  1. Jenkins
  2. JENKINS-20002

Build Environment plugin will display parameterized build parameter of type "password" values


      Description

      We had to disable the Build Environment plugin: https://wiki.jenkins-ci.org/display/JENKINS/Build+Environment+Plugin

      We have a parametrized build, one of the parameters is a 'password' type. Jenkins makes other efforts to not show the password in the log. However, this plugin shows it plain as day when you click "Environment Variables".

      If this is considered a valid issue, and it is fixed, we would like to know so we can re-enable the plugin.

            Activity

            alwaystraining Derrick Karimi created issue -
            jglick Jesse Glick made changes -
            Field Original Value New Value
            Project Security Issues [ 10180 ] Jenkins [ 10172 ]
            Key SECURITY-97 JENKINS-20002
            Workflow jira [ 151470 ] JNJira [ 151524 ]
            Component/s build-environment [ 17667 ]
            Component/s plugins [ 17329 ]
            jglick Jesse Glick added a comment -

            Moving out of the SECURITY project since there is no real vulnerability here, at least once you know about the issue, so there is no purpose in concealing progress prior to the fix.

            I think this plugin should be checking AbstractBuild.getSensitiveBuildVariables.

            jglick Jesse Glick made changes -
            Labels security
            jglick Jesse Glick added a comment -

            Recently filed JENKINS-19830 is similar.

            jglick Jesse Glick made changes -
            Link This issue is related to JENKINS-19830 [ JENKINS-19830 ]
            boev Yordan Boev added a comment -

            The plugin does not display variables containing: "PASS" "KEY" "SECRET" "ENCRYPTED". I will look into it and change it so that it uses AbstractBuild.getSensitiveBuildVariables.

            boev Yordan Boev made changes -
            Assignee Kohsuke Kawaguchi [ kohsuke ] Yordan Boev [ boev ]
            boev Yordan Boev made changes -
            Status Open [ 1 ] In Progress [ 3 ]
            boev Yordan Boev added a comment - - edited

            Now the plugin searches and masks all variables marked as sensitive, so that they are not visible in the tables. They are also not visible in the code, meaning the real value cannot be retrieved programmatically.

            boev Yordan Boev made changes -
            Status In Progress [ 3 ] Resolved [ 5 ]
            Fix Version/s current [ 10162 ]
            Resolution Fixed [ 1 ]
            rtyler R. Tyler Croy made changes -
            Workflow JNJira [ 151524 ] JNJira + In-Review [ 193944 ]
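
The difference between the two approaches discussed in the comments above, as an added example that is not the plugin's code or part of the original thread: hiding variables by name fragment versus masking the variables the build itself declares sensitive. The class, method and variable names and the sample data are hypothetical, the case-insensitive name match is an assumption, and the two inputs stand in for what `AbstractBuild.getBuildVariables()` and `AbstractBuild.getSensitiveBuildVariables()` would supply inside a plugin.

```java
import java.util.LinkedHashMap;
import java.util.List;
import java.util.Locale;
import java.util.Map;
import java.util.Set;

public class SensitiveVariableMasking {
    static final String MASK = "********";
    // Name fragments quoted in the thread as the plugin's original filter.
    static final List<String> NAME_HINTS = List.of("PASS", "KEY", "SECRET", "ENCRYPTED");

    // Before (model of the described behaviour): drop a variable from the
    // display only when its name contains one of the fragments.
    static Map<String, String> filterByName(Map<String, String> vars) {
        Map<String, String> shown = new LinkedHashMap<>();
        vars.forEach((name, value) -> {
            String upper = name.toUpperCase(Locale.ROOT);
            boolean hinted = NAME_HINTS.stream().anyMatch(upper::contains);
            if (!hinted) shown.put(name, value);
        });
        return shown;
    }

    // After: mask by the declared sensitivity of the parameter, whatever its name.
    static Map<String, String> maskSensitive(Map<String, String> vars, Set<String> sensitive) {
        Map<String, String> shown = new LinkedHashMap<>();
        vars.forEach((name, value) -> shown.put(name, sensitive.contains(name) ? MASK : value));
        return shown;
    }

    public static void main(String[] args) {
        // Constructed sample data; none of these names or values come from the issue.
        Map<String, String> vars = new LinkedHashMap<>();
        vars.put("BRANCH", "main");
        vars.put("DEPLOY_TOKEN", "constructed-secret-value"); // password-type parameter
        vars.put("KEYBOARD_LAYOUT", "us");                    // not a secret
        Set<String> sensitive = Set.of("DEPLOY_TOKEN");

        System.out.println("name filter:    " + filterByName(vars));
        System.out.println("sensitive mask: " + maskSensitive(vars, sensitive));
    }
}
```

With this sample, the name filter still shows `DEPLOY_TOKEN` in clear text and hides the harmless `KEYBOARD_LAYOUT`, while the sensitive-set version masks exactly the password-type parameter.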

              People

              • Assignee:
                boev Yordan Boev
                Reporter:
                alwaystraining Derrick Karimi