• Bug
    • Resolution: Fixed
    • Critical
    • accurev-plugin
    • None
    • windows

      When an accurev command fails, it displays the user's password in plain text. You can see below that the password is properly obscured (with asterisks) when the authentication takes place.

      Unfortunately, the password is actually displayed in the fatal network error line. Note that I manually changed it to ^^^^ when I pasted the text into this bug report.

      Error text:

      Started by user anonymous
      Building remotely on TestReport in workspace D:\jenkins-slave\workspace\Test_Report_06_04_00_Budgeting_kvh223_WFOP_Macys_ora
      Purging workspace...
      Workspace purged.
      Setting ACCUREV_HOME to "D:\jenkins-slave\workspace"
      Authenticating with Accurev server...
      [Test_Report_06_04_00_Budgeting_kvh223_WFOP_Macys_ora] $ "C:\Program Files (x86)\AccuRev\bin\accurev.exe" login -H engaccurev:5051 tim.johnston ********
      FATAL: network error - Can't connect to engaccurev.kronos.com for accurev: The operation completed successfully.
      Attempt to contact AccuRev server on engaccurev port 5051 failed.
      Giving up.
      AccuRev Error: 1

      FATAL: login ("C:\Program Files (x86)\AccuRev\bin\accurev.exe" login -H engaccurev:5051 tim.johnston ^^^^^^^) failed with exit code 1
      Archiving artifacts
      Recording test results
      Notifying upstream projects of job completion
      Finished: FAILURE

          [JENKINS-13817] Jenkins Displays Accurev Password in Logs

          David Simmon added a comment -

          I too have found this password unmasked in the emails that are sent. I've never used GitHub, so I don't know if this is something I can look for, and submit a bug fix too, but I wanted to add where I was seeing this issue.

          We had a network connectivity issue, and when it sent an email that the build failed it included the command that was executed twice. The first time it masked the password.
          Authenticating with Accurev server...
          [workspace] $ "C:\Program Files (x86)\AccuRev\bin\accurev.exe" login -H ACCUREVSERVERNAME:5050 dsimmon ********

          Then at the bottom of the email it dumped out the full command with the password unmasked.
          FATAL: login ("C:\Program Files (x86)\AccuRev\bin\accurev.exe" login -H ACCUREVSERVERNAME:5050 dsimmon UNMASKEDPASSWORDWASDISPLAYEDHERE) failed with exit code 1


          Joseph Petersen (old) added a comment -

          PR #28 includes a fix that will mask the password

          SCM/JIRA link daemon added a comment -

          Code changed in jenkins
          User: Joseph
          Path:
          src/main/java/hudson/plugins/accurev/AccurevLauncher.java
          src/main/java/hudson/plugins/accurev/AccurevPlugin.java
          src/main/java/hudson/plugins/accurev/AccurevSCM.java
          src/main/java/hudson/plugins/accurev/AccurevStream.java
          src/main/java/hudson/plugins/accurev/AccurevTransaction.java
          src/main/java/hudson/plugins/accurev/ParseChangeLog.java
          src/main/java/hudson/plugins/accurev/UUIDUtils.java
          src/main/java/hudson/plugins/accurev/cmd/Login.java
          src/main/java/hudson/plugins/accurev/cmd/PopulateCmd.java
          src/main/java/hudson/plugins/accurev/cmd/ShowStreams.java
          src/main/java/hudson/plugins/accurev/delegates/AbstractModeDelegate.java
          src/main/java/hudson/plugins/accurev/delegates/ReftreeDelegate.java
          src/main/java/hudson/plugins/accurev/delegates/SnapshotDelegate.java
          src/main/java/hudson/plugins/accurev/delegates/WorkspaceDelegate.java
          src/main/java/hudson/plugins/accurev/parsers/xml/ParseShowStreams.java
          src/main/java/hudson/plugins/jetty/security/Password.java
          src/main/resources/hudson/plugins/accurev/AccurevSCM/config.jelly
          src/main/resources/hudson/plugins/accurev/AccurevSCM/global.jelly
          http://jenkins-ci.org/commit/accurev-plugin/b8296bb9c55c924f48c91356fe9ba7d9e35d4298
          Log:
          Merged PR #28 from casz/master

          JENKINS-28118 Fixed poll on ancestor

          Poll failed searching in parents when “Show one stream at a time” was
          checked.
          Fixed regression in PR #25

          • Improved logic for Workspace

          Was not working with “One stream at a time” settings.

          • Fixed Change log on Ignore Parent

          getChangesFromStreams did not respect Ignore Stream Parent.

          • Fixed getStreamRules.

          IgnoreStreamParent should be the first to be considered, then One
          Stream at a time on server, then find all streams.

          JENKINS-31316 Fixed server rename

          Introduced unique identifiers, also added a migrator to ensure best
          compatibility moving forward.

          • Fixed backwards compatibility

          Made the Server UUID change fully backwards compatibility :tada:

          JENKINS-13817 Mask the damn password already

          I cannot believe this has been open since 2012...

          • StringUtils used
          • Allow empty password even with OBF
          • Javadoc and removed unused migrate field

          JENKINS-24710 filter out dispatch transactions

          These usually originate from accurev sync.

          • PR #24 fix PollOnMaster enabled when build using workspace

          builds that use workspace or reftree definitely requires workspace even
          if PollOnMaster enabled.

          Joseph Petersen (old) added a comment -

          This should be fixed in the latest version. If they start to reappear, please reopen.
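
          Added example, not code from accurev-plugin or from PR #28: one way the symptom reported above can arise (the command echo is masked, but the failure message is rebuilt from the raw arguments) next to a form where both paths share a single masked rendering. The class and method names (MaskedCommand, leakyFailure, safeFailure) are hypothetical and the password is a constructed sample value.

```java
import java.util.ArrayList;
import java.util.List;

// Illustration only; MaskedCommand is a hypothetical class, not plugin code.
public class MaskedCommand {
    private final List<String> args = new ArrayList<>();
    private final List<Boolean> secret = new ArrayList<>();

    public MaskedCommand add(String arg)       { args.add(arg); secret.add(false); return this; }
    public MaskedCommand addSecret(String arg) { args.add(arg); secret.add(true);  return this; }

    // Real argv: handed only to the process launcher, never to a logger.
    public List<String> toArgv() { return new ArrayList<>(args); }

    // The only printable form. Secrets become a fixed-width mask, so the
    // output does not reveal the password length either.
    @Override
    public String toString() {
        StringBuilder sb = new StringBuilder();
        for (int i = 0; i < args.size(); i++) {
            if (i > 0) sb.append(' ');
            String a = secret.get(i) ? "********" : args.get(i);
            sb.append(a.indexOf(' ') >= 0 ? "\"" + a + "\"" : a);
        }
        return sb.toString();
    }

    // Leaky pattern (assumed cause): the error text is built from raw argv.
    static String leakyFailure(MaskedCommand c, int exit) {
        return "FATAL: login (" + String.join(" ", c.toArgv()) + ") failed with exit code " + exit;
    }

    // Hardened: the failure path uses the same masked rendering as the echo.
    static String safeFailure(MaskedCommand c, int exit) {
        return "FATAL: login (" + c + ") failed with exit code " + exit;
    }

    public static void main(String[] unused) {
        String pw = "constructed-sample-password"; // constructed value
        MaskedCommand c = new MaskedCommand()
            .add("C:\\Program Files (x86)\\AccuRev\\bin\\accurev.exe").add("login")
            .add("-H").add("ACCUREVSERVERNAME:5050").add("dsimmon").addSecret(pw);
        System.out.println("$ " + c);          // masked echo
        System.out.println(safeFailure(c, 1)); // masked failure line
        if (safeFailure(c, 1).contains(pw) || !leakyFailure(c, 1).contains(pw))
            throw new AssertionError("masking check failed");
    }
}
```

          Keeping the secret flag on the argument itself means every consumer of the printable form (console log, exception message, notification email) gets the mask without having to remember to apply it.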

            jetersen Joseph Petersen
            timjohnston tim johnston
            Votes: 3
            Watchers: 6