Uploaded image for project: 'Jenkins'
  1. Jenkins
  2. JENKINS-43814

Password parameters should be hidden in pipeline logs by default

    XMLWordPrintable

    Details

    • Similar Issues:

      Description

      In a pipeline script when a developer uses `withCredentials` credentials are hidden in logs to reduces the chance of accidental disclosure (see JENKINS-38181)

      When using a password parameter in a job the same concept should be applied to it and it should be impossible to display its value in logs

      A work-around is to use the MaskPasswordsBuildWrapper but it has to be manually done (and it's a bit crappy)

      node {
        wrap([$class: 'MaskPasswordsBuildWrapper', varPasswordPairs: [[password: "${myPassword}", var: 'PASSWORD']]]) {
         println myPassword
         sh 'echo "Hello World ${myPassword}"'
        }
      }

       

       

      .

        Attachments

          Issue Links

            Activity

            Hide
            jglick Jesse Glick added a comment -

            do you mean MaskPasswordsBuildWrapper could be replicated in Declarative?

            No, just to have Declarative notice that you have a password parameter and automatically do the boilerplate to mask its value.

            Show
            jglick Jesse Glick added a comment - do you mean  MaskPasswordsBuildWrapper  could be replicated in Declarative? No, just to have Declarative notice that you have a password parameter and automatically do the boilerplate to mask its value.
            Hide
            cstroe Cosmin Stroe added a comment - - edited

            Any reason why the contents of a password parameter aren't automatically filtered out from console logs? That is, is there a technical reason? or is it just that noone's implemented the feature yet?

            Show
            cstroe Cosmin Stroe added a comment - - edited Any reason why the contents of a password parameter aren't automatically filtered out from console logs? That is, is there a technical reason? or is it just that noone's implemented the feature yet?
            Hide
            jglick Jesse Glick added a comment -

            No one has implemented such a feature (or proposed a mechanism by which it could be implemented).

            Show
            jglick Jesse Glick added a comment - No one has implemented such a feature (or proposed a mechanism by which it could be implemented).
            Hide
            jglick Jesse Glick added a comment -

            HOSTING-679 claims to implement something like this.

            Show
            jglick Jesse Glick added a comment - HOSTING-679 claims to implement something like this.
            Hide
            jglick Jesse Glick added a comment -

            proposed a mechanism by which it could be implemented

            This is actually possible now via TaskListenerDecorator, I think.

            Show
            jglick Jesse Glick added a comment - proposed a mechanism by which it could be implemented This is actually possible now via TaskListenerDecorator , I think.

              People

              • Assignee:
                Unassigned
                Reporter:
                aheritier Arnaud Héritier
              • Votes:
                3 Vote for this issue
                Watchers:
                7 Start watching this issue

                Dates

                • Created:
                  Updated: