JENKINS-27869

entered SCM password should be masked in output

      Description

      I have an issue with password disclosure when using the M2 Release Plugin and entering the password.

      During the release build the SCM Password is passed to a child maven instance and unfortunately dumped in plain text (not masked) to the log output. I would expect that this password is masked using the 'Default' Jenkins mechanism but it is not.

      As an easy test I've changed the goal to be executed as "Release goals and options" to "help:system". If I now start a release build and enter the SCM username/password, I can read in the log:

      <===[JENKINS REMOTING CAPACITY]===>channel started
      
      Executing Maven:  -B -f /export/sbs/jenkins/home/workspace/am-test/pom.xml -DdevelopmentVersion=2-SNAPSHOT -DreleaseVersion=1 -Dusername=jenkins help:system -Dpassword=*********
      
      [INFO] Scanning for projects...
      
      [INFO] --- maven-help-plugin:2.2:system (default-cli) @ my-module ---
      ...
      ===============================================================================
      System Properties
      ===============================================================================
      
      JOB_NAME=am-test
      ...
      
      password=mysecretpassword
      
      ...
      

      see also https://groups.google.com/forum/#!topic/jenkinsci-users/uHEszf8DHac (incl. a workaround)
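As an added illustration (not code from the issue, the M2 Release Plugin or any Jenkins plugin), the following Python sketch contrasts the two masking strategies this report touches on: masking by argument name, which is what the masked `-Dpassword=*********` on the command line reflects, and masking by secret value, which is the approach of console-log filters such as the Mask Passwords plugin. The sample log lines are constructed after the output quoted above; `mask_by_key`, `mask_by_value` and `leaked` are hypothetical helper names.

```python
import re

# Constructed sample lines modelled on the log in the description (not the real log).
SAMPLE_LOG = [
    "Executing Maven:  -B -f pom.xml -Dusername=jenkins help:system -Dpassword=mysecretpassword",
    "[INFO] --- maven-help-plugin:2.2:system (default-cli) @ my-module ---",
    "System Properties",
    "JOB_NAME=am-test",
    "password=mysecretpassword",
    # constructed: the same value surfacing in a completely unrelated place
    "BUILD_URL=http://jenkins.example/job/am-test/1/?token=mysecretpassword",
]

MASK = "********"


def mask_by_key(line, keys=("-Dpassword",)):
    """Key-based masking: hide only the value following a known argument name.
    This mirrors what the issue shows: the launcher masks its own command line,
    but the same value printed elsewhere (the help:system property dump) is not touched."""
    for key in keys:
        line = re.sub(re.escape(key) + r"=\S+", key + "=" + MASK, line)
    return line


def mask_by_value(line, secrets):
    """Value-based masking: replace every occurrence of each secret value,
    wherever it appears in the line. Longest secrets first, so a secret that
    contains another secret is not partially masked and then leaked."""
    for secret in sorted(secrets, key=len, reverse=True):
        if secret:  # an empty secret would match everywhere
            line = line.replace(secret, MASK)
    return line


def leaked(lines, secrets):
    """Return the 1-based numbers of lines that still contain any secret."""
    return [i for i, ln in enumerate(lines, 1) if any(s in ln for s in secrets)]


if __name__ == "__main__":
    secrets = ["mysecretpassword"]
    by_key = [mask_by_key(ln) for ln in SAMPLE_LOG]
    by_value = [mask_by_value(ln, secrets) for ln in SAMPLE_LOG]
    print("still leaking after key-based masking:", leaked(by_key, secrets))
    print("still leaking after value-based masking:", leaked(by_value, secrets))
```

Value-based masking only catches the secret as it was entered; an encoded form (URL-encoded, base64) would pass through, so a filter of this kind is a safety net around the launcher fix, not a replacement for it.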

          Activity

          teilo James Nord added a comment -

          maven-release-plugin should not by default show the password - so this is an issue with the upstream plugin.

          Will attempt to see if a workaround is possible

          ahammar Anders Hammar added a comment -

          The same will happen if "SCM password environment variable" is configured.

          The thing with the output above is that the maven-help-plugin prints all environment variables as part of the Maven build execution. If the Jenkins m2release plugin could mask that it would be great.

          However, that is not the only problem as these passwords are also revealed as part of the Jenkins Maven plugin: JENKINS-4428

          jglick Jesse Glick added a comment -

          I think this is rather a bug in maven-release-plugin. It should be forking a child process in a way that does not involve printing the password to stdout.

          recampbell Ryan Campbell added a comment -

          It looks like the upstream bug in maven-release-plugin is fixed.

          https://issues.apache.org/jira/browse/SCM-811

          Since the fix is from May of this year, I'm closing this as Invalid/Won't Fix.

          andreasmandel Andreas Mandel added a comment -

          Why not store the password parameter as PasswordParameterValue so that it can be handled as such?

          Anders Hammar, sorry I did not get this before; you can use the Password Mask functionality of the EnvInject or the Mask Passwords Plugin.


            People

            Assignee: teilo James Nord
            Reporter: andreasmandel Andreas Mandel