Password masked by Mask Passwords are visible when using envinject plugin

      If I use the mask-passwords plugin to create a masked password, and also use the envinject plugin to setup an environment, the masked password is visible from the "Injected Environment Variables" link for each build.

          [JENKINS-12423] Password masked by Mask Passwords are visible when using envinject plugin

          Code changed in jenkins
          User: fchabanois
          Path:
          src/main/java/org/jenkinsci/plugins/envinject/service/EnvInjectVariableGetter.java
          http://jenkins-ci.org/commit/envinject-plugin/617aa5ee13baea71c2dfe9c52a644e82dfba5d42
          Log:
          Fixed JENKINS-12423

          Code changed in jenkins
          User: Florence.Chabanois
          Path:
          src/main/java/org/jenkinsci/plugins/envinject/EnvInjectListener.java
          src/main/java/org/jenkinsci/plugins/envinject/service/EnvInjectVariableGetter.java
          http://jenkins-ci.org/commit/envinject-plugin/a33b4167582f6b244d45ad5ea57da77f5e2cbc12
          Log:
          Fix JENKINS-12423

          Code changed in jenkins
          User: Florence.Chabanois
          Path:
          src/main/java/org/jenkinsci/plugins/envinject/EnvInjectListener.java
          src/main/java/org/jenkinsci/plugins/envinject/service/EnvInjectVariableGetter.java
          http://jenkins-ci.org/commit/envinject-plugin/72951ad6bd722fe908ba58c0f05e64ae70fa22d2
          Log:
          Fix JENKINS-12423

          Mike Winters added a comment -

          With Jenkins 1.450, Perforce plugin 1.3.7, EnvInject 1.17, and Mask Passwords 2.7.2, the Perforce passwords are being displayed in plain text on the "Injected Environment Variables" page. I have tried setting the passwords to be masked in the global Jenkins config as well as in the individual jobs, but nothing I have tried is masking the passwords.

          Mike Winters added a comment -

          Re-opening due to non-masking of Perforce passwords.

          Gregory Boissinot added a comment -

          I tested and I have reproduced the problem with the EnvInject and the mask-passwords plugins.

          Native password parameters (provided by Jenkins core) are masked.
          However, passwords provided by the mask-passwords plugin are visible.

          The problem is that the mask-passwords plugin uses custom password parameters (labeled Non stored password) and the envinject plugin is not aware of this specific new type.
          Technically, the mask-passwords plugin uses the class 'com.michelin.cio.hudson.plugins.passwordparam.PasswordParameterValue' and the envinject plugin is not aware of this class.
          We know if it is a password parameter only by the class itself and not by an inherited property set to a specific value (such as boolean).
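
The failure mode described in the comment above, as an added example that is not part of the original thread and not code from either plugin: a display routine that masks only the password classes it knows shows the value of any other password type in clear text, while a check on an inherited property covers types it has never seen. All class, method and variable names are hypothetical and the values are constructed.

```java
import java.util.Arrays;
import java.util.LinkedHashMap;
import java.util.List;
import java.util.Map;

// Simplified model with hypothetical types; this is not the Jenkins or plugin API.
public class MaskingDemo {

    // Base type that every parameter value extends.
    static class ParamValue {
        final String name;
        final String value;
        ParamValue(String name, String value) { this.name = name; this.value = value; }
        // Inherited property: subclasses that carry secrets override this.
        boolean isSensitive() { return false; }
    }

    // Password type that the display code was written against.
    static class CorePasswordValue extends ParamValue {
        CorePasswordValue(String name, String value) { super(name, value); }
        @Override boolean isSensitive() { return true; }
    }

    // Password type contributed by another plugin; the display code has no reference to it.
    static class ThirdPartyPasswordValue extends ParamValue {
        ThirdPartyPasswordValue(String name, String value) { super(name, value); }
        @Override boolean isSensitive() { return true; }
    }

    static final String MASK = "********";

    // Class-based check: only the known class is masked, every other type fails open.
    static Map<String, String> renderByClass(List<ParamValue> params) {
        Map<String, String> out = new LinkedHashMap<>();
        for (ParamValue p : params) {
            out.put(p.name, (p instanceof CorePasswordValue) ? MASK : p.value);
        }
        return out;
    }

    // Property-based check: any type that declares itself sensitive is masked.
    static Map<String, String> renderByProperty(List<ParamValue> params) {
        Map<String, String> out = new LinkedHashMap<>();
        for (ParamValue p : params) {
            out.put(p.name, p.isSensitive() ? MASK : p.value);
        }
        return out;
    }

    public static void main(String[] args) {
        // Constructed sample parameters, not taken from the issue.
        List<ParamValue> params = Arrays.asList(
            new ParamValue("BRANCH", "main"),
            new CorePasswordValue("CORE_PASS", "constructed-secret-1"),
            new ThirdPartyPasswordValue("PLUGIN_PASS", "constructed-secret-2"));

        System.out.println("class-based:    " + renderByClass(params));
        System.out.println("property-based: " + renderByProperty(params));
    }
}
```

The class-based renderer leaves `PLUGIN_PASS` unmasked because its type is not the one it checks for; the property-based renderer masks both password entries.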

          Mike Winters added a comment -

          In the case of the Perforce passwords, the issue was happening before I installed the Mask Passwords plugin (I only installed that in an attempt to hide the passwords). It seems that perhaps the Perforce plugin (and plugins for other source control systems?) are exposing the passwords in a way that the EnvInject plugin doesn't know to look for. I'm not sure where the best place to fix this is, or what the optimal fix should be, as I am not familiar with the Jenkins codebase or the code for any of the relevant plugins. However, the quicker a solution can be implemented, the happier I will be. Thanks!

          Code changed in jenkins
          User: Gregory Boissinot
          Path:
          src/main/java/org/jenkinsci/plugins/envinject/EnvInjectListener.java
          src/main/java/org/jenkinsci/plugins/envinject/service/EnvInjectVariableGetter.java
          http://jenkins-ci.org/commit/envinject-plugin/a7a11d9ca6ad9ca109b0a601aae7b3b5e2309d56
          Log:
          Fix JENKINS-12423

          Gregory Boissinot added a comment - - edited

          I provided a hack on my envinject plugin to fix this issue.
          This tip should work in most cases.
          I tested with mask-passwords plugin combined with the envinject plugin, it seems to be OK.

          Regarding the perforce plugin, I don't know and I don't have this tool. And due to the complexity of its installation, I have not
          tested with the perforce plugin.

          If the issue persists with only the perforce plugin (it's ok with the envinject and the mask-passwords plugin), reopen it with only the perforce component.

          Mike Winters added a comment -

          From JENKINS-12747:
          On further investigation, it appears that the password that the EnvInject 1.20 plugin is exposing is NOT coming from the Perforce plugin, but from the global password defined with the Mask Password plugin (Jenkins->Manage Jenkins->Configure System->Mask Passwords - Global name/password pairs). The Perforce plugin/EnvInject plugin are still showing P4CLIENT, P4PORT, and P4USER, but I'm not too worried about exposing those.

          Gregory Boissinot added a comment -

          You're right.
          I forgot to test global passwords with the mask-passwords plugin.
          However job password parameters (in the core and in the core passwords plugin) work as expected in the envinject plugin.

          I looked at the code. It's a big issue.
          Does it suit you if you manage global passwords by the EnvInject plugin? In my opinion, managing passwords directly in the envinject plugin is the best way to deal with this issue.

          Code changed in jenkins
          User: Gregory Boissinot
          Path:
          src/main/java/org/jenkinsci/plugins/envinject/EnvInjectGlobalPasswordEntry.java
          src/main/java/org/jenkinsci/plugins/envinject/EnvInjectGlobalPasswordWrapper.java
          src/main/java/org/jenkinsci/plugins/envinject/EnvInjectListener.java
          src/main/java/org/jenkinsci/plugins/envinject/EnvInjectNodeProperty.java
          src/main/java/org/jenkinsci/plugins/envinject/service/EnvInjectGlobalPasswordRetriever.java
          src/main/resources/org/jenkinsci/plugins/envinject/EnvInjectNodeProperty/global.jelly
          src/main/resources/org/jenkinsci/plugins/envinject/EnvInjectNodeProperty/help-name.html
          src/main/resources/org/jenkinsci/plugins/envinject/EnvInjectNodeProperty/help-password.html
          src/main/resources/org/jenkinsci/plugins/envinject/Messages.properties
          src/main/webapp/help-buildWrapperGlobalPasswords.html
          http://jenkins-ci.org/commit/envinject-plugin/9bbe67a0f9cb48c511d679724fb857e6e6e8cd53
          Log:
          Add the ability to inject global passwords in the EnvInject plugin
          Fix JENKINS-12423

          Compare: https://github.com/jenkinsci/envinject-plugin/compare/842c9d5...9bbe67a

          Gregory Boissinot added a comment -

          Using passwords by the envinject plugin should fix the issue.

          Walter Kacynski added a comment -

          I'm trying to work thru this issue as well but I can't seem to find the necessary options to hide this information from the Injected Environment Variables screen. I also found JENKINS-12161 and linked that in, but it doesn't seem to make a difference.

          Gregory Boissinot added a comment -

          In Manage Jenkins > Configure System
          Add global password

          Then, in the job configuration page
          in the Build environment section, check 'Inject global passwords as environment variables'

          Natalia Naumova added a comment -

          jenkins 1.463
          Envinject 1.50
          mask-password 2.7.2
          still reproducible

          Gregory Boissinot added a comment -

          There is an incompatibility between the maskpassword plugin and the envinject jenkins plugin. Both can't interact. MaskPassword provides its own class and EnvInject can't retrieve them dynamically.
          With the fix, EnvInject plugin incorporates all features of the Mask password plugin.
          You no longer need the maskpasswords plugin. For now, you inject password variables (global passwords - aka for all jobs, and job password) with only the EnvInject plugin.

          Process in your job configuration,
          > Build Environment > Inject passwords to the build as environment variables

          Natalia Naumova added a comment - - edited

          Gregory- thanks for the explanation, but it doesn't work for me.
          I tried to use 'Build Environment > Inject passwords to the build as environment variables' configuration, but the passwords are still displayed in plain text on the "Injected Environment Variables" page.
          How can I hide them there? It's really a very important thing for us..

          P.S.: they are masked on console page though.
          P.P.S.: noticed that they are visible only when the job is running. When the job is finished, the password variable is displayed like a hash. Is it secure?

          Code changed in jenkins
          User: Gregory Boissinot
          Path:
          src/main/resources/org/jenkinsci/plugins/envinject/EnvInjectVarList/index.jelly
          http://jenkins-ci.org/commit/envinject-plugin/aa6061cd7880be3ba205249d3a7b2a66605280af
          Log:
          Fix JENKINS-12423 complement
          No display environment variables when the job is building (enable to mask password)

          Compare: https://github.com/jenkinsci/envinject-plugin/compare/4c3e2de...aa6061c

          Gregory Boissinot added a comment -

          You're right.
          Environment variables were displayed when the job is running and password variables were not masked.
          All env vars are hidden for now when the job is running.
          It should fix your issue.
          Then, displayed values are encrypted. The hash value displayed is an encrypted value.

          Natalia Naumova added a comment -

          Gregory, thank you very much for your quick help.
          Looking forward to trying it when the new version of the plugin is released.

          Gregory Boissinot added a comment - It is already released. Please upgrade to 1.52 http://maven.jenkins-ci.org:8081/content/repositories/releases/org/jenkins-ci/plugins/envinject/1.52/

          Walter Kacynski added a comment - - edited

          Running EnvInject 1.62 and Jenkins 1.473 and I'm still having an issue trying to get this to work. It seems that when using a parametrized build, the "password" type field is not being masked. If I use the masked password plugin the console output is correctly masked, but the unencrypted password ALWAYS shows on the Injected environment variables screen.

          Gregory Boissinot added a comment -

          @Walter
          It seems you are using the maskpassword plugin via a parameterized type.
          This plugin is not compatible with EnvInject plugin.
          Mask-password capabilities within EnvInject should be sufficient for your need.
          You have to use Build Environment > Inject passwords to the build as environment variables

          Walter Kacynski added a comment -

          I just want to clarify, I thought that a password parameter is from an Out-of-the-box Jenkins installation. I don't have the mask passwords plugin enabled.

          Gregory Boissinot added a comment -

          If you don't use the maskpassword plugin, your comment is inappropriate in this issue.
          Please make a new issue?
          Thanks

          Gregory Boissinot added a comment -

          This issue with the mask-password plugin is fixed.

          Walter Kacynski added a comment -

          Agreed, sorry for the confusion, I will give 1.65 a try.

          Walter Kacynski added a comment -

          Version 1.65 is working as I would expect it. Thank-You!

            gbois Gregory Boissinot
            rmyung Roger Myung