Jenkins / JENKINS-22942

Job Import Plugin: Password field is cleartext


Details

    Description

      Job import plugin has the "Password/API key" in cleartext. Contents of this field are stored on the server so anyone can see the password of the user that previously imported jobs via the plugin.

      I understand that API keys are preferred to be in cleartext. So the ideal solution may be to split this into two separate fields: Password that will be a real password field (with obscured input) and API key that will show the key in cleartext.


          Activity


            splashnenen Alexandre Aubert added a comment - it's indeed really sad to display password as cleartext on 'import settings' page
            sagayd Sagayaraj David added a comment - edited

            If the first user completes his job import, and the next user then goes to http://myjenkins.com/job-import, he is clearly able to see the first user's user name and password. If the second user wishes, he can continue to use the first user's credential and even hack anything with that credential. A serious issue in this plugin, needs immediate fix. Maybe clearing off the User and Password fields with every new session is a good idea.

            gerhard6 gerhard6 added a comment -

            Fully agree with David, just found a password of one of my colleagues, and likely several of my colleagues now know mine. At least at the GUI, this must be prevented.....

            Anyone here to fix this as suggested by David?


            scm_issue_link SCM/JIRA link daemon added a comment -

            Code changed in jenkins
            User: Emilio Escobar
            Path: src/main/resources/org/jenkins/ci/plugins/jobimport/JobImportAction/index.jelly
            http://jenkins-ci.org/commit/job-import-plugin/d3331c650b79e2aac6fc129ac9f044406ad5112b
            Log:
            Merge pull request #10 from qais-yousef/1.3-fix

            JENKINS-33379 JENKINS-22942 missing values inside textboxes

            Compare: https://github.com/jenkinsci/job-import-plugin/compare/868e0cca7ed4...d3331c650b79


            escoem Emilio Escobar added a comment - Fixed in 1.3.1
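
A check in the spirit of the suggestions in this thread, as an added example that is not the plugin's code or its fix: it scans a Jelly view for secret-looking fields rendered as `f:textbox` and flags any whose value is pre-filled from server-side state. The sample view and its field names are constructed for illustration.

```python
import re
import xml.etree.ElementTree as ET

FORM_NS = "/lib/form"  # Jenkins form tag library, conventionally bound to "f"
TEXTBOX = f"{{{FORM_NS}}}textbox"
ENTRY = f"{{{FORM_NS}}}entry"
SECRET_HINT = re.compile(r"pass(word|wd)?|secret|token|api.?key", re.I)

# Constructed sample view; field names are hypothetical, not the plugin's own.
SAMPLE_JELLY = """<?jelly escape-by-default='true'?>
<j:jelly xmlns:j="jelly:core" xmlns:f="/lib/form">
  <f:form method="post" action="query" name="import">
    <f:entry title="Remote Jenkins URL">
      <f:textbox name="remoteUrl" value="${it.remoteUrl}"/>
    </f:entry>
    <f:entry title="Username">
      <f:textbox name="username" value="${it.username}"/>
    </f:entry>
    <f:entry title="Password/API key">
      <f:textbox name="password" value="${it.password}"/>
    </f:entry>
  </f:form>
</j:jelly>
"""

def audit_jelly(source):
    """Return findings for secret-looking fields rendered as plain textboxes."""
    root = ET.fromstring(source)
    # ElementTree has no parent pointers, so build a child -> parent map
    # to read the title of the enclosing f:entry.
    parents = {child: parent for parent in root.iter() for child in parent}
    findings = []
    for box in root.iter(TEXTBOX):
        parent = parents.get(box)
        in_entry = parent is not None and parent.tag == ENTRY
        title = parent.get("title", "") if in_entry else ""
        name = box.get("name") or box.get("field") or ""
        if not SECRET_HINT.search(f"{name} {title}"):
            continue
        issues = ["rendered as f:textbox (input is not masked)"]
        if "${" in box.get("value", ""):
            # The stored value is written back into the page for any visitor.
            issues.append("value is pre-filled from server-side state")
        findings.append({"name": name, "title": title, "issues": issues})
    return findings

if __name__ == "__main__":
    for finding in audit_jelly(SAMPLE_JELLY):
        print(finding["name"], "->", "; ".join(finding["issues"]))
```

Replacing the flagged element with `f:password` and dropping the pre-filled value clears both findings for that field.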

            People

              escoem Emilio Escobar
              paweldefee Pawel Defee
              Votes: 7
              Watchers: 13
