JENKINS-27631

Do not even temporarily save secrets in Workflow build record

      Description

      Currently when you use withCredentials with e.g. UsernamePasswordMultiBinding, the secret is saved in program.dat for the duration of the block. It is later removed, but it would be safer if it were guaranteed to never be persisted at all. That seems to require an API change: either in EnvVars to allow a given variable to be directly marked as secret and thus to be persisted only via Secret, or by lifting up sensitiveBuildVariables from AbstractBuild to Run, or by allowing BodyInvoker.withContext to provide something like an environment variable factory rather than a raw EnvVars.
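
The leak described above, and the effect of persisting a variable only in sealed form, as an added example that is not code from Jenkins or the credentials-binding plugin. `Sealed`, `KEY` and `leaks` are hypothetical stand-ins (for `Secret`, a key held outside the build record, and a search of `program.dat`), and plain Java serialization is assumed in place of however the build record is actually written.

```java
import java.io.*;
import java.nio.charset.StandardCharsets;
import java.security.*;
import java.util.HashMap;
import javax.crypto.*;
import javax.crypto.spec.*;

public class ProgramDatLeakDemo {
    static byte[] random(int n) { byte[] b = new byte[n]; new SecureRandom().nextBytes(b); return b; }
    // Assumption: stands in for a key that is kept outside the build record.
    static final SecretKey KEY = new SecretKeySpec(random(16), "AES");
    static Cipher cipher(int mode, byte[] iv) throws GeneralSecurityException {
        Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
        c.init(mode, KEY, new GCMParameterSpec(128, iv));
        return c;
    }

    /** Hypothetical wrapper: the plaintext is transient, only IV and ciphertext are serialized. */
    static final class Sealed implements Serializable {
        private transient String plain;
        Sealed(String plain) { this.plain = plain; }
        String reveal() { return plain; }
        private void writeObject(ObjectOutputStream out) throws IOException {
            byte[] iv = random(12); // fresh IV for every write
            try {
                out.writeObject(iv);
                out.writeObject(cipher(Cipher.ENCRYPT_MODE, iv).doFinal(plain.getBytes(StandardCharsets.UTF_8)));
            } catch (GeneralSecurityException e) { throw new IOException(e); }
        }
        private void readObject(ObjectInputStream in) throws IOException, ClassNotFoundException {
            byte[] iv = (byte[]) in.readObject();
            try {
                plain = new String(cipher(Cipher.DECRYPT_MODE, iv).doFinal((byte[]) in.readObject()), StandardCharsets.UTF_8);
            } catch (GeneralSecurityException e) { throw new IOException(e); }
        }
    }

    // Serialize the state as a persisted record would be, then search the bytes for the secret.
    static boolean leaks(Serializable state, String secret) throws IOException {
        ByteArrayOutputStream buf = new ByteArrayOutputStream();
        try (ObjectOutputStream out = new ObjectOutputStream(buf)) { out.writeObject(state); }
        return new String(buf.toByteArray(), StandardCharsets.ISO_8859_1).contains(secret);
    }
    public static void main(String[] args) throws IOException {
        String pw = "constructed-s3cr3t"; // constructed sample value, not a real credential
        HashMap<String, Serializable> raw = new HashMap<>(), sealed = new HashMap<>();
        raw.put("PASSWORD", pw);                // variable held as a plain String
        sealed.put("PASSWORD", new Sealed(pw)); // variable held only in sealed form
        System.out.println("raw leaks=" + leaks(raw, pw) + " sealed leaks=" + leaks(sealed, pw));
    }
}
```

The same byte search, pointed at a running build's persisted record with a known test credential, is a quick regression check that a binding never writes its plaintext to disk.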

            Activity

            scm_issue_link SCM/JIRA link daemon added a comment -

            Code changed in jenkins
            User: Jesse Glick
            Path:
            src/test/java/org/jenkinsci/plugins/credentialsbinding/impl/BindingStepTest.java
            http://jenkins-ci.org/commit/credentials-binding-plugin/16c180f4add799acc8d5f58b73e63dc285380ed9
            Log:
            JENKINS-27631 But demonstrating that it is stored temporarily.

            scm_issue_link SCM/JIRA link daemon added a comment -

            Code changed in jenkins
            User: Jesse Glick
            Path:
            pom.xml
            src/test/java/org/jenkinsci/plugins/credentialsbinding/impl/BindingStepTest.java
            http://jenkins-ci.org/commit/credentials-binding-plugin/40af344b6444edac754d8da7eda0ac238190f6f3
            Log:
            Merge pull request #5 from jglick/stronger-tests

            JENKINS-27631 Stronger tests

            Compare: https://github.com/jenkinsci/credentials-binding-plugin/compare/0baec040aa1b...40af344b6444

            scm_issue_link SCM/JIRA link daemon added a comment -

            Code changed in jenkins
            User: Jesse Glick
            Path:
            support/src/main/java/org/jenkinsci/plugins/workflow/support/pickles/SecretPickle.java
            http://jenkins-ci.org/commit/workflow-plugin/d60edde46f201facea46cc4029ee2b80b73d6a0f
            Log:
            Merge pull request #106 from jglick/SecretPickle-JENKINS-27631

            JENKINS-27631 Added SecretPickle

            Compare: https://github.com/jenkinsci/workflow-plugin/compare/42805fed800b...d60edde46f20

            scm_issue_link SCM/JIRA link daemon added a comment -

            Code changed in jenkins
            User: Jesse Glick
            Path:
            pom.xml
            src/main/java/org/jenkinsci/plugins/credentialsbinding/impl/BindingStep.java
            src/test/java/org/jenkinsci/plugins/credentialsbinding/impl/BindingStepTest.java
            http://jenkins-ci.org/commit/credentials-binding-plugin/6731df355d94236015616ce9fd072dd80834a2e8
            Log:
            [FIXED JENKINS-27631] Store variables as Secret so they do not appear in program.dat.


              People

              • Assignee:
                jglick Jesse Glick
                Reporter:
                jglick Jesse Glick