JENKINS-4428: MavenProbeAction exposes password parameters

Description

Password parameters of Hudson jobs are visible in plain text while the job is
running. Look at the "Monitor Maven Process/Environment Variables" view.

Activity

rtlusty created issue

rtlusty added a comment:

Switched to "parameters" subcomponent (maybe it fits better).
Marco Ambu added a comment:

The password parameter is also visible when the build is waiting in the queue
and you move the mouse over the job.
mdonohue made changes:
Link: This issue is duplicated by JENKINS-5085
mdonohue made changes:
Link: This issue is duplicated by JENKINS-4964
mdonohue made changes:
Link: This issue is duplicated by JENKINS-5757
Logan Daigle added a comment:

This issue is still occurring. I am running version 1.471 of the Jenkins service. I have installed the password masking plugin. This effectively removes the passwords from any log files, but if a job that takes a password as a parameter is waiting in the queue and you hover over the hyperlink, the password is shown. This is NOT good. This shows my Active Directory password to anyone else who hovers over this link and may give someone access to a network resource that they would not otherwise have access to. PLEASE FIX!
Logan Daigle made changes:
Priority: Major → Critical
Component/s: security
Steve Boardwell made changes:
Link: This issue is duplicated by JENKINS-19724
Oleg Nenashev made changes:
Component/s: core; mask-passwords; parameters
Jan Seidel added a comment:

In fact the unencrypted credentials are also seen in "Some job# in the build history" -> "Environment variables".
THIS is very inconvenient. We are trying to lock down our build system to prevent unauthorized access to our infrastructure.
But anybody with legit access to Jenkins can get the information there :/
Jesse Glick added a comment:

Jan Seidel, your issue sounds like JENKINS-23447.

I am not sure what this issue is about any more; possibly since superseded.

Jesse Glick made changes:
Link: This issue is related to JENKINS-23447
Daniel Beck added a comment:

This issue is about the MavenProbeAction in Maven Project Plugin, so assigning that as component.

Daniel Beck made changes:
Component/s: maven; security; core; mask-passwords
Jesse Glick made changes:
Summary: "Security leak - password parameters are visible" → "MavenProbeAction exposes password parameters"
Jesse Glick made changes:
Labels: security
Jesse Glick made changes:
Link: This issue is duplicated by JENKINS-4964
Jesse Glick made changes:
Link: This issue is duplicated by JENKINS-5085
Jesse Glick made changes:
Link: This issue is duplicated by JENKINS-5757
Jesse Glick added a comment:

Deleted a bunch of apparently unrelated “duplicates”.
Anders Hammar added a comment:

Until this is fixed, would it be possible to add a config option to turn this monitor feature off?
Anders Hammar added a comment:

I've looked into this and have a PoC fix for masking sensitive env vars:
https://github.com/andham/maven-plugin/tree/poc-JENKINS-4428

I'd appreciate a second set of eyes on this and some input before starting a PR.
I'm having issues executing the project's tests, so I haven't looked into that just yet.

Please note that this only masks the env vars, not anything in the system properties page. Maybe the same masking should be applied there?
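As an added example (not code from this issue, the PoC branch, or PR #50), the following stand-alone Java models the masking approach discussed above: a copy of the build's environment map is produced for display with every sensitive parameter hidden, while the live map the running build uses stays untouched. `Param`, `maskSensitive`, `MASK` and the sample variables are constructed for the illustration; in the plugin itself the parameter list would come from Jenkins' `ParametersAction.getParameters()` and the sensitivity flag from `ParameterValue.isSensitive()`.

```java
import java.util.ArrayList;
import java.util.Collections;
import java.util.List;
import java.util.Map;
import java.util.TreeMap;

/**
 * Illustrative, self-contained model (not the maven-plugin's code) of masking
 * sensitive build parameters before an environment-variables view is rendered.
 */
public class MaskedEnvExample {

    /** Placeholder shown in place of a secret. */
    static final String MASK = "********";

    /** Hypothetical stand-in for a Jenkins ParameterValue: name, plain value, isSensitive(). */
    static final class Param {
        final String name;
        final String value;
        final boolean sensitive;

        Param(String name, String value, boolean sensitive) {
            this.name = name;
            this.value = value;
            this.sensitive = sensitive;
        }
    }

    /**
     * Returns a masked copy of env for display. The input map is never modified,
     * so the running build still sees the real values.
     * Two rules are applied for every sensitive parameter:
     *  1. the variable carrying the parameter itself (Jenkins exports each
     *     parameter as an environment variable of the same name) is replaced by MASK;
     *  2. any other variable whose value embeds the secret (for example a
     *     MAVEN_OPTS string built from the parameter) has that substring replaced.
     */
    static Map<String, String> maskSensitive(Map<String, String> env, List<Param> params) {
        Map<String, String> masked = new TreeMap<String, String>(env);
        for (Param p : params) {
            if (!p.sensitive) {
                continue;
            }
            // Rule 1: the parameter's own variable.
            if (masked.containsKey(p.name)) {
                masked.put(p.name, MASK);
            }
            // Rule 2 only applies to non-empty secrets; an empty string would match everywhere.
            if (p.value == null || p.value.isEmpty()) {
                continue;
            }
            for (Map.Entry<String, String> e : masked.entrySet()) {
                String v = e.getValue();
                if (v != null && v.contains(p.value)) {
                    e.setValue(v.replace(p.value, MASK)); // setValue is not a structural change
                }
            }
        }
        return Collections.unmodifiableMap(masked);
    }

    public static void main(String[] args) {
        // Constructed sample data: a build with one ordinary and one password parameter.
        List<Param> params = new ArrayList<Param>();
        params.add(new Param("TARGET_ENV", "staging", false));
        params.add(new Param("DEPLOY_PASSWORD", "s3cr3t-value", true)); // constructed, not a real secret

        Map<String, String> env = new TreeMap<String, String>();
        env.put("BUILD_NUMBER", "42");
        env.put("TARGET_ENV", "staging");
        env.put("DEPLOY_PASSWORD", "s3cr3t-value");
        env.put("MAVEN_OPTS", "-Ddeploy.password=s3cr3t-value -Xmx512m");

        // What the "Environment Variables" page would render after masking.
        Map<String, String> view = maskSensitive(env, params);
        for (Map.Entry<String, String> e : view.entrySet()) {
            System.out.println(e.getKey() + "=" + e.getValue());
        }
    }
}
```

Masking by parameter name (rule 1) is the baseline; the substring rule (rule 2) catches values copied into other variables, but it can over-mask when a secret is very short or happens to occur in unrelated values, so a plugin applying it would want to reserve it for values of reasonable length. As Logan Daigle's comment notes, log masking alone does not cover this view, which is why the masking has to happen where the environment is rendered.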
Anders Hammar made changes:
Assignee: Anders Hammar
Anders Hammar made changes:
Status: Open → In Progress
Anders Hammar added a comment:

https://github.com/jenkinsci/maven-plugin/pull/50

I don't know how to create an IT for this though. Somehow I need to trigger an action during the Maven build and not verify the outcome of a build.
Anders Hammar added a comment:

Ping. Could someone review and merge please?
SCM/JIRA link daemon added a comment:

Code changed in jenkins
User: Anders Hammar
Path:
src/main/java/hudson/maven/MavenModuleSetBuild.java
src/main/java/hudson/maven/MavenProbeAction.java
http://jenkins-ci.org/commit/maven-plugin/3e970728b46198aa898e507963cc6da27d5ce8cf
Log:
[FIXED JENKINS-4428] MavenProbeAction exposes password parameters

Signed-off-by: Anders Hammar <anders@hammar.net>

SCM/JIRA link daemon made changes:
Status: In Progress → Resolved
Resolution: Fixed
SCM/JIRA link daemon added a comment:

Code changed in jenkins
User: Olivier Lamy
Path:
src/main/java/hudson/maven/MavenModuleSetBuild.java
src/main/java/hudson/maven/MavenProbeAction.java
http://jenkins-ci.org/commit/maven-plugin/9c5eb51dda735450a6cc7a59201efe2cd795625a
Log:
Merge pull request #50 from andham/JENKINS-4428

[FIXED JENKINS-4428] MavenProbeAction exposes password parameters

Compare: https://github.com/jenkinsci/maven-plugin/compare/cc6027c7f38c...9c5eb51dda73

Arnaud Héritier added a comment:

Fixed in 2.13

R. Tyler Croy made changes:
Workflow: JNJira → JNJira + In-Review
CloudBees Inc. made changes:
Remote Link: This issue links to "CloudBees Internal OSS-645 (Web Link)"

People

Assignee: Anders Hammar
Reporter: rtlusty
Votes: 9
Watchers: 12

Dates

Created:
Updated:
Resolved: