Uploaded image for project: 'Jenkins'
  1. Jenkins
  2. JENKINS-36007

Way to mask arbitrary Secret (was: Password is clear on log with input parameter)

    Details

    • Similar Issues:

      Description

      On jenkins pipeline i use input with Password param but password is shown on console log

      exemple:
      def userInput = input(
      id: 'userInput', message: 'Let\'s promote?', submitter: 'DL_KATANACLOUD_TEAM', parameters: [
      [$class: 'PasswordParameterDefinition', description: 'Password', name: 'pwd']
      ])
      sh ("echo ${userInput['pwd']}")

        Attachments

          Issue Links

            Activity

            Hide
            jglick Jesse Glick added a comment -

            Secrets are not masked unless you do something specific to mask them, such as using the Credentials Binding or Mask Passwords plugin.

            In this case, PasswordParameterValue returns a Secret value, which SecretPickle does ensure is not stored in cleartext in the build record itself (program.dat), but we are missing a build wrapper which would let you specify that occurrences of the plaintext in subsequent log output should be masked.

            Show
            jglick Jesse Glick added a comment - Secrets are not masked unless you do something specific to mask them, such as using the Credentials Binding or Mask Passwords plugin. In this case, PasswordParameterValue returns a Secret value, which SecretPickle does ensure is not stored in cleartext in the build record itself ( program.dat ), but we are missing a build wrapper which would let you specify that occurrences of the plaintext in subsequent log output should be masked.

              People

              • Assignee:
                jglick Jesse Glick
                Reporter:
                sebglon s├ębastien glon
              • Votes:
                5 Vote for this issue
                Watchers:
                9 Start watching this issue

                Dates

                • Created:
                  Updated: