
Security leak - passwords are visible in workspace (git / http)


      Description

Maven jobs with git SCMs using http URLs: the credentials are automatically attached to the URL for the remote repository. Thus the password is visible to all users who can read the workspace directory (see attachments).

I know that the password >has< to be set somewhere. I suggest forcing the use of ~/.netrc. This file is visible to the build admin only!

      Note: This is not identical with JENKINS-4428!


          Activity

          ndeloof Nicolas De Loof added a comment -

.netrc can only be set in $HOME, so you can't get N executors on the same slave to run distinct jobs with various credentials.
It's a pity git-cli doesn't let us pass the (lib)curl -u option.

In-memory git-credentials require dedicated software running on the slave, and are tricky for Windows users.
I was considering using the file-based git-credentials store https://www.kernel.org/pub/software/scm/git/docs/git-credential-store.html

git init+fetch to replace git clone is a simpler option at this time - I just discovered a fetch is required after clone anyway, see JENKINS-20502

          ndeloof Nicolas De Loof added a comment -

          git-credentials anyway can't be used to clone, as we need a git repository to store (local) git configuration and enable git-credentials support :-\
          so git init + fetch seems to be the best option.

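As an added example, not part of this issue or of the git plugin's own code: a POSIX shell audit of a workspace's .git/config for the leak described here (credentials embedded in the remote URL after a clone), beside the config that the init + fetch approach with a file-based credential store leaves behind. The file paths and the sample credential are constructed for the example.

```shell
#!/bin/sh
# Audit a workspace's .git/config for remote URLs that embed credentials,
# which is what `git clone https://user:password@host/...` leaves behind.
# Paths and the sample credential below are constructed, not real.

# Return 0 if the URL carries userinfo (user or user:password) before the host.
url_has_credentials() {
    printf '%s\n' "$1" | grep -Eq '^[A-Za-z][A-Za-z0-9+.-]*://[^/@]+@'
}

# Print every remote URL in a git config file that embeds credentials, with the
# password masked so the audit output does not leak it a second time.
# Returns 0 if at least one such URL was found, 1 otherwise.
scan_git_config() {
    leaks=$(sed -nE 's/^[[:space:]]*url[[:space:]]*=[[:space:]]*//p' "$1" \
        | grep -E '^[A-Za-z][A-Za-z0-9+.-]*://[^/@]+@' \
        | sed -E 's#(://[^/@:]+):[^/@]*@#\1:***@#')
    [ -n "$leaks" ] || return 1
    printf '%s\n' "$leaks"
}

# Constructed .git/config as left by cloning with credentials in the URL:
# anyone who can read the workspace can read the password.
write_leaky_config() {
    cat > "$1" <<'EOF'
[core]
    repositoryformatversion = 0
[remote "origin"]
    url = https://builduser:s3cr3t@example.invalid/team/app.git
    fetch = +refs/heads/*:refs/remotes/origin/*
EOF
}

# Constructed .git/config as left by `git init`, `git remote add`,
# `git config credential.helper 'store --file=<per-workspace file>'` and fetch:
# the URL carries no userinfo; the secret lives in the (mode 0600) store file.
write_clean_config() {
    cat > "$1" <<'EOF'
[core]
    repositoryformatversion = 0
[remote "origin"]
    url = https://example.invalid/team/app.git
    fetch = +refs/heads/*:refs/remotes/origin/*
[credential]
    helper = store --file=/var/lib/jenkins/workspace/app/.git-credentials
EOF
}
```

Run `scan_git_config path/to/.git/config` over each workspace; a non-zero exit means no embedded credentials were found.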
          scm_issue_link SCM/JIRA link daemon added a comment -

          Code changed in jenkins
          User: Nicolas De Loof
          Path:
          src/main/java/hudson/plugins/git/GitSCM.java
          http://jenkins-ci.org/commit/git-plugin/8799a3a374d0e79ff37e91b7bf54fbf494cc9495
          Log:
          JENKINS-20318 prefer git init+fetch
          only use clone when required by advanced behaviors

          scm_issue_link SCM/JIRA link daemon added a comment -

          Code changed in jenkins
          User: Nicolas De Loof
          Path:
          pom.xml
          http://jenkins-ci.org/commit/git-plugin/79e4261e5653825914299a92faf09c8ec5653a83
          Log:
          JENKINS-20318 use git-credentials-store

          markewaite Mark Waite added a comment -

          Is this now resolved? I'm definitely using the credentials plugin successfully with git-client-plugin 1.6.2 and git-plugin 2.0.1.


            People

• Assignee: ndeloof Nicolas De Loof
• Reporter: chrisabit chrisabit
• Votes: 2
• Watchers: 8