Jenkins
JENKINS-56674

In case of executing withDockerContainer inside withDockerContainer, env variables are not masked


    Details

    • Released As:
      docker-workflow 1.18

      Description

      Since it's related to security leaks of credentials, bumping this ticket up to Major priority.

      The following scenario is needed to reproduce the issue:

      node {
        withDockerContainer(image: 'docker', args: '-v /var/run/docker.sock:/var/run/docker.sock') {
          env.TEST_PWD = 'pwd12345'
          withDockerContainer(image: 'docker', args: '-v /var/run/docker.sock:/var/run/docker.sock') {
            sh('echo test')
          }
        }
      }

       This will pass, but the env variables will not be masked when the second (inner) withDockerContainer runs:


         6.514 [prj #1] [Pipeline] node
         6.617 [prj #1] Running on master in /Users/vkravets/work/my/docker-workflow-plugin/tmp/workspace/prj
         6.617 [prj #1] [Pipeline] {
         7.814 [prj #1] [Pipeline] withDockerContainer
         7.814 [prj #1] Jenkins does not seem to be running inside a container
         7.815 [prj #1] $ docker run -t -d -u 501:20 -w /Users/vkravets/work/my/docker-workflow-plugin/tmp/workspace/prj -v /Users/vkravets/work/my/docker-workflow-plugin/tmp/workspace/prj:/Users/vkravets/work/my/docker-workflow-plugin/tmp/workspace/prj:rw,z -v /Users/vkravets/work/my/docker-workflow-plugin/tmp/workspace/prj@tmp:/Users/vkravets/work/my/docker-workflow-plugin/tmp/workspace/prj@tmp:rw,z -e ******** -e ******** -e ******** -e ******** -e ******** -e ******** -e ******** -e ******** -e ******** -e ******** -e ******** -e ******** -e ******** -e ******** -e ******** -e ******** -e ******** -e ******** -e ******** ubuntu cat
         7.815 [prj #1] $ docker top c44d7264133f649cc80cc97aae11272e00c5023efe9c34e86d69ea71dc7beb91 -eo pid,comm
         7.815 [prj #1] [Pipeline] {
        10.504 [prj #1] [Pipeline] withDockerContainer
        10.504 [prj #1] ERROR: Failed to parse docker version. Please note there is a minimum docker version requirement of v1.7.
        10.505 [prj #1] Jenkins does not seem to be running inside a container
        10.505 [prj #1] $ docker exec --env BUILD_DISPLAY_NAME=#1 --env BUILD_ID=1 --env BUILD_NUMBER=1 --env BUILD_TAG=jenkins-prj-1 --env BUILD_URL=http://localhost:56168/jenkins/job/prj/1/ --env CLASSPATH= --env EXECUTOR_NUMBER=1 --env HUDSON_HOME=/Users/vkravets/work/my/docker-workflow-plugin/./tmp --env HUDSON_SERVER_COOKIE=586ce441e4ad2814 --env HUDSON_URL=http://localhost:56168/jenkins/ --env JENKINS_HOME=/Users/vkravets/work/my/docker-workflow-plugin/./tmp --env JENKINS_SERVER_COOKIE=586ce441e4ad2814 --env JENKINS_URL=http://localhost:56168/jenkins/ --env JOB_BASE_NAME=prj --env JOB_NAME=prj --env JOB_URL=http://localhost:56168/jenkins/job/prj/ --env NODE_LABELS=master --env NODE_NAME=master --env TEST_PWD=pwd12345 --env workspace=/Users/vkravets/work/my/docker-workflow-plugin/tmp/workspace/prj c44d7264133f649cc80cc97aae11272e00c5023efe9c34e86d69ea71dc7beb91 docker run -t -d -u 501:20 -w /Users/vkravets/work/my/docker-workflow-plugin/tmp/workspace/prj -v /Users/vkravets/work/my/docker-workflow-plugin/tmp/workspace/prj:/Users/vkravets/work/my/docker-workflow-plugin/tmp/workspace/prj:rw,z -v /Users/vkravets/work/my/docker-workflow-plugin/tmp/workspace/prj@tmp:/Users/vkravets/work/my/docker-workflow-plugin/tmp/workspace/prj@tmp:rw,z -e ******** -e ******** -e ******** -e ******** -e ******** -e ******** -e ******** -e ******** -e ******** -e ******** -e ******** -e ******** -e ******** -e ******** -e ******** -e ******** -e ******** -e ******** -e ******** -e ******** ubuntu cat

       As you can see, this string appeared in the output of the job:

      docker exec --env BUILD_DISPLAY_NAME=#1 --env BUILD_ID=1 --env BUILD_NUMBER=1 ...
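The Python model below is an added illustration and is not code from docker-workflow-plugin or Jenkins core. The class MaskedArgs (a hypothetical name) stands in for Jenkins' ArgumentListBuilder.add/addMasked, which the comments below refer to: a masked argument still reaches the process unchanged but is printed as ******** when the command line is logged. docker_exec_args builds the `docker exec --env ...` prefix quoted above with masking switched on or off, and find_unmasked_env is the check a practitioner can run over console output to catch `docker run`/`docker exec` lines whose --env/-e values were printed in plaintext. SAMPLE_LOG is a constructed, trimmed version of the output above; all function and class names here are assumptions of the example.

```python
"""Added illustration (not code from docker-workflow-plugin or Jenkins core).

MaskedArgs mimics what Jenkins' ArgumentListBuilder.add/addMasked does: every
argument is passed to the process unchanged, but entries added as masked are
printed as ******** when the command line is logged. find_unmasked_env() is a
console-log check for the leak described in this ticket. All names here are
assumptions of the example.
"""
import re

MASK = "********"

# Matches "--env K=V", "--env=K=V" or "-e K=V" as whole tokens.
ENV_FLAG = re.compile(r"(?<!\S)(?:--env|-e)(?:=|\s+)(\S+)")


class MaskedArgs:
    """Argument list that remembers which entries must be hidden in logs."""

    def __init__(self):
        self._args = []      # real values, in order
        self._masked = []    # True where the value must not be printed

    def add(self, *values):
        for value in values:
            self._args.append(value)
            self._masked.append(False)
        return self

    def add_masked(self, value):
        self._args.append(value)
        self._masked.append(True)
        return self

    def to_list(self):
        """What is handed to the process: the real values."""
        return list(self._args)

    def to_log_string(self):
        """What is safe to print: masked entries replaced by ********."""
        return " ".join(MASK if masked else arg
                        for arg, masked in zip(self._args, self._masked))


def docker_exec_args(container, env, inner_cmd, mask=True):
    """Build 'docker exec --env K=V ... CONTAINER <inner_cmd>', the prefix the
    outer container's decorator adds when it launches the inner step.
    mask=True is the behaviour wanted; mask=False reproduces the plaintext
    line quoted in this ticket."""
    cmd = MaskedArgs().add("docker", "exec")
    for key, value in env.items():
        cmd.add("--env")
        if mask:
            cmd.add_masked(f"{key}={value}")
        else:
            cmd.add(f"{key}={value}")
    return cmd.add(container).add(*inner_cmd)


def find_unmasked_env(log_lines):
    """Return (line_no, [KEY, ...]) for each 'docker run'/'docker exec' line
    whose --env/-e values are printed in plaintext instead of ********."""
    hits = []
    for number, line in enumerate(log_lines, 1):
        if not re.search(r"\bdocker (?:run|exec)\b", line):
            continue
        leaked = [value.split("=", 1)[0]
                  for value in ENV_FLAG.findall(line) if value != MASK]
        if leaked:
            hits.append((number, leaked))
    return hits


# Constructed sample, trimmed from the console output quoted in this ticket.
SAMPLE_LOG = [
    "[Pipeline] withDockerContainer",
    "$ docker run -t -d -u 501:20 -w /ws -v /ws:/ws:rw,z -e ******** -e ******** ubuntu cat",
    "$ docker top c44d7264133f -eo pid,comm",
    "[Pipeline] withDockerContainer",
    "$ docker exec --env BUILD_NUMBER=1 --env TEST_PWD=pwd12345 "
    "--env JENKINS_URL=http://localhost:56168/jenkins/ c44d7264133f "
    "docker run -t -d -e ******** -e ******** ubuntu cat",
    "[Pipeline] sh",
    "+ echo test",
]

if __name__ == "__main__":
    for number, keys in find_unmasked_env(SAMPLE_LOG):
        print(f"line {number}: plaintext --env values for {', '.join(keys)}")
    fixed = docker_exec_args("c44d7264133f", {"TEST_PWD": "pwd12345"},
                             ["sh", "-c", "echo test"])
    print("process gets:", fixed.to_list())
    print("log shows:   ", fixed.to_log_string())
```

Run against the sample, the scanner flags only the inner `docker exec` line (line 5), naming BUILD_NUMBER, TEST_PWD and JENKINS_URL, while the outer `docker run` line passes because its `-e` values are already ********. The same scan can be pointed at a real console log to confirm that an upgrade to the fixed plugin version actually closed the leak.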

            Activity

            vkravets Vladimir Kravets added a comment - edited

            Possible fix can be found here: https://github.com/jenkinsci/docker-workflow-plugin/pull/166
            jglick Jesse Glick added a comment -

            Vladimir Kravets please follow responsible disclosure procedures if you even have reason to suspect a security vulnerability anywhere in Jenkins.

            In this case I am not convinced there is a legitimate vulnerability anyway. Running a nested copy of withDockerContainer has no plausible meaning and can be disregarded. Some other (non-sh) steps may run Launcher in non-quiet mode, in which case the Decorator could be printing environment variables in plaintext. Generally speaking that is not considered a risk, since anything which binds genuine secrets to the environment (like withCredentials) should also be masking them against accidental disclosure, though we still prefer to use ArgumentListBuilder.addMasked just in case, as DockerClient.run does in this example.

            dnusbaum Devin Nusbaum added a comment -

            A fix for this issue was released in version 1.18 of the Docker Pipeline plugin. See the release notes on the plugin's wiki page for details.


              People

              • Assignee:
                jglick Jesse Glick
                Reporter:
                vkravets Vladimir Kravets