Uploaded image for project: 'Jenkins'
  1. Jenkins
  2. JENKINS-43872

Dollar signs in credentials or literal value env vars cause issues in environment in Declarative

    XMLWordPrintable

    Details

    • Similar Issues:

      Description

      I'm still figuring out all the details, but if you've got an environment directive like this:

      environment {
        SOME_VAR = credentials('some-creds')
        SOME_OTHER_VAR = "Look, I contain ${SOME_VAR}"
      }
      

      where SOME_VAR ends up containing something like $VARIABLES somewhere in it, you get an error like:

      [test1 #1] groovy.lang.MissingPropertyException: No such property: VARIABLES for class: groovy.lang.Binding
      [test1 #1] 	at groovy.lang.Binding.getVariable(Binding.java:63)
      [test1 #1] 	at org.jenkinsci.plugins.scriptsecurity.sandbox.groovy.SandboxInterceptor.onGetProperty(SandboxInterceptor.java:224)
      [test1 #1] 	at org.kohsuke.groovy.sandbox.impl.Checker$4.call(Checker.java:241)
      [test1 #1] 	at org.kohsuke.groovy.sandbox.impl.Checker.checkedGetProperty(Checker.java:238)
      [test1 #1] 	at com.cloudbees.groovy.cps.sandbox.SandboxInvoker.getProperty(SandboxInvoker.java:28)
      [test1 #1] 	at com.cloudbees.groovy.cps.impl.PropertyAccessBlock.rawGet(PropertyAccessBlock.java:20)
      [test1 #1] 	at Script1.run(Script1.groovy:1)
      [test1 #1] 	at org.jenkinsci.plugins.pipeline.modeldefinition.ModelInterpreter.withEnvBlock(/Users/abayer/IdeaProjects/pipeline-config-plugin/pipeline-model-definition/target/classes/org/jenkinsci/plugins/pipeline/modeldefinition/ModelInterpreter.groovy:216)
      [test1 #1] 	at org.jenkinsci.plugins.pipeline.modeldefinition.ModelInterpreter.call(/Users/abayer/IdeaProjects/pipeline-config-plugin/pipeline-model-definition/target/classes/org/jenkinsci/plugins/pipeline/modeldefinition/ModelInterpreter.groovy:75)
      [test1 #1] 	at org.jenkinsci.plugins.pipeline.modeldefinition.ModelInterpreter.inDeclarativeAgent(/Users/abayer/IdeaProjects/pipeline-config-plugin/pipeline-model-definition/target/classes/org/jenkinsci/plugins/pipeline/modeldefinition/ModelInterpreter.groovy:361)
      ...
      

      Additionally, a $ on its own gets you a different error, but the underlying problem is the same - we're not escaping things properly.

        Attachments

          Issue Links

            Activity

            Hide
            abayer Andrew Bayer added a comment -

            PR up at https://github.com/jenkinsci/pipeline-model-definition-plugin/pull/155 - Stephen Donner - I'd still very much love to know what the string is in your example where you hit this, to make sure there's not some additional escaping needed.

            Show
            abayer Andrew Bayer added a comment - PR up at https://github.com/jenkinsci/pipeline-model-definition-plugin/pull/155 - Stephen Donner - I'd still very much love to know what the string is in your example where you hit this, to make sure there's not some additional escaping needed.
            Hide
            stephendonner Stephen Donner added a comment - - edited

            I've just attached an obfuscated (in values, not fields or format) "credentials.json" file which we store and load in via the Config File Provider Plugin, and our Jenkinsfile balks on.

            We're not currently experiencing this in our master branch[0], but are in a proposed branch[1], where we were trying out the fix for JENKINS-42858.

            Here's our stack trace: https://gist.github.com/stephendonner/9bc743b5ff257bfce9fd6ff855dc0248

            [0] https://github.com/mozilla/mozillians-tests/blob/fca5cc57677cc239ba387a566df01db04aed2edd/Jenkinsfile#L18
            [1] https://github.com/stephendonner/mozillians-tests/blob/3b1f6450d1b7461caca9b7ffc1991f3ffd164360/Jenkinsfile

            Show
            stephendonner Stephen Donner added a comment - - edited I've just attached an obfuscated (in values, not fields or format) "credentials.json" file which we store and load in via the Config File Provider Plugin, and our Jenkinsfile balks on. We're not currently experiencing this in our master branch [0] , but are in a proposed branch [1] , where we were trying out the fix for JENKINS-42858 . Here's our stack trace: https://gist.github.com/stephendonner/9bc743b5ff257bfce9fd6ff855dc0248 [0] https://github.com/mozilla/mozillians-tests/blob/fca5cc57677cc239ba387a566df01db04aed2edd/Jenkinsfile#L18 [1] https://github.com/stephendonner/mozillians-tests/blob/3b1f6450d1b7461caca9b7ffc1991f3ffd164360/Jenkinsfile
            Hide
            davehunt Dave Hunt added a comment - - edited

            Something doesn't seem right here.. we're not using the Config File Provider plugin (though, we used to). We're defining a "secret file" credential with contents similar to those Stephen Donner attached to this issue. We then want to pass the path of this file to our test command within our pipeline, and we do that by adding it to an environment variable.

            environment {
              CREDENTIALS_PATH = credentials('MY_SECRET_FILE') // this should result in CREDENTIALS_PATH containing the path to the file
              ARGS = "--path=${CREDENTIALS_PATH}" // this should result in ARGS containing the path within CREDENTIALS_PATH
            Show
            davehunt Dave Hunt added a comment - - edited Something doesn't seem right here.. we're not using the Config File Provider plugin (though, we used to). We're defining a "secret file" credential with contents similar to those Stephen Donner attached to this issue. We then want to pass the path of this file to our test command within our pipeline, and we do that by adding it to an environment variable. environment { CREDENTIALS_PATH = credentials( 'MY_SECRET_FILE' ) // this should result in CREDENTIALS_PATH containing the path to the file ARGS = "--path=${CREDENTIALS_PATH}" // this should result in ARGS containing the path within CREDENTIALS_PATH
            Hide
            abayer Andrew Bayer added a comment -

            Interesting. That's a different problem, then. I'll dig into it.

