-
Bug
-
Resolution: Duplicate
-
Major
-
None
-
Windows 7 Enterprise SP1 (x64)
Jenkins 1.450
EnvInject 1.20
Perforce 1.3.7
Mask Passwords 2.7.2
Originally reported as part of JENKINS-12423, I am reopening this as a separate defect at the author's request. My original defect report from that issue is as follows:
With Jenkins 1.450, Perforce plugin 1.3.7, EnvInject 1.17, and Mask Passwords 2.7.2, the Perforce passwords are being displayed in plain text on the "Injected Environment Variables" page. I have tried setting the passwords to be masked in the global Jenkins config as well as in the individual jobs, but nothing I have tried is masking the passwords.
In the case of the Perforce passwords, the issue was happening before I installed the Mask Passwords plugin (I only installed that in an attempt to hide the passwords). It seems that perhaps the Perforce plugin (and plugins for other source control systems?) are exposing the passwords in a way that the EnvInject plugin doesn't know to look for. I'm not sure where the best place to fix this is, or what the optimal fix should be, as I am not familiar with the Jenkins codebase or the code for any of the relevant plugins. However, the quicker a solution can be implemented, the happier I will be 
. Thanks!
After updating to EnvInject 1.20, the Perforce password is still being exposed (P4PASSWD variable) on the "Injected Environment Variables" page available on the left menu on each build. I suspect that this may require changes to both the EnvInject plugin and the Perforce plugin.
[JENKINS-12747] Perforce Passwords are exposed by the EnvInject plugin
Mike Winters
added a comment - The only place I am providing the P4PASSWD is in the Password parameter of the "Depot" section of the "Source Code Management" configuration in the job(s). I have tried typing the password as standard plain text, and also referencing it as ${MyPassword} with the password key/value pair specified in the global settings of the Mask Password plugin. In both of these scenarios, the full password is exposed in the link that the EnvInject plugin adds to the left hand links when viewing a job build.
Mike Winters
added a comment - The only place I am providing the P4PASSWD is in the Password parameter of the "Depot" section of the "Source Code Management" configuration in the job(s). I have tried typing the password as standard plain text, and also referencing it as ${MyPassword} with the password key/value pair specified in the global settings of the Mask Password plugin. In both of these scenarios, the full password is exposed in the link that the EnvInject plugin adds to the left hand links when viewing a job build. Does it show up if you provide no password at all? I suspect you may have it set in your node's environment.
Either way, the EnvInject plugin should be honoring the Mask Passwords plugin, which according to JENKINS-12423 it does already?
Mike Winters
added a comment - The password does not show up if I do not provide a password in the job config, but this also prevents me from logging in to my source code management system and polling for changes. However, the following "environment variables" are still exposed on the "Injected Environment Variables" page: P4CHARSET, P4CLIENT, P4PORT, P4USER. Of these, only P4CHARSET is actually defined as an environment variable in the operating system. The rest are coming from Jenkins or its plugins.
Mike Winters
added a comment - The password does not show up if I do not provide a password in the job config, but this also prevents me from logging in to my source code management system and polling for changes. However, the following "environment variables" are still exposed on the "Injected Environment Variables" page: P4CHARSET, P4CLIENT, P4PORT, P4USER. Of these, only P4CHARSET is actually defined as an environment variable in the operating system. The rest are coming from Jenkins or its plugins. I'm unable to reproduce this... If I uncheck the "Expose P4PASSWD in environment" option, it does not show up in the "Injected Environment variables" screen on subsequent builds. This is using envinject 1.20, perforce plugin 1.3.7, and jenkins 1.450.
In any case, there doesn't seem to be anything I can do from my end to 'tell' the EnvInject plugin that the environment variable should be kept secret. Instead I believe that the EnvInject plugin should operate similar to the Mask Passwords plugin.
For example, if a value is defined as secret (either through the mask passwords plugin or some other method) then the EnvInject plugin should mask ALL occurrences of that secret when displaying the environment variables, NOT just the values for the keys/properties in which they are defined.
Mike Winters
added a comment - I'm sorry that you're unable to reproduce the issue, but I've consistently been able to reproduce it with new jobs. I have also tried rolling back and reinstalling the EnvInject plugin, with no change in the results. If a solution can't be found, my only option will be to remove the EnvInject plugin, because I can't continue to let it expose passwords the way it is doing now. I don't want to go that route, as it will make some other configuration settings more difficult.
Mike Winters
added a comment - I'm sorry that you're unable to reproduce the issue, but I've consistently been able to reproduce it with new jobs. I have also tried rolling back and reinstalling the EnvInject plugin, with no change in the results. If a solution can't be found, my only option will be to remove the EnvInject plugin, because I can't continue to let it expose passwords the way it is doing now. I don't want to go that route, as it will make some other configuration settings more difficult. Mike Winters
added a comment - On further investigation, it appears that the password that the EnvInject 1.20 plugin is exposing is NOT coming from the Perforce plugin, but from the global password defined with the Mask Password plugin (Jenkins->Manage Jenkins->Configure System->Mask Passwords - Global name/password pairs). The Perforce plugin/EnvInject plugin are still showing P4CLIENT, P4PORT, and P4USER, but I'm not too worried about exposing those.
Mike Winters
added a comment - On further investigation, it appears that the password that the EnvInject 1.20 plugin is exposing is NOT coming from the Perforce plugin, but from the global password defined with the Mask Password plugin (Jenkins->Manage Jenkins->Configure System->Mask Passwords - Global name/password pairs). The Perforce plugin/EnvInject plugin are still showing P4CLIENT, P4PORT, and P4USER, but I'm not too worried about exposing those. Mike Winters
added a comment - I'm closing this defect and re-opening JENKINS-12423. Thanks for helping me to investigate this issue.
Mike Winters
added a comment - I'm closing this defect and re-opening JENKINS-12423 . Thanks for helping me to investigate this issue. 
I'm not entirely sure how that's possible. When that option is unchecked, the P4PASSWD environment variable isn't provided to anything but the launcher used to execute P4 commands. EnvInject shouldn't be able to read it at all in that instance.
Are you providing P4PASSWD as a build parameter or through envinject?