Uploaded image for project: 'Jenkins'
  1. Jenkins
  2. JENKINS-53649

Strings from the "echo" step are suppressed in BlueOcean UI if they contain values found in an environment variable

    Details

    • Type: Bug
    • Status: Resolved (View Workflow)
    • Priority: Minor
    • Resolution: Duplicate
    • Component/s: workflow-cps-plugin
    • Labels:
    • Environment:
      Jenkins: 2.138.1
      BlueOcean plugin: 1.8.2
      A clean install on Windows 7 with just a standard set of plugins
      Reproed with Chrome on Windows and Firefox on a Linux desktop
    • Similar Issues:

      Description

      When a string is displayed in the BlueOcean UI from an "echo" step, the string "Print Message" is displayed IF the string being echoed contains a substring that matches the contents of any environment variable. 

      Repro steps:

      Create a pipeline with this code:

      pipeline {
          agent any
          stages {
              stage('test') {
                  environment {
                      THING = 'foobarbuzz'
                  }
                  steps {
                      echo "blah"
                      echo "foobarbuzz"
                      echo "foobarZZZbuzz"
                      echo "This is a $THING here"
                  }
              }
          }
      }

      Run the pipeline via Blue Ocean

      Observe that there are four step labels displayed in the Blue Ocean UI. (see attached screenshot)  The first and third steps display the strings from "echo" as expected.  But, the second and fourth steps display only "Print Message" and don't show the expected string.  The user needs to click the step to expand it to see the string.  I would expect that all strings from all echo statements should show up in the main Blue Ocean UI and would not require some to be manually expended.

       

        Attachments

          Issue Links

            Activity

            Hide
            jglick Jesse Glick added a comment -

            JENKINS-47101 seems to be the conflicting requirement

            Yes, as I said the symptoms are different. The underlying problem is the lack of an API to determine whether environment variables are sensitive, something like AbstractBuild.getSensitiveBuildVariables but suited to Pipeline’s needs; in lieu of that, workflow-cps assumes most variables are sensitive, but makes exemptions for a fixed list of common system variables. And yes EnvironmentExpander is the likely locus of such a new API, such as Set<String> getSensitiveVariables().

            Show
            jglick Jesse Glick added a comment - JENKINS-47101 seems to be the conflicting requirement Yes, as I said the symptoms are different. The underlying problem is the lack of an API to determine whether environment variables are sensitive, something like AbstractBuild.getSensitiveBuildVariables but suited to Pipeline’s needs; in lieu of that, workflow-cps assumes most variables are sensitive, but makes exemptions for a fixed list of common system variables. And yes EnvironmentExpander is the likely locus of such a new API, such as Set<String> getSensitiveVariables() .
            Hide
            harryw Harry Weppner added a comment -

            Jesse Glick JENKINS-47101 seems to be the conflicting requirement to suppress credentials in a step, which is different from this issue where non-credentials are suppressed.

            Where are these discussions taking place? Would be happy to help!

            What if `EnvironmentExpander` had a method to yield only env vars that represent a `Secret`. With that the env vars passed into the sanitization could only retain those and argument masking should work as intended!?

            Show
            harryw Harry Weppner added a comment - Jesse Glick JENKINS-47101 seems to be the conflicting requirement to suppress credentials in a step, which is different from this issue where non-credentials are suppressed. Where are these discussions taking place? Would be happy to help! What if `EnvironmentExpander` had a method to yield only env vars that represent a `Secret`. With that the env vars passed into the sanitization could only retain those and argument masking should work as intended!?
            Hide
            jglick Jesse Glick added a comment -

            Well known limitation of the current design. Essentially the same problem as what is described in JENKINS-47101, though with different symptoms. APIs to solve this have been discussed recently, but no promises.

            Show
            jglick Jesse Glick added a comment - Well known limitation of the current design. Essentially the same problem as what is described in JENKINS-47101 , though with different symptoms. APIs to solve this have been discussed recently, but no promises.
            Hide
            harryw Harry Weppner added a comment -

            Been affected by this issue as well and debugged further. Based on my findings the "flaw" is in the attempt of locating environment variables that might be credentials bindings.

             https://github.com/jenkinsci/workflow-cps-plugin/blame/master/src/main/java/org/jenkinsci/plugins/workflow/cps/DSL.java#L240

            My "slightly more than minimal failing" example after configuring a secret text with the id hello is:

            withEnv(['FOO=bar']) {
                echo "Testing bar world"
                withCredentials([string(credentialsId: 'hello', variable: 'MY_SECRET')]) {
                    echo "Testing bar world"
                    withEnv(['BAR=baz']) {
                        echo "Testing bar world"
                        withCredentials([string(credentialsId: 'hello', variable: 'MY_OTHER_SECRET')]) {
                            echo "Testing bar world"
                        }
                    }
                }
            }

            The issue is that we can currently not cleanly separate credentials from other env variables. As a result, all env vars are effectively treated as credentials and their output is masked. That's also why I don't think this is an issue with Blue Ocean.

