  1. Jenkins
  2. JENKINS-47514

Special characters in password are not escaped properly

    Details

    • Type: Bug
    • Status: Closed
    • Priority: Minor
    • Resolution: Fixed
    • Component/s: git-client-plugin
    • Labels:
      None
    • Environment:
      Jenkins: 2.46.3
      git-client-plugin: 2.4.6

      Description

      When using a username/password credential with the git plugin on an agent where /bin/sh is dash, and either the username or the password contains echo special character sequences (see below), those character sequences are interpreted by the echo command used to pass the credentials to git. For example, given a password of anExampleWithA\newline the password output will actually be:

      anExampleWithA
      ewline

      The character sequences that need to be escaped are:

      \b A backspace character is output.
      \c Subsequent output is suppressed. This is normally used at the end of the last argument to suppress the trailing newline that echo would otherwise output.
      \f Output a form feed.
      \n Output a newline character.
      \r Output a carriage return.
      \t Output a (horizontal) tab character.
      \v Output a vertical tab.
      \0digits Output the character whose value is given by zero to three octal digits. If there are zero digits, a nul character is output.
      \\ Output a backslash.

      The issue can be worked around by changing /bin/sh on the executing agents to a shell that does not do character sequence interpretation by default (e.g. bash).

          Activity

          markewaite Mark Waite added a comment -

          I have a branch of the git client plugin which replaces "echo" with "cat" on Unix, and replaces "echo" with "type" on Windows so that no shell interpretation is applied to the user provided username or password.

          The current location is PR207-retry-1. It is a large enough change that it will need extensive testing before I merge it into the main development line. It currently passes automated tests but has not been through more thorough interactive testing.
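The mangling from the issue description next to two escape-safe ways of emitting the same secret, as an added example that is not the plugin's code. `printf '%b'` stands in for dash's `echo` so the result is the same under any POSIX shell; the function names and the temp-file layout are assumptions.

```shell
#!/bin/sh
# Constructed sample: the password used in the issue description.
SECRET='anExampleWithA\newline'

# Stand-in for dash's builtin echo: printf %b expands the same backslash
# sequences (\b \c \f \n \r \t \v \0digits \\) in its argument.
emit_like_dash_echo() {
    printf '%b\n' "$1"
}

# Escape-safe: %s copies the argument bytes through unchanged.
emit_with_printf() {
    printf '%s\n' "$1"
}

# Escape-safe, following the echo -> cat idea from the comment above:
# the secret sits in an owner-only file and the shell only ever runs cat
# on it. Assumption: the file is written here by the shell itself; a real
# caller would write it before the helper script runs.
emit_with_cat() {
    dir=$(mktemp -d) || return 1
    ( umask 077; printf '%s\n' "$1" > "$dir/secret" )
    cat "$dir/secret"
    rm -rf "$dir"
}

# True when the echo of the shell running this script rewrites the value,
# which is the condition that triggers the bug on an agent.
echo_mangles() {
    [ "$(echo "$1")" != "$(printf '%s\n' "$1")" ]
}

if echo_mangles "$SECRET"; then
    echo "echo in this shell rewrites the sample secret"
else
    echo "echo in this shell leaves the sample secret intact"
fi
```

Running the script once under `dash` and once under `bash` shows which agents are exposed; the `printf '%s'` and `cat` paths return the same bytes in both.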

          morficus Maurice W. added a comment -

          There are additional characters that need to be escaped as well:

          • : (colon)
          • " (double quote)
          • ' (single quote)
          • @ (at symbol)

          I recently faced an issue where a git-password had some combination of the above characters... and I kept getting errors when trying to use it in my Pipeline file (both via the special helper method `credentials()` to set it as an environment variable or the credentials binding plugin).

          To work around my issue... I ended up resetting the password to something with no special characters.

          raffinyc Raffi B added a comment -

          ..escape dollar sign char too, $ --> \$

          markewaite Mark Waite added a comment -

          Fixed in git client plugin 3.0.0

          kshcherban Konstantin Shcherban added a comment -

          Will just leave it here https://gist.github.com/Faheetah/e11bd0315c34ed32e681616e41279ef4

          markewaite Mark Waite added a comment -

          Released with git client plugin 3.0.0 on Nov 2, 2019.


            People

            • Assignee: Unassigned
            • Reporter: greg_symons Gregory Symons
            • Votes: 2
            • Watchers: 7
