JENKINS-19830: Masked Password visible as plain text in Msbuild Plugin

      Description

            • VERY CRITICAL *****

      Masked Password Clearly visible.

      When "Pass build variables as properties" is marked as true, the global password will be clearly visible in console output. It was found in version 1.20; it was not in version 1.16.

      Please Fix this issue as soon as possible, as it is a security threat for us.

      For reference, I am attaching an image in which the globally declared password is clearly visible in the msbuild command,

      but it is not visible when I echo it in a Windows batch command.

            Activity

            jglick Jesse Glick added a comment -

            I can find no indication that this plugin makes any attempt to mask anything or in fact knows anything about passwords. Where is this GlobalBuildPassword being defined? If in some other plugin, or other part of your job config, then you must not use the Pass build variables as properties option, since the MSBuild plugin has no way of knowing that some of those variables are intended to be secret. (It could mask all properties it is sending, though this could complicate debugging for the presumably much more frequent case that no secrets are being passed around.) Or pass your password to the job in some other way, not as a build variable.

            arpitgold Arpit Nagar added a comment -

            GlobalPassword is declared in the Jenkins configuration as a Global Password; it may be by the EnvInject plugin.
            It worked before upgrading to 1.20 (on 1.16).

            jglick Jesse Glick added a comment -

            Unfortunately there is no way for the EnvInject plugin to tell other plugins that a particular environment variable it defined was intended to be a password and therefore should not be displayed in command lines and so forth. So you just should not use these features in combination.

            You could use the Plain Credentials plugin (currently in beta on the experimental update center) to pass a password in a file, in which case the environment variable which gets the location (not contents) of that file could pretty safely be converted to a command-line option; the build script would then need to load the password from the defined property.

            I am not sure what exactly would have “worked” in an earlier version of the MSBuild plugin, other than that you might not have even had the option to pass environment variables as properties.

            arpitgold Arpit Nagar added a comment -

            This is a critical issue, as the option is checked by default and it is wrapped in the advanced settings. So it will also work if the default parameter is marked as unchecked.

            jglick Jesse Glick added a comment -

            Moving out of SECURITY component since the plugin is working as designed and there is no real attack vector here.

            jglick Jesse Glick added a comment -

            Filed pull #10.

            scm_issue_link SCM/JIRA link daemon added a comment -

            Code changed in jenkins
            User: Jesse Glick
            Path:
            src/main/resources/hudson/plugins/msbuild/MsBuildBuilder/config.jelly
            src/main/webapp/help-BuildVariablesAsProperties.html
            http://jenkins-ci.org/commit/msbuild-plugin/b37dba21830d9343b4d619904ad687428111feb7
            Log:
            JENKINS-19830 Warn about passwords in log.

            scm_issue_link SCM/JIRA link daemon added a comment -

            Code changed in jenkins
            User: Gregory Boissinot
            Path:
            src/main/resources/hudson/plugins/msbuild/MsBuildBuilder/config.jelly
            src/main/webapp/help-BuildVariablesAsProperties.html
            http://jenkins-ci.org/commit/msbuild-plugin/f30df9df32575d31af3211e8f79f5cbea48c69b6
            Log:
            Merge pull request #10 from jglick/mask-args-JENKINS-19830

            [FIXED JENKINS-19830] Warn about passwords in log

            Compare: https://github.com/jenkinsci/msbuild-plugin/compare/b1b89b77e0d8...f30df9df3257

            jglick Jesse Glick added a comment -

            Just discovered AbstractBuild.getSensitiveBuildVariables which I guess could be used for this purpose.
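
The masking idea raised in the comment above, as an added example that is not part of the thread and is not the MSBuild plugin's code: plain Java with hypothetical names (`MaskedPropertyArgs`, `propertyArgs`, `forLog`). The `sensitive` set is assumed to stand in for the names that `AbstractBuild.getSensitiveBuildVariables` would supply, and the sample variables are constructed.

```java
import java.util.*;

/** Added illustration; every name in this class is hypothetical. */
public class MaskedPropertyArgs {

    /** Command-line tokens plus a parallel flag saying which tokens to hide in logs. */
    static final class Args {
        final List<String> tokens = new ArrayList<>();
        final List<Boolean> masked = new ArrayList<>();

        void add(String token, boolean mask) {
            tokens.add(token);
            masked.add(mask);
        }

        /** The line written to the console: masked tokens are replaced wholesale. */
        String forLog() {
            StringJoiner line = new StringJoiner(" ");
            for (int i = 0; i < tokens.size(); i++) {
                line.add(masked.get(i) ? "********" : tokens.get(i));
            }
            return line.toString();
        }
    }

    /** Turns build variables into /p:NAME=VALUE tokens, masking the sensitive ones. */
    static Args propertyArgs(Map<String, String> buildVars, Set<String> sensitive) {
        Args args = new Args();
        args.add("msbuild.exe", false);
        // Sorted so the generated command line is stable from run to run.
        for (Map.Entry<String, String> e : new TreeMap<>(buildVars).entrySet()) {
            // The whole token is masked, so neither the name nor the value is logged.
            args.add("/p:" + e.getKey() + "=" + e.getValue(), sensitive.contains(e.getKey()));
        }
        return args;
    }

    public static void main(String[] unused) {
        // Constructed sample data; the names and values are made up.
        Map<String, String> vars = new HashMap<>();
        vars.put("Configuration", "Release");
        vars.put("GlobalBuildPassword", "not-a-real-secret");
        Set<String> sensitive = Collections.singleton("GlobalBuildPassword");

        Args args = propertyArgs(vars, sensitive);
        System.out.println("executed: " + args.tokens);   // the real argv keeps the value
        System.out.println("logged:   " + args.forLog()); // the console line hides it
    }
}
```

Masking of this kind only changes what is written to the console log; the value is still present on the process command line, which is why the thread also suggests passing the password in a file.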

            scm_issue_link SCM/JIRA link daemon added a comment -

            Code changed in jenkins
            User: Gregory Boissinot
            Path:
            src/main/java/hudson/plugins/msbuild/MsBuildBuilder.java
            src/main/resources/hudson/plugins/msbuild/MsBuildBuilder/help-buildVariablesAsProperties.html
            src/main/resources/hudson/plugins/msbuild/MsBuildBuilder/help-buildVariablesAsProperties_fr.html
            http://jenkins-ci.org/commit/msbuild-plugin/03fdb89ecc2dd3a0eb06aae099baf5d90f930f49
            Log:
            Fix JENKINS-19830


              People

              • Assignee: kdsweeney
              • Reporter: Arpit Nagar (arpitgold)