Uploaded image for project: 'Jenkins'
  1. Jenkins
  2. JENKINS-22942

Job Import Plugin: Password field is cleartext

XMLWordPrintable

      Job import plugin has the "Passwor/API key" in cleartext. Contents of this field are stored on the server so anyone can see the password of the user that previously imported jobs via the plugin.

      I understand that API keys are preferred to be in cleartext. So ideal solution may be to split this into two separate fields: Password that will be a real password field (with obscured input) and API key that will show the key in cleartext.

          [JENKINS-22942] Job Import Plugin: Password field is cleartext

          Alexandre Aubert added a comment -

          it's indeed really sad to display password as cleartext on 'import settings' page

          Alexandre Aubert added a comment - it's indeed really sad to display password as cleartext on 'import settings' page

          Sagayaraj David added a comment - - edited

          If First user completes his Job import, and when the next user goes to http://myjenkins.com/job-import, he is clearly able to see first user's user name and password. If second user wishes, he can continue to use the first users credential and even hack anything with that credential. A serious issues on this plugin, needs immediate fix. May be clearing off the User and Password field with every new session is a good idea

          Sagayaraj David added a comment - - edited If First user completes his Job import, and when the next user goes to http://myjenkins.com/job-import , he is clearly able to see first user's user name and password. If second user wishes, he can continue to use the first users credential and even hack anything with that credential. A serious issues on this plugin, needs immediate fix. May be clearing off the User and Password field with every new session is a good idea

          gerhard6 added a comment -

          fully agree with David, just found a password of one of my colleagues, and likely several of my colleagues now know mine. At least at the GUI, this must be prevented.....

          Anyone here to fix this as suggested by David ?

          gerhard6 added a comment - fully agree with David, just found a password of one of my colleagues, and likely several of my colleagues now know mine. At least at the GUI, this must be prevented..... Anyone here to fix this as suggested by David ?

          SCM/JIRA link daemon added a comment -

          Code changed in jenkins
          User: Emilio Escobar
          Path:
          src/main/resources/org/jenkins/ci/plugins/jobimport/JobImportAction/index.jelly
          http://jenkins-ci.org/commit/job-import-plugin/d3331c650b79e2aac6fc129ac9f044406ad5112b
          Log:
          Merge pull request #10 from qais-yousef/1.3-fix

          JENKINS-33379 JENKINS-22942 missing values inside textboxes

          Compare: https://github.com/jenkinsci/job-import-plugin/compare/868e0cca7ed4...d3331c650b79

          SCM/JIRA link daemon added a comment - Code changed in jenkins User: Emilio Escobar Path: src/main/resources/org/jenkins/ci/plugins/jobimport/JobImportAction/index.jelly http://jenkins-ci.org/commit/job-import-plugin/d3331c650b79e2aac6fc129ac9f044406ad5112b Log: Merge pull request #10 from qais-yousef/1.3-fix JENKINS-33379 JENKINS-22942 missing values inside textboxes Compare: https://github.com/jenkinsci/job-import-plugin/compare/868e0cca7ed4...d3331c650b79

          Emilio Escobar added a comment -

          Fixed in 1.3.1

          Emilio Escobar added a comment - Fixed in 1.3.1

            escoem Emilio Escobar
            paweldefee Pawel Defee
            Votes:
            7 Vote for this issue
            Watchers:
            13 Start watching this issue

              Created:
              Updated:
              Resolved: