Jenkins / JENKINS-25821

Global Mask Passwords are visible as plain text in Environment Variables tab


    Details

    • Type: Bug
    • Status: Resolved
    • Priority: Major
    • Resolution: Fixed
    • Labels:
      None
    • Environment:
      Jenkins version 1.591
      Mask Password plugin version - 2.7.2
      Environment Injector Plugin - 1.9

      Description

      Global Mask Passwords are visible as plain text in the Environment Variables tab.
      You need to go to the job, then click on a specific build; in the left menu there is an Environment Variables tab. Inside this table the mask password can be read as plain text.

      Passwords which are passed to the job as a Password parameter are coded in this tab.

            Activity

            betaprogrammers_mstruensee Matthew Struensee added a comment - - edited

            Off-Topic Response:
            Yes I know, that is how I was trying to test this. This also works like this for the Credentials Plugin.

            When I do "Execute Windows batch command"

                @echo off
                echo MASKED_PASSWORD:%MASKED_PASSWORD%
                echo MASKED_PASSWORD:%MASKED_PASSWORD%>%WORKSPACE%/MASKED_PASSWORD_CMD.txt

            I get this:
            Jenkins console output -> MASKED_PASSWORD:********
            File contents -> MASKED_PASSWORD:1234567890qwertyuiop

            When I do "Invoke Gradle script"

                class MaskedPasswords {
                    static void main(String[] args) {
                        // Print the variable to the console
                        println "MASKED_PASSWORD: ${System.getenv().get('MASKED_PASSWORD')}"
                        // Write the same value to a file in the workspace
                        def file = new File("${System.getenv().get('WORKSPACE')}/MASKED_PASSWORD.txt")
                        if (file.exists()) {
                            file.delete()
                        }
                        file.withWriter('utf-8') {
                            it.writeLine "MASKED_PASSWORD: ${System.getenv().get('MASKED_PASSWORD')}"
                        }
                    }
                }

            I get this:
            Jenkins console output -> MASKED_PASSWORD: ********
            File Contents -> MASKED_PASSWORD: ********

            So using it via Groovy script gets the *'s vs 1234567890qwertyuiop.

            Edit: When I pass it as args via build.gradle -> main args, the ******* is translated into the dir command and my args turn into all files/folder names in the workspace vs just a string that contains 8 *'s...

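The batch result in the comment above (asterisks on the console, the real value in the file) can be reproduced with a small model. This is an added sketch, not part of the thread or of any plugin's code: it assumes masking is a filter on the console log stream, and `mask_console`, `build_step`, `run_build` and `find_leaks` are hypothetical names; the secret is the sample value from the comment.

```shell
#!/bin/sh
# Constructed sample value, standing in for the global masked password.
MASKED_PASSWORD='1234567890qwertyuiop'
export MASKED_PASSWORD

# Model of console masking: rewrite the log stream, replacing every literal
# occurrence of the secret with asterisks. The environment is left untouched.
mask_console() {
    MASK_SECRET="$1" awk '
        BEGIN { s = ENVIRON["MASK_SECRET"]; n = length(s) }
        {
            out = ""
            while (n > 0 && (i = index($0, s)) > 0) {
                out = out substr($0, 1, i - 1) "********"
                $0 = substr($0, i + n)
            }
            print out $0
        }'
}

# The build step from the comment: one line to the console, one to a file.
build_step() {
    echo "MASKED_PASSWORD:$MASKED_PASSWORD"
    echo "MASKED_PASSWORD:$MASKED_PASSWORD" > "$1/MASKED_PASSWORD_CMD.txt"
}

# Run the step in workspace $1 and print what the console log would show.
run_build() {
    build_step "$1" | mask_console "$MASKED_PASSWORD"
}

# Audit: list workspace files that contain the secret. The pattern is fed on
# stdin so the secret does not appear in grep's argument list.
find_leaks() {
    printf '%s\n' "$MASKED_PASSWORD" | grep -rlF -f - "$1"
}

ws=$(mktemp -d)
echo "console: $(run_build "$ws")"
echo "files containing the secret:"
find_leaks "$ws"
rm -rf "$ws"
```

Running a check like `find_leaks` over workspaces and archived artifacts shows which jobs have already written the value to disk, independent of what the console log displays.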
            betaprogrammers_mstruensee Matthew Struensee added a comment -

            Is the above the intended design?

            betaprogrammers_mstruensee Matthew Struensee added a comment - - edited

            I don't want to sound annoying or anything but I am curious if you plan to make a change to solve this issue or if this is the intended design. We currently have a lot of pipelines with passwords exposed and would like to know if we need to redesign our pipelines/scripts or if we can wait for a fix from you.

            Thanks.

            oleg_nenashev Oleg Nenashev added a comment - - edited

            @Matthew Struensee
            I suppose the fix for JENKINS-27382 solves your issue (envinject-1.92.1)

            betaprogrammers_mstruensee Matthew Struensee added a comment -

            Thank you. I ran some tests on a local dev Jenkins and everything seems to be working as expected. I will do final tests at work tomorrow for the dev pipelines there. Thank you for the quick response!


              People

              • Assignee: gbois Gregory Boissinot
              • Reporter: trwandrzej Andrzej Obstoj
              • Votes: 8
              • Watchers: 14
