JENKINS-27382

EnvInjectPluginAction::buildEnvVars() injects masks instead of passwords to the environment


      Description

      I created a local and global password.
      In a shell step the password can be used successfully.
      In the next build step of my build I have the Gradle plugin, the password arrives as asterisks.

      As a work-around I have switched to use the MaskPassword plugin.

      Test Script build.gradle:

      task showGlobalEnv << {
          // Compare the injected variable with the expected value, then print it character by character
          println 'Test match:' + (System.env.TEST_ENV == 'T123')
          System.env.TEST_ENV.each { println it }
      }

      Output from version 1.90 (successful):
      Test match:true
      T
      1
      2
      3

      Output from version 1.91 (failure):
      Test match:false
      *
      *
      *
      *
      *
      *
      *
      *


            Activity

            fnawroth_bp Felix Nawroth added a comment -

            The same happens with envinject 1.91.1 and maven 2.8/2.9, Jenkins 1.596.2. No difference whether the password is defined locally or globally.

            Passing the passwords as JVM parameters works (-Dsecret=${PASSWD_VAR}), while accessing the environment variable in Maven does not and will yield asterisks instead.

            kmayfiel_ibm Kevin Mayfield added a comment -

            I experienced the same when invoking Gradle with the Gradle plugin, and options of -Pmvn_password=${MVN_PASSWORD}.
            Reverted back to 1.90 to solve problem.

            kmayfiel_ibm Kevin Mayfield added a comment -

            Problem still exists in 1.91.2

            aleksandr85 Aleksandr Borovkov added a comment -

            Problem still exists in 1.91.3.
            The password arrives as asterisks when using the msbuild plugin.
            Reverted back to 1.90 to solve the problem.

            it12lsp Christian Häussler added a comment -

            +1

            christek91 Christopher Miller added a comment -

            We just upgraded from 1.90 to 1.94 and the problem cropped up. Going to rollback to 1.90. This makes the sensitive variable functionality useless outside of the Execute Shell step. The password is passed as **** to all other plugins that make use of the EnvVars object.

            schristou Steven Christou added a comment -

            I believe this is a regression from commit d50c5. I did a git checkout for each commit between 1.90 and 1.91, and found this commit to inject the * characters.

            recena Manuel Recena Soto added a comment - - edited

            Marcus Collins

            I've tried to reproduce the bug in this environment: Jenkins ver. 1.532.3, Gradle Plugin 1.24 and EnvInject Plugin 1.92 (latest release).

            With this build.gradle and Gradle 2.5:

            task showGlobalEnv << {
                println 'Test match:' + (System.env.TEST_ENV == 'T123')
                System.env.TEST_ENV.each {
                    println it
                }
            }
            

            I get this result:

            recena@andromeda:~/projects/gradle-helloworld$ gradle -b build.gradle showGlobalEnv
            :showGlobalEnv
            Test match:false
            
            BUILD SUCCESSFUL
            
            Total time: 4.227 secs
            

            Probably, I'm doing something wrong. Any idea?

            My test

            Anyway, I've configured the following FreeStyleJob:

            1. Git repo: https://github.com/recena/gradle-helloworld
            2. Checks the option Inject environment variables to the build process
              1. In Properties Content field I've defined: VAR=VAR2
            3. Checks the option Inject passwords to the build as environment variables
              1. Checks the option Global passwords because I've defined also a global password: PASSWORDGLOBAL=PASSWORDGLOBAL
              2. Note: I have to investigate if the "Mask password parameters" option is working as I expect. Done
            4. Adds a Gradle Build step:
              1. Uses the option Invoke Gradle and selects Gradle 2.5
              2. In Tasks field I've defined the name of our task: showGlobalEnv
            5. Adds a SHELL step with:
              echo $VAR
              echo $PASSWORDLOCAL
              echo $PASSWORDGLOBAL
              
            Console output
            [EnvInject] - Inject global passwords.
            Started by user anonymous
            [EnvInject] - Loading node environment variables.
            Building in workspace /home/recena/projects/envinject-plugin/work/jobs/JENKINS-27382/workspace
             > git rev-parse --is-inside-work-tree # timeout=10
            Fetching changes from the remote Git repository
             > git config remote.origin.url https://github.com/recena/gradle-helloworld.git # timeout=10
            Fetching upstream changes from https://github.com/recena/gradle-helloworld.git
             > git --version # timeout=10
             > git -c core.askpass=true fetch --tags --progress https://github.com/recena/gradle-helloworld.git +refs/heads/*:refs/remotes/origin/*
            
             > git rev-parse refs/remotes/origin/master^{commit} # timeout=10
             > git rev-parse refs/remotes/origin/origin/master^{commit} # timeout=10
            Checking out Revision b6329ad258d2900df073bdd6bd3ef46dd9b7fcc5 (refs/remotes/origin/master)
             > git config core.sparsecheckout # timeout=10
             > git checkout -f b6329ad258d2900df073bdd6bd3ef46dd9b7fcc5
             > git rev-list b6329ad258d2900df073bdd6bd3ef46dd9b7fcc5 # timeout=10
            [EnvInject] - Executing scripts and injecting environment variables after the SCM step.
            [EnvInject] - Injecting as environment variables the properties content 
            VAR=VAR1
            
            [EnvInject] - Variables injected successfully.
            [Gradle] - Launching build.
            [workspace] $ /home/recena/projects/envinject-plugin/work/tools/hudson.plugins.gradle.GradleInstallation/Gradle_2.6/bin/gradle ******** ******** showGlobalEnv
            
            :showGlobalEnv
            VAR was injected using the field "Properties Content": VAR1
            V
            A
            R
            1
            PASSWORDLOCAL was injected using the option "Inject passwords": ********
            *
            *
            *
            *
            *
            *
            *
            *
            PASSWORDGLOBAL was injected using the option "Inject passwords": ********
            *
            *
            *
            *
            *
            *
            *
            *
            
            BUILD SUCCESSFUL
            
            Total time: 2.554 secs
            
            This build could be faster, please consider using the Gradle Daemon: https://docs.gradle.org/2.6/userguide/gradle_daemon.html
            Build step 'Invoke Gradle script' changed build result to SUCCESS
            [workspace] $ /bin/sh -xe /tmp/hudson5969723979230846787.sh
            
            + echo VAR1
            VAR1
            + echo ****
            ****
            + echo ****
            ****
            Finished: SUCCESS
            
            Environment Variables (URL: JOB_NAME/BUILD_ID/injectedEnvVars/)
            • VAR=VAR1
            • PASSWORDLOCAL=********
            • PASSWORDGLOBAL=********
            Environment Variables (FILESYSTEM: jobs/JOB_NAME/lastSuccessful/injectedEnvVars.txt)
            VAR=VAR1
            PASSWORDGLOBAL=********
            PASSWORDLOCAL=********
            

            /cc Steven Christou

            recena Manuel Recena Soto added a comment - - edited

            Reading the changelog I've understood how Mask password parameters should work.

            recena Manuel Recena Soto added a comment -

            Marcus Collins, I'd need feedback to understand where the bug is.

            oleg_nenashev Oleg Nenashev added a comment -

            The issue is in these two methods: https://github.com/jenkinsci/envinject-plugin/blob/master/src/main/java/org/jenkinsci/plugins/envinject/EnvInjectPluginAction.java#L46-L63

            Nicolas modified getEnvInjectVarList() in order to prevent the vars exposure to getTarget(). buildEnvVars() also uses this method => "********" sneaks into environment variables in some cases
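
The failure mode described in the comment above, modelled as an added example that is not the plugin's code and not part of the original thread: one masked accessor feeds both the display view and the build environment, so the mask replaces the secret. All class and method names here (InjectedVars, maskedView, buildEnvVarsBroken, buildEnvVarsFixed, looksMasked) are hypothetical, and the separated variant is one way to split the two uses, not the change merged for this issue.

```java
import java.util.*;

public class MaskLeakDemo {
    static final String MASK = "********";

    // Hypothetical stand-in for a build action that stores injected variables.
    static class InjectedVars {
        private final Map<String, String> vars = new TreeMap<>();
        private final Set<String> sensitive = new HashSet<>();

        void put(String key, String value, boolean secret) {
            vars.put(key, value);
            if (secret) sensitive.add(key);
        }

        // Display view: what a UI page or an injectedEnvVars.txt dump should show.
        Map<String, String> maskedView() {
            Map<String, String> out = new TreeMap<>(vars);
            for (String key : sensitive) out.put(key, MASK);
            return out;
        }

        // Regression pattern: the environment is built from the display view.
        void buildEnvVarsBroken(Map<String, String> env) { env.putAll(maskedView()); }

        // Separated pattern: the environment gets raw values, only display is masked.
        void buildEnvVarsFixed(Map<String, String> env) { env.putAll(vars); }
    }

    // Guard a build step can run first: detects a mask without printing the value.
    static boolean looksMasked(String v) {
        return v != null && !v.isEmpty() && v.chars().allMatch(c -> c == '*');
    }

    public static void main(String[] args) {
        InjectedVars action = new InjectedVars();
        action.put("VAR", "VAR1", false);
        action.put("TEST_ENV", "T123", true); // constructed sample secret
        Map<String, String> broken = new HashMap<>();
        Map<String, String> fixed = new HashMap<>();
        action.buildEnvVarsBroken(broken);
        action.buildEnvVarsFixed(fixed);
        System.out.println("broken env masked: " + looksMasked(broken.get("TEST_ENV")));
        System.out.println("fixed env match:   " + "T123".equals(fixed.get("TEST_ENV")));
        System.out.println("display view:      " + action.maskedView());
    }
}
```

A check like looksMasked at the start of a Gradle, Maven or msbuild step turns this regression into an immediate, explicit build failure instead of a downstream authentication error.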

            recena Manuel Recena Soto added a comment -

            Oleg Nenashev Thanks for your clue.

            A PR has been sent.

            oleg_nenashev Oleg Nenashev added a comment - - edited

            Adjusted the issue title. My gut feeling is that many other issues can be closed as duplicates.

            scm_issue_link SCM/JIRA link daemon added a comment -

            Code changed in jenkins
            User: Oleg Nenashev
            Path:
            src/main/java/org/jenkinsci/plugins/envinject/EnvInjectPluginAction.java
            http://jenkins-ci.org/commit/envinject-plugin/d0cfe58eb9f57b31b93ea6add47c43eb1cbc6728
            Log:
            Merge pull request #65 from recena/JENKINS-27382

            JENKINS-27382 EnvInjectPluginAction::buildEnvVars() injects masks instead of passwords to the environment

            Compare: https://github.com/jenkinsci/envinject-plugin/compare/3dcf5aee55ab...d0cfe58eb9f5

            oleg_nenashev Oleg Nenashev added a comment -

            Created JENKINS-30090 for tests.
            The fix has been released in 1.92.1


              People

              • Assignee: Manuel Recena Soto (recena)
              • Reporter: Marcus Collins (mbtc)
              • Votes: 9
              • Watchers: 14