            Show
            abayer Andrew Bayer added a comment - Interesting. That's a different problem, then. I'll dig into it.
            Hide
            abayer Andrew Bayer added a comment - - edited

            Oh waaaaaait. I think I may know what it is - we're evaluating the environment before we're in the node block on the agent so the FileCredentials aren't resolving yet. Lemme see what I can do. EDIT: I may be wrong about that. But I shall experiment anyway.

            Show
            abayer Andrew Bayer added a comment - - edited Oh waaaaaait. I think I may know what it is - we're evaluating the environment before we're in the node block on the agent so the FileCredentials aren't resolving yet. Lemme see what I can do. EDIT: I may be wrong about that. But I shall experiment anyway.
            Hide
            abayer Andrew Bayer added a comment -

            Bingo - Dave Hunt, Stephen Donner - JENKINS-43910 is your bug and I'm on it.

            Show
            abayer Andrew Bayer added a comment - Bingo - Dave Hunt , Stephen Donner - JENKINS-43910 is your bug and I'm on it.
            Hide
            scm_issue_link SCM/JIRA link daemon added a comment -

            Code changed in jenkins
            User: Andrew Bayer
            Path:
            pipeline-model-definition/src/main/groovy/org/jenkinsci/plugins/pipeline/modeldefinition/Utils.groovy
            pipeline-model-definition/src/main/groovy/org/jenkinsci/plugins/pipeline/modeldefinition/model/Environment.groovy
            pipeline-model-definition/src/main/resources/org/jenkinsci/plugins/pipeline/modeldefinition/ModelInterpreter.groovy
            pipeline-model-definition/src/test/java/org/jenkinsci/plugins/pipeline/modeldefinition/EnvironmentTest.java
            pipeline-model-definition/src/test/java/org/jenkinsci/plugins/pipeline/modeldefinition/steps/CredentialWrapperStepTest.java
            pipeline-model-definition/src/test/resources/credentialsDollarQuotes.groovy
            pipeline-model-definition/src/test/resources/envDollarQuotes.groovy
            pipeline-model-definition/src/test/resources/environmentCrossReferences.groovy
            http://jenkins-ci.org/commit/pipeline-model-definition-plugin/602a93d39a67ab263657970fa305a2d517576cf1
            Log:
            [FIXED JENKINS-43872] Properly escape dollar signs in env evaluation

            Show
            scm_issue_link SCM/JIRA link daemon added a comment - Code changed in jenkins User: Andrew Bayer Path: pipeline-model-definition/src/main/groovy/org/jenkinsci/plugins/pipeline/modeldefinition/Utils.groovy pipeline-model-definition/src/main/groovy/org/jenkinsci/plugins/pipeline/modeldefinition/model/Environment.groovy pipeline-model-definition/src/main/resources/org/jenkinsci/plugins/pipeline/modeldefinition/ModelInterpreter.groovy pipeline-model-definition/src/test/java/org/jenkinsci/plugins/pipeline/modeldefinition/EnvironmentTest.java pipeline-model-definition/src/test/java/org/jenkinsci/plugins/pipeline/modeldefinition/steps/CredentialWrapperStepTest.java pipeline-model-definition/src/test/resources/credentialsDollarQuotes.groovy pipeline-model-definition/src/test/resources/envDollarQuotes.groovy pipeline-model-definition/src/test/resources/environmentCrossReferences.groovy http://jenkins-ci.org/commit/pipeline-model-definition-plugin/602a93d39a67ab263657970fa305a2d517576cf1 Log: [FIXED JENKINS-43872] Properly escape dollar signs in env evaluation
            Hide
            abayer Andrew Bayer added a comment -

            Released in 1.1.4 just now!

            Show
            abayer Andrew Bayer added a comment - Released in 1.1.4 just now!
            Hide
            mkj Michal Matyjek added a comment -

            I'm still investigating, but looks like this change broke something in our pipeline.

            Had this working in 1.1.3:
            environment {
            GOPATH='${WORKSPACE}'
            ...
             
            with 1.1.4 go is now throwing:
            go: GOPATH entry is relative; must be absolute path: "${WORKSPACE}".
             
             

            Show
            mkj Michal Matyjek added a comment - I'm still investigating, but looks like this change broke something in our pipeline. Had this working in 1.1.3: environment { GOPATH='${WORKSPACE}' ...   with 1.1.4 go is now throwing: go: GOPATH entry is relative; must be absolute path: "${WORKSPACE}".    
            Hide
            mkj Michal Matyjek added a comment -

            Looks like it's the quotes:

            GOPATH='${WORKSPACE}' worked until 1.1.3, does not work in 1.1.4
            GOPATH="${WORKSPACE}" works in 1.1.4...
             

            Show
            mkj Michal Matyjek added a comment - Looks like it's the quotes: GOPATH='${WORKSPACE}' worked until 1.1.3, does not work in 1.1.4 GOPATH="${WORKSPACE}" works in 1.1.4...  

              People

              • Assignee:
                abayer Andrew Bayer
                Reporter:
                abayer Andrew Bayer
              • Votes:
                1 Vote for this issue
                Watchers:
                5 Start watching this issue

                Dates

                • Created:
                  Updated:
                  Resolved: