JENKINS-27631

Do not even temporarily save secrets in Workflow build record

      Description

      Currently when you use withCredentials with e.g. UsernamePasswordMultiBinding, the secret is saved in program.dat for the duration of the block. It is later removed, but it would be safer if it were guaranteed to never be persisted at all. That seems to require an API change: either in EnvVars to allow a given variable to be directly marked as secret and thus to be persisted only via Secret, or by lifting up sensitiveBuildVariables from AbstractBuild to Run, or by allowing BodyInvoker.withContext to provide something like an environment variable factory rather than a raw EnvVars.
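An added example (not code from this issue or from the Jenkins project): a defender-side check for the exposure described above, which binds a throwaway canary credential and then scans every `program.dat` under a build directory for its bytes. The root path, the canary value and the function names are hypothetical, and the scan assumes a cleartext secret would appear as its UTF-8 or UTF-16 bytes; a compressed or otherwise transformed encoding would not be caught.

```python
import os
import tempfile

def scan_build_records(root, canary, filename="program.dat", chunk=1 << 20):
    """Return sorted (path, encoding) pairs for each record containing the canary."""
    if not canary:
        raise ValueError("canary must be a non-empty string")
    # Assumption: a secret persisted in the clear shows up in one of these byte forms.
    needles = {enc: canary.encode(enc) for enc in ("utf-8", "utf-16-be", "utf-16-le")}
    overlap = max(len(n) for n in needles.values()) - 1
    hits = set()
    for dirpath, _dirs, files in os.walk(root):
        if filename not in files:
            continue
        path = os.path.join(dirpath, filename)
        tail = b""
        with open(path, "rb") as fh:
            for block in iter(lambda: fh.read(chunk), b""):
                window = tail + block
                for enc, needle in needles.items():
                    if needle in window:
                        hits.add((path, enc))
                # Carry enough bytes forward to catch a match split across chunks.
                tail = window[-overlap:]
    return sorted(hits)

def demo():
    """Constructed sample: two fake build directories, one holding the canary."""
    canary = "CANARY-7f3a-not-a-real-secret"  # constructed value, never a real credential
    with tempfile.TemporaryDirectory() as root:
        leaky = os.path.join(root, "builds", "1")
        clean = os.path.join(root, "builds", "2")
        os.makedirs(leaky)
        os.makedirs(clean)
        with open(os.path.join(leaky, "program.dat"), "wb") as fh:
            fh.write(b"\x00\x01constructed" + canary.encode("utf-8") + b"\x00tail")
        with open(os.path.join(clean, "program.dat"), "wb") as fh:
            fh.write(b"\x00\x01constructed, no secret here")
        found = scan_build_records(root, canary)
        return [(os.path.relpath(p, root), enc) for p, enc in found]

if __name__ == "__main__":
    print(demo())
```

Run the scan while a build is paused inside the credentials block, since that is the window in which the description says the secret is on disk.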

            Activity

            jglick Jesse Glick created issue -
            jglick Jesse Glick made changes -
            Field Original Value New Value
            Remote Link This issue links to "PR 5 (Web Link)" [ 12186 ]
            jglick Jesse Glick made changes -
            Link This issue is related to JENKINS-26128 [ JENKINS-26128 ]
            jglick Jesse Glick made changes -
            Status Open [ 1 ] In Progress [ 3 ]
            jglick Jesse Glick made changes -
            Remote Link This issue links to "PR 6 (Web Link)" [ 12202 ]
            scm_issue_link SCM/JIRA link daemon made changes -
            Status In Progress [ 3 ] Resolved [ 5 ]
            Resolution Fixed [ 1 ]
            jglick Jesse Glick made changes -
            Link This issue is related to JENKINS-28719 [ JENKINS-28719 ]
            rtyler R. Tyler Croy made changes -
            Workflow JNJira [ 161843 ] JNJira + In-Review [ 196881 ]
            abayer Andrew Bayer made changes -
            Labels api security workflow api pipeline security workflow
            abayer Andrew Bayer made changes -
            Labels api pipeline security workflow api pipeline security

              People

              • Assignee:
                jglick Jesse Glick
                Reporter:
                jglick Jesse Glick