included the command that was executed twice. The first time it masked the password.
          Authenticating with Accurev server...
          [workspace] $ "C:\Program Files (x86)\AccuRev\bin\accurev.exe" login -H ACCUREVSERVERNAME:5050 dsimmon ********

          Then at the bottom of the email it dumped out the full command with the password unmasked.
          FATAL: login ("C:\Program Files (x86)\AccuRev\bin\accurev.exe" login -H ACCUREVSERVERNAME:5050 dsimmon UNMASKEDPASSWORDWASDISPLAYEDHERE) failed with exit code 1

          casz Joseph Petersen (old) added a comment -

          PR #28 includes a fix that will mask the password

          scm_issue_link SCM/JIRA link daemon added a comment -

          Code changed in jenkins
          User: Joseph
          Path:
          src/main/java/hudson/plugins/accurev/AccurevLauncher.java
          src/main/java/hudson/plugins/accurev/AccurevPlugin.java
          src/main/java/hudson/plugins/accurev/AccurevSCM.java
          src/main/java/hudson/plugins/accurev/AccurevStream.java
          src/main/java/hudson/plugins/accurev/AccurevTransaction.java
          src/main/java/hudson/plugins/accurev/ParseChangeLog.java
          src/main/java/hudson/plugins/accurev/UUIDUtils.java
          src/main/java/hudson/plugins/accurev/cmd/Login.java
          src/main/java/hudson/plugins/accurev/cmd/PopulateCmd.java
          src/main/java/hudson/plugins/accurev/cmd/ShowStreams.java
          src/main/java/hudson/plugins/accurev/delegates/AbstractModeDelegate.java
          src/main/java/hudson/plugins/accurev/delegates/ReftreeDelegate.java
          src/main/java/hudson/plugins/accurev/delegates/SnapshotDelegate.java
          src/main/java/hudson/plugins/accurev/delegates/WorkspaceDelegate.java
          src/main/java/hudson/plugins/accurev/parsers/xml/ParseShowStreams.java
          src/main/java/hudson/plugins/jetty/security/Password.java
          src/main/resources/hudson/plugins/accurev/AccurevSCM/config.jelly
          src/main/resources/hudson/plugins/accurev/AccurevSCM/global.jelly
          http://jenkins-ci.org/commit/accurev-plugin/b8296bb9c55c924f48c91356fe9ba7d9e35d4298
          Log:
          Merged PR #28 from casz/master

          • JENKINS-28118 Fixed poll on ancestor

          Poll failed searching in parents when “Show one stream at a time” was
          checked.
          Fixed regression in PR #25

          • Improved logic for Workspace

          Was not working with “One stream at a time” settings.

          • Fixed Change log on Ignore Parent

          getChangesFromStreams did not respect Ignore Stream Parent.

          • Fixed getStreamRules.

          IgnoreStreamParent should be the first to be considered, then One
          Stream at a time on server, then find all streams.

          • JENKINS-31316 Fixed server rename

          Introduced unique identifiers, also added a migrator to ensure best
          compatibility moving forward.

          • Fixed backwards compatibility

          Made the Server UUID change fully backwards compatibility :tada:

          • JENKINS-13817 Mask the damn password already

          I cannot believe this has been open since 2012...

          • StringUtils used
          • Allow empty password even with OBF
          • Javadoc and removed unused migrate field
          • JENKINS-24710 filter out dispatch transactions

          These usually originate from accurev sync.

          • PR #24 fix PollOnMaster enabled when build using workspace

          builds that use workspace or reftree definitely requires workspace even
          if PollOnMaster enabled.

          casz Joseph Petersen (old) added a comment -

          This should be fixed in the latest version. If they start to reappear, please reopen.

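
A log-audit check for the pattern reported in this issue, as an added example (not code from the accurev-plugin or from anyone in this thread): it pairs each masked command echo with a later "FATAL: ... failed with exit code" line and redacts whatever sits where the echo had asterisks. The function name scrub, the sample log lines and the password Example-Secret-1 are constructed for illustration.

```python
import re

MASK = "********"
ECHO = re.compile(r"^\s*\[[^\]]*\] \$ (?P<cmd>.+)$")
FATAL = re.compile(r"^(?P<pre>\s*FATAL: \w+ \()(?P<cmd>.+)"
                   r"(?P<post>\) failed with exit code \d+\s*)$")
TOKEN = re.compile(r'"[^"]*"|\S+')  # a quoted path or a bare word


def scrub(lines):
    """Return (clean_lines, leak_line_numbers); the secret itself is never returned."""
    masked_cmds, clean, leaks = [], [], []
    for number, line in enumerate(lines, 1):
        echo = ECHO.match(line)
        if echo and MASK in TOKEN.findall(echo["cmd"]):
            masked_cmds.append(TOKEN.findall(echo["cmd"]))
        fatal = FATAL.match(line)
        for ref in (reversed(masked_cmds) if fatal else ()):  # newest echo first
            toks = TOKEN.findall(fatal["cmd"])
            i = ref.index(MASK)                # argument position the echo masked
            tail = len(ref) - i - 1            # arguments that follow the mask
            secret = toks[i:len(toks) - tail]  # spans tokens if it contains spaces
            if (toks[:i] == ref[:i] and toks[len(toks) - tail:] == ref[i + 1:]
                    and secret and secret != [MASK]):
                # Same command, but the masked slot holds something else: redact.
                line = fatal["pre"] + " ".join(ref) + fatal["post"]
                leaks.append(number)
                break
        clean.append(line)
    return clean, leaks


# Constructed sample modelled on the build log and e-mail quoted in this issue.
CMD = (r'"C:\Program Files (x86)\AccuRev\bin\accurev.exe" '
       r'login -H ACCUREVSERVERNAME:5050 builduser ')
SAMPLE_LOG = [
    "Authenticating with Accurev server...",
    "[workspace] $ " + CMD + MASK,
    "FATAL: network error - Can't connect to ACCUREVSERVERNAME for accurev",
    "FATAL: login (" + CMD + "Example-Secret-1) failed with exit code 1",
]

if __name__ == "__main__":
    cleaned, leak_lines = scrub(SAMPLE_LOG)
    print("leaked on lines:", leak_lines)
    print("\n".join(cleaned))
```

The same function can be run over the text of build-failure e-mails, since the comment above shows they carry both lines.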

            People

            • Assignee: jetersen Joseph Petersen
            • Reporter: timjohnston tim johnston
            • Votes: 3
            • Watchers: 6