            I think the system would function as intended if only env vars used as credentials were passed in as constructors to ArgumentsActionImpl at https://github.com/jenkinsci/workflow-cps-plugin/blame/master/src/main/java/org/jenkinsci/plugins/workflow/cps/DSL.java#L246.

            Jesse Glick what would be a clean way to only determine env vars that were added as credentials?

             

            Show
            harryw Harry Weppner added a comment - Been affected by this issue as well and debugged further. Based on my findings the "flaw" is in the attempt of locating environment variables that might  be credentials bindings.   https://github.com/jenkinsci/workflow-cps-plugin/blame/master/src/main/java/org/jenkinsci/plugins/workflow/cps/DSL.java#L240 My "slightly more than minimal failing" example after configuring a secret text with the id hello is: withEnv([ 'FOO=bar' ]) { echo "Testing bar world" withCredentials([string(credentialsId: 'hello' , variable: 'MY_SECRET' )]) { echo "Testing bar world" withEnv([ 'BAR=baz' ]) { echo "Testing bar world" withCredentials([string(credentialsId: 'hello' , variable: 'MY_OTHER_SECRET' )]) { echo "Testing bar world" } } } } The issue is that we can currently not cleanly separate credentials from other env variables. As a result, all env vars are effectively treated as credentials and their output is masked. That's also why I don't think this is an issue with Blue Ocean. I think the system would function as intended if only  env vars used as credentials were passed in as constructors to ArgumentsActionImpl at  https://github.com/jenkinsci/workflow-cps-plugin/blame/master/src/main/java/org/jenkinsci/plugins/workflow/cps/DSL.java#L246. Jesse Glick what would be a clean way to only determine env vars that were added as credentials?  
            Hide
            kellcomnet CHRISTOPHER KELLY added a comment - - edited

            In the same vein as Andreas Meyer I created a groovy library to wrap his method for easy use in my pipelines.

             

            I call the file unsafeEcho.groovy and call it via 

            unsafeEcho "SHORT_BUILD_VERSION: $SHORT_BUILD_VERSION"
            
            #!/usr/bin/env groovy
            
            // Workaround for "Print message" that is displayed by original echo step if the message
            // contains a value of an environment variable or a pipeline parameter.
            //
            // WARNING: This disables masking of secrets in the output, so don't call it 
            
            void call( String msg ) { 
                withContext( new unsafeEchoClearer() ) { 
                    echo msg 
                } 
            }
            
            
            // Clears all environment variables, to be used from withContext{}.
            class unsafeEchoClearer extends org.jenkinsci.plugins.workflow.steps.EnvironmentExpander {
                @NonCPS
                void expand( hudson.EnvVars env ) throws IOException, InterruptedException {
                    env.clear()    
                }    
            }
            

             

            Show
            kellcomnet CHRISTOPHER KELLY added a comment - - edited In the same vein as Andreas Meyer I created a groovy library to wrap his method for easy use in my pipelines.   I call the file unsafeEcho.groovy and call it via  unsafeEcho "SHORT_BUILD_VERSION: $SHORT_BUILD_VERSION" #!/usr/bin/env groovy // Workaround for "Print message" that is displayed by original echo step if the message // contains a value of an environment variable or a pipeline parameter. // // WARNING: This disables masking of secrets in the output, so don't call it void call( String msg ) { withContext( new unsafeEchoClearer() ) { echo msg } } // Clears all environment variables, to be used from withContext{}. class unsafeEchoClearer extends org.jenkinsci.plugins.workflow.steps.EnvironmentExpander { @NonCPS void expand( hudson.EnvVars env ) throws IOException, InterruptedException { env.clear() } }  

              People

              • Assignee:
                Unassigned
                Reporter:
                sirgnip S Nelson
              • Votes:
                25 Vote for this issue
                Watchers:
                29 Start watching this issue

                Dates

                • Created:
                  Updated:
                  Resolved: