JENKINS-42950

credentials-binding-plugin not masking secret text when it includes a single quote

      Description

      I have a Jenkins job to deploy an Ansible playbook and I have used the credentials-binding-plugin secret text entries for entering my different environment Ansible Vault passwords. 2 of my encrypted passwords work fine but one of them has a single quote in the text and it seems to be causing problems with the masking and so that password is showing up in the logs. I tried escaping in the actual text itself but that did not work either.

      I would just change passwords but they are company passwords and not mine to change so please let me know if something can be done to fix the parsing or if there is an immediate workaround for this.

       

      Thanks,

      Jeff Mclean

            Activity

            jglick Jesse Glick added a comment -

            Sounds like a bug if true. No known workaround.

            jglick Jesse Glick added a comment -

            Checked in functional tests and could not reproduce for either freestyle or Pipeline builds.

            cowlinator p cowlinator added a comment -

            I am able to reproduce this issue.  I will post more details in the next comment.

            cowlinator p cowlinator added a comment - edited

            I get this problem with the following environment:

            Jenkins server: runs on `jenkins/jenkins:lts` docker image (image id: 5907903170ad), with Jenkins version 2.150.1.
            Credentials-binding-plugin version: 1.17.
            Agent: runs on an Alpine Linux 3.8 docker image

            When running the following pipeline:

            pipeline {
                agent { docker { image 'alpine:3.8' } }
                stages {
                    stage('run_for_ranapas') {
                        steps {
                            withCredentials([usernamePassword(credentialsId: 'quote_pw', usernameVariable: 'USER', passwordVariable: 'PASS')]) {
                                sh '''
                                    echo $USER $PASS
                                '''
                            }
                        }
                    }
                }
            }
            
            

            Where `quote_pw` is a global scope, global domain credential whose `kind` is `username and password`, and whose values are: username: `username7`, password: `password'7`.

            The result is:

            [Pipeline] withCredentials
            [Pipeline] {
            [Pipeline] sh
            + echo **** 'password'"'"'7'
            **** ****
            
            jglick Jesse Glick added a comment -

            Ah yes, this is just Bash being too clever. When you have echo enabled, Bash—but not, say, Ubuntu’s more compliant Dash—will detect command arguments containing ' and present a mockup of a command line that would escape them even if all the mockup elements were manually surrounded with '. Thus

            echo $USER $PASS
            

            is rendered as

            + echo username7 password'"'"'7
            

            rather than simply

            + echo username7 password'7
            

            which I suppose is intended to make it easier for you to copy-paste this line into a new script as

            echo 'username7' 'password'"'"'7'
            

            Since output does not literally contain the password, it is not masked. In general, the plugin cannot keep up with the ways in which various tools might decide to mangle secrets before printing them; it keeps it simple and masks secrets only when printed literally.

            So either disable echoing with

            set +x
            

            or simply avoid passwords with shell metacharacters, ' especially.

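An added example (not code from the issue or from the credentials-binding plugin) that models the behaviour described in the comment above: a literal-only masker applied to the traced command line, the single-quote rendering seen in the trace, and a masker that also covers the shell-quoted forms of a secret. The quoting rule and the extra quoted forms are assumptions about the shell, and the sample credentials are constructed.

```python
# Added example; not from the Jenkins issue or the credentials-binding plugin.
import re

MASK = "****"

# Assumption: words made only of these characters are traced bare; others quoted.
_SAFE_WORD = re.compile(r"[A-Za-z0-9_./:=+-]+")


def xtrace_quote(word: str) -> str:
    """Render one argument as the trace line in the issue shows it: a word
    holding a ' is wrapped in single quotes and each embedded ' becomes
    '"'"' (close the quote, a double-quoted ', reopen the quote)."""
    if _SAFE_WORD.fullmatch(word):
        return word
    return "'" + word.replace("'", "'\"'\"'") + "'"


def console_lines(args: list[str], xtrace: bool) -> list[str]:
    """Console output of an `echo` step, with (set -x) or without (set +x)
    the echoed command line in front of echo's own output."""
    lines = ["+ " + " ".join(xtrace_quote(a) for a in args)] if xtrace else []
    lines.append(" ".join(args[1:]))
    return lines


def mask_literal(line: str, secrets: list[str]) -> str:
    """Literal-only masking: each secret is replaced exactly as stored."""
    for s in sorted(secrets, key=len, reverse=True):
        line = line.replace(s, MASK)
    return line


def quoted_forms(secret: str) -> list[str]:
    """The secret plus the quoted renderings a shell trace may emit for it
    (assumption: the '"'"' style from the issue and the '\\'' style)."""
    forms = [secret]
    if "'" in secret:
        forms.append("'" + secret.replace("'", "'\"'\"'") + "'")
        forms.append("'" + secret.replace("'", "'\\''") + "'")
    return forms


def mask_hardened(line: str, secrets: list[str]) -> str:
    """Mask the quoted renderings too, so the traced line no longer leaks."""
    return mask_literal(line, [v for s in secrets for v in quoted_forms(s)])


if __name__ == "__main__":
    user, pw = "username7", "password'7"  # constructed sample credential
    for line in console_lines(["echo", user, pw], xtrace=True):
        print(mask_literal(line, [user, pw]), "->", mask_hardened(line, [user, pw]))
```

With `xtrace=False` (the `set +x` remedy) only echo's own output reaches the console, and the literal masker already turns it into `**** ****`.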
            cowlinator p cowlinator added a comment -

            Jesse Glick, can you at least include a note about this in the documentation?

            jglick Jesse Glick added a comment -

            Done.


              People

              Reporter: jamclean Jeff Mclean