
MavenProbeAction exposes password parameters

      Description

      Password parameters of Hudson jobs are visible in plain form when the job is
      running. Look at the "Monitor Maven Process/Environment Variables" view.

            Activity

            rtlusty rtlusty added a comment -

            switched to "parameters" subcomponent (maybe it fits better)

            mambu Marco Ambu added a comment -

            The password parameter is visible also when the build is waiting in the queue
            and you pass the mouse over the job.

            daiglebagel Logan Daigle added a comment -

            This issue is still occurring. I am running version 1.471 of the Jenkins service. I have installed the password masking plugin. This effectively removes the passwords from any log files, but if a job that takes a password as a parameter is waiting in the queue and you hover over the hyperlink, the password is shown. This is NOT good. This shows my Active Directory password to anyone else that hovers over this link and may give someone access to a network resource that they would not otherwise have access to. PLEASE FIX!

            kopfwunde Jan Seidel added a comment -

            In fact the unencrypted credentials are also seen in "Some job# in the build history" -> "Environment variables".
            THIS is very inconvenient. We are trying to lock down our build system to prevent unauthorized access to our infrastructure.
            But anybody with legit access to Jenkins can get the information there :/

            jglick Jesse Glick added a comment -

            Jan Seidel your issue sounds like JENKINS-23447.

            I am not sure what this issue is about any more; possibly since superseded.

            danielbeck Daniel Beck added a comment -

            This issue is about the MavenProbeAction in Maven Project Plugin, so assigning that as component.

            jglick Jesse Glick added a comment -

            Deleted a bunch of apparently unrelated “duplicates”.

            ahammar Anders Hammar added a comment -

            Until this is fixed, would it be possible to add a config option to turn this monitor feature off?

            ahammar Anders Hammar added a comment -

            I've looked into this and have a PoC fix for masking sensitive env vars:
            https://github.com/andham/maven-plugin/tree/poc-JENKINS-4428

            I'd appreciate a second set of eyes on this and some input before starting a PR.
            I'm having issues executing the project's tests, so haven't looked into that just yet.

            Please note that this only masked the env vars, not anything in the system properties page. Maybe the same masking should be applied there?

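A sketch of the masking approach discussed in the comment above, added here as an example; it is not the maven-plugin's code and not the linked PoC branch. It assumes the diagnostic view hands over a plain Map of variable names to values together with a Set of names that belong to password parameters (Jenkins core flags password parameters as sensitive; the set here is simply constructed by hand). The second method goes beyond the name-based masking the PoC describes: it also redacts every occurrence of a sensitive value inside other variables, which is what a system properties view needs when a build step has copied the password into something like MAVEN_OPTS.

```java
import java.util.Collections;
import java.util.HashMap;
import java.util.HashSet;
import java.util.Map;
import java.util.Set;

/**
 * Masks sensitive build parameters before a diagnostic view (environment
 * variables, system properties) renders them. Added example code; it is not
 * the maven-plugin's own implementation.
 */
public final class SensitiveVariableMasker {

    /** Placeholder rendered instead of a secret value. */
    public static final String MASK = "********";

    private SensitiveVariableMasker() {}

    /**
     * Name-based masking, as the PoC does for the env var view: every entry
     * whose name is in sensitiveNames is replaced by MASK, everything else is
     * passed through unchanged.
     */
    public static Map<String, String> maskByName(Map<String, String> vars, Set<String> sensitiveNames) {
        Map<String, String> out = new HashMap<>();
        for (Map.Entry<String, String> e : vars.entrySet()) {
            out.put(e.getKey(), sensitiveNames.contains(e.getKey()) ? MASK : e.getValue());
        }
        return Collections.unmodifiableMap(out);
    }

    /**
     * Name-based masking misses copies of a secret that ended up inside another
     * variable (for example a password folded into MAVEN_OPTS as a -D flag).
     * This variant additionally redacts each sensitive value wherever it occurs
     * in any other value, so one call can serve both the env var view and a
     * system properties view.
     */
    public static Map<String, String> maskByNameAndValue(Map<String, String> vars, Set<String> sensitiveNames) {
        // Collect the secret values themselves so they can be searched for.
        Set<String> secretValues = new HashSet<>();
        for (String name : sensitiveNames) {
            String v = vars.get(name);
            if (v != null && !v.isEmpty()) {
                secretValues.add(v);
            }
        }
        Map<String, String> out = new HashMap<>();
        for (Map.Entry<String, String> e : vars.entrySet()) {
            if (sensitiveNames.contains(e.getKey())) {
                out.put(e.getKey(), MASK);
                continue;
            }
            String value = e.getValue();
            if (value != null) {
                for (String secret : secretValues) {
                    value = value.replace(secret, MASK);
                }
            }
            out.put(e.getKey(), value);
        }
        return Collections.unmodifiableMap(out);
    }

    public static void main(String[] args) {
        // Constructed sample: a parameterised job whose password parameter is
        // DEPLOY_PASSWORD, and a build step that copied it into MAVEN_OPTS.
        Map<String, String> env = new HashMap<>();
        env.put("JOB_NAME", "deploy-app");
        env.put("DEPLOY_USER", "ci-bot");
        env.put("DEPLOY_PASSWORD", "example-not-a-real-secret");
        env.put("MAVEN_OPTS", "-Ddeploy.password=example-not-a-real-secret -Xmx512m");

        Set<String> sensitive = new HashSet<>();
        sensitive.add("DEPLOY_PASSWORD");

        // Name-based: DEPLOY_PASSWORD is masked, MAVEN_OPTS still leaks the value.
        System.out.println(maskByName(env, sensitive));
        // Name-and-value: both DEPLOY_PASSWORD and the copy in MAVEN_OPTS are masked.
        System.out.println(maskByNameAndValue(env, sensitive));
    }
}
```

Value-based redaction is what closes the gap the comment points at (the system properties page), at the cost of occasionally over-masking when a secret happens to be a substring of an unrelated value; for a view that exists only to help debug a build, erring on the side of masking is the right trade.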
            ahammar Anders Hammar added a comment -

            https://github.com/jenkinsci/maven-plugin/pull/50

            I don't know how to create an IT for this though. Somehow I need to trigger an action during the Maven build and not verify the outcome of a build.

            ahammar Anders Hammar added a comment -

            Ping. Could someone review and merge please?

            scm_issue_link SCM/JIRA link daemon added a comment -

            Code changed in jenkins
            User: Anders Hammar
            Path:
            src/main/java/hudson/maven/MavenModuleSetBuild.java
            src/main/java/hudson/maven/MavenProbeAction.java
            http://jenkins-ci.org/commit/maven-plugin/3e970728b46198aa898e507963cc6da27d5ce8cf
            Log:
            [FIXED JENKINS-4428] MavenProbeAction exposes password parameters

            Signed-off-by: Anders Hammar <anders@hammar.net>

            scm_issue_link SCM/JIRA link daemon added a comment -

            Code changed in jenkins
            User: Olivier Lamy
            Path:
            src/main/java/hudson/maven/MavenModuleSetBuild.java
            src/main/java/hudson/maven/MavenProbeAction.java
            http://jenkins-ci.org/commit/maven-plugin/9c5eb51dda735450a6cc7a59201efe2cd795625a
            Log:
            Merge pull request #50 from andham/JENKINS-4428

            [FIXED JENKINS-4428] MavenProbeAction exposes password parameters

            Compare: https://github.com/jenkinsci/maven-plugin/compare/cc6027c7f38c...9c5eb51dda73

            aheritier Arnaud Héritier added a comment -

            Fixed in 2.13


              People

              • Assignee: ahammar Anders Hammar
              • Reporter: rtlusty rtlusty
              • Votes: 9
              • Watchers: 12