JENKINS-56731

Credentials password details can show in output with creds and mask plugins

    Details

    • Type: Bug
    • Status: Closed
    • Priority: Major
    • Resolution: Not A Defect

      Description

      Using the latest released components, a user can show password details in the output using a DSL pipeline job. Fragments can be used to construct the password from the output using the unorthodox job method below.


      How to reproduce

      1. Create a username/password credential with id cred_user_id
      e.g.
      store (Jenkins) --> Domain (DevOps) --> Id cred_user_id
      Username: cred_user
      Password: userxPass~3&XX?yy%9

      2. Create a DSL pipeline job as below

      Pipeline Code
      ======================

      pipeline {
          agent { label 'master' }

          environment {
              MY_CREDENTIAL = credentials('cred_user_id')
          }

          stages {
              stage('Do: Something') {
                  steps {
                      // Groovy double-quoted strings substitute the secret into the script text
                      // before the shell runs it, so shell metacharacters in the value are live
                      sh "echo ${MY_CREDENTIAL}"
                      sh "echo ${MY_CREDENTIAL_USR}:${MY_CREDENTIAL_PSW}"
                  }
              }
          }
      }

      3. Run; the output (below) shows the username masked but the password details unmasked

      [Pipeline] sh
      + 'XX?yy%9'
      + echo ****:userxPass~3
      ****:userxPass~3
      /var/lib/jenkins/jobs/NRP/jobs/9-DevOps-Support/jobs/jenkins_bug/workspace@tmp/durable-865f9359/script.sh: line 1: XX?yy%9: command not found

      Log Output
      ===========================================
      Started by user Jim Zarakis
      Running in Durability level: MAX_SURVIVABILITY
      [Pipeline] Start of Pipeline

      [Pipeline] node
      Running on Jenkins in /var/lib/jenkins/jobs/NRP/jobs/9-DevOps-Support/jobs/jenkins_bug/workspace
      [Pipeline] {
      [Pipeline] withCredentials
      Masking only exact matches of $MY_CREDENTIAL or $MY_CREDENTIAL_USR or $MY_CREDENTIAL_PSW
      [Pipeline] {
      [Pipeline] stage
      [Pipeline] { (Do: Something)
      [Pipeline] sh
      + 'XX?yy%9'
      + echo ****:userxPass~3
      ****:userxPass~3
      /var/lib/jenkins/jobs/NRP/jobs/9-DevOps-Support/jobs/jenkins_bug/workspace@tmp/durable-865f9359/script.sh: line 1: XX?yy%9: command not found
      [Pipeline] }

      [Pipeline] // stage
      [Pipeline] }
      [Pipeline] // withCredentials
      [Pipeline] }
      [Pipeline] // node
      [Pipeline] End of Pipeline
      ERROR: script returned exit code 127
      Finished: FAILURE

          Activity

          Daniel Beck added a comment -

          Masking attempts to prevent accidental disclosure of credentials. It's trivial to bypass and always will be, necessarily. See https://jenkins.io/blog/2019/02/21/credentials-masking/

          This case however is simply a lack of proper escaping of user input in a Groovy string that gets interpreted as a shell script. The ampersand character is a shell metacharacter and gets interpreted as such. Use single quotes, see the Pipeline docs.

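Daniel Beck's point above, and the double-quoted sh steps in the reproduction, as an added example that is not code from this issue or from the Jenkins project: a POSIX sh script that models what the shell receives under Groovy interpolation versus shell expansion, then applies an exact-match mask like the one the log announces. The password value is the one from the report; the mask_exact, run_groovy_interpolated, run_shell_expanded and leaks_secret functions are assumptions of this example, not Jenkins code.

```shell
#!/bin/sh
# Added example (not from the Jenkins issue or the Jenkins project). It models
# the two ways the sh step can reach the credential and runs a Jenkins-style
# exact-match mask over the output. The password is the value from the report.
MY_CREDENTIAL_PSW='userxPass~3&XX?yy%9'
export MY_CREDENTIAL_PSW

# Jenkins masks only exact matches of the whole credential value (see the
# "Masking only exact matches" log line). awk's index() replaces it literally,
# so metacharacters in the value are not a problem for the masker itself.
mask_exact() {
  awk -v s="$MY_CREDENTIAL_PSW" '{
    while ((i = index($0, s)) > 0)
      $0 = substr($0, 1, i - 1) "****" substr($0, i + length(s))
    print
  }'
}

# Groovy double quotes: ${MY_CREDENTIAL_PSW} is substituted into the script
# text before the shell runs it. The shell then sees a bare '&': it backgrounds
# "echo userxPass~3" and tries to run "XX?yy%9" as a command, so the secret
# reaches the log in fragments that never match the full value.
run_groovy_interpolated() {
  script="echo ${MY_CREDENTIAL_PSW}"       # what Groovy hands to sh
  sh -c "$script" 2>&1 | mask_exact
}

# Groovy single quotes: the script text is passed verbatim and the shell
# expands the exported variable itself; the inner double quotes keep the value
# a single word, so the whole secret is on one line and is masked.
run_shell_expanded() {
  script='echo "$MY_CREDENTIAL_PSW"'        # what Groovy hands to sh
  sh -c "$script" 2>&1 | mask_exact
}

# True (exit 0) when any unmasked fragment of the password survives in $1.
leaks_secret() {
  case "$1" in *userxPass*|*yy%9*) return 0 ;; esac
  return 1
}

echo '--- Groovy interpolation (fragments leak) ---'
run_groovy_interpolated
echo '--- shell expansion (exact match masked) ---'
run_shell_expanded
```

Masking stays best-effort either way; the durable fix is to let the shell expand the variable and to avoid echoing credential values at all.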

            People

            • Assignee: Unassigned
            • Reporter: Jim Zarakis
            • Votes: 1
            • Watchers: 2
