  1. Jenkins
  2. JENKINS-20002

Build Environment plugin will display parameterized build parameter of type "password" values

      Description

      We had to disable the Build Environment plugin: https://wiki.jenkins-ci.org/display/JENKINS/Build+Environment+Plugin

      We have a parametrized build, one of the parameters is a 'password' type. Jenkins makes other efforts to not show the password in the log. However, this plugin shows it plain as day when you click "Environment Variables".

      If this is considered a valid issue, and it is fixed, we would like to know so we can re-enable the plugin.

            Activity

            boev Yordan Boev added a comment - - edited

            Now the plugin searches and masks all variables marked as sensitive, so that they are not visible in the tables. They are also not visible in the code, meaning the real value cannot be retrieved programmatically.

            boev Yordan Boev added a comment -

            The plugin does not display variables containing: "PASS" "KEY" "SECRET" "ENCRYPTED". I will look into it and change it so that it uses AbstractBuild.getSensitiveBuildVariables.

            jglick Jesse Glick added a comment -

            Recently filed JENKINS-19830 is similar.

            jglick Jesse Glick added a comment -

            Moving out of the SECURITY project since there is no real vulnerability here, at least once you know about the issue, so there is no purpose in concealing progress prior to the fix.

            I think this plugin should be checking AbstractBuild.getSensitiveBuildVariables.
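
An added illustration, not part of the issue thread or the plugin's source: it contrasts the name-substring filter described in the comments with masking driven by the set of names the build declares sensitive. The class, method names and sample variables are constructed, and a plain `Set<String>` stands in for the result of `AbstractBuild.getSensitiveBuildVariables()`.

```java
import java.util.*;

public class EnvMaskingDemo {
    static final String MASK = "********";
    // Substrings the comment thread lists as the plugin's name-based filter.
    static final List<String> HINTS = List.of("PASS", "KEY", "SECRET", "ENCRYPTED");

    // Name heuristic: conceal a variable only when its name contains a hint.
    // (Concealed entries are shown masked here so both results are comparable.)
    static Map<String, String> maskByName(Map<String, String> env) {
        Map<String, String> out = new TreeMap<>();
        env.forEach((name, value) -> {
            String upper = name.toUpperCase(Locale.ROOT);
            out.put(name, HINTS.stream().anyMatch(upper::contains) ? MASK : value);
        });
        return out;
    }

    // Set-based: mask exactly the names the build reports as sensitive.
    // Assumption: in a plugin, 'sensitive' would be the Set<String> returned
    // by AbstractBuild.getSensitiveBuildVariables().
    static Map<String, String> maskBySensitiveSet(Map<String, String> env,
                                                  Set<String> sensitive) {
        Map<String, String> out = new TreeMap<>();
        env.forEach((name, value) ->
                out.put(name, sensitive.contains(name) ? MASK : value));
        return out;
    }

    public static void main(String[] args) {
        // Constructed sample environment for one parameterized build.
        Map<String, String> env = new LinkedHashMap<>();
        env.put("BUILD_NUMBER", "42");
        // Password-type parameter whose name matches none of the hints.
        env.put("DEPLOY_CRED", "constructed-sample-value");
        // Harmless variable whose name happens to contain "KEY".
        env.put("KEYBOARD_LAYOUT", "us");
        Set<String> sensitive = Set.of("DEPLOY_CRED");

        System.out.println("name heuristic: " + maskByName(env));
        System.out.println("sensitive set : " + maskBySensitiveSet(env, sensitive));
    }
}
```

The name heuristic leaves `DEPLOY_CRED` readable and needlessly hides `KEYBOARD_LAYOUT`; the set-based version masks only the parameter declared as a password.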


              People

              • Assignee:
                boev Yordan Boev
                Reporter:
                alwaystraining Derrick Karimi