[JENKINS-22942] Job Import Plugin: Password field is cleartext - Jenkins Jira

XML

Word

Printable

Details

Type: Bug
Status: Resolved (View Workflow)
Priority: Blocker
Resolution: Fixed
Component/s: job-import-plugin
Labels:
- security
Environment:
RHEL6

Similar Issues:

Show

Description

Job import plugin has the "Passwor/API key" in cleartext. Contents of this field are stored on the server so anyone can see the password of the user that previously imported jobs via the plugin.

I understand that API keys are preferred to be in cleartext. So ideal solution may be to split this into two separate fields: Password that will be a real password field (with obscured input) and API key that will show the key in cleartext.

Attachments

Issue Links

is duplicated by

JENKINS-33307 Password not Masked when Importing from Secured Jenkins Instance

Resolved

links to

Activity

Ascending order - Click to sort in descending order

Alexandre Aubert added a comment - 2015-07-29 07:09

it's indeed really sad to display password as cleartext on 'import settings' page

Alexandre Aubert added a comment - 2015-07-29 07:09 it's indeed really sad to display password as cleartext on 'import settings' page

Sagayaraj David added a comment - 2015-08-21 05:37 - edited

If First user completes his Job import, and when the next user goes to http://myjenkins.com/job-import, he is clearly able to see first user's user name and password. If second user wishes, he can continue to use the first users credential and even hack anything with that credential. A serious issues on this plugin, needs immediate fix. May be clearing off the User and Password field with every new session is a good idea

Sagayaraj David added a comment - 2015-08-21 05:37 - edited If First user completes his Job import, and when the next user goes to http://myjenkins.com/job-import , he is clearly able to see first user's user name and password. If second user wishes, he can continue to use the first users credential and even hack anything with that credential. A serious issues on this plugin, needs immediate fix. May be clearing off the User and Password field with every new session is a good idea

gerhard6 added a comment - 2015-10-09 06:00

fully agree with David, just found a password of one of my colleagues, and likely several of my colleagues now know mine. At least at the GUI, this must be prevented.....

Anyone here to fix this as suggested by David ?

gerhard6 added a comment - 2015-10-09 06:00 fully agree with David, just found a password of one of my colleagues, and likely several of my colleagues now know mine. At least at the GUI, this must be prevented..... Anyone here to fix this as suggested by David ?

SCM/JIRA link daemon added a comment - 2016-04-01 09:18

Code changed in jenkins
User: Emilio Escobar
Path:
src/main/resources/org/jenkins/ci/plugins/jobimport/JobImportAction/index.jelly
http://jenkins-ci.org/commit/job-import-plugin/d3331c650b79e2aac6fc129ac9f044406ad5112b
Log:
Merge pull request #10 from qais-yousef/1.3-fix

~~JENKINS-33379~~ ~~JENKINS-22942~~ missing values inside textboxes

Compare: https://github.com/jenkinsci/job-import-plugin/compare/868e0cca7ed4...d3331c650b79

SCM/JIRA link daemon added a comment - 2016-04-01 09:18 Code changed in jenkins User: Emilio Escobar Path: src/main/resources/org/jenkins/ci/plugins/jobimport/JobImportAction/index.jelly http://jenkins-ci.org/commit/job-import-plugin/d3331c650b79e2aac6fc129ac9f044406ad5112b Log: Merge pull request #10 from qais-yousef/1.3-fix JENKINS-33379 JENKINS-22942 missing values inside textboxes Compare: https://github.com/jenkinsci/job-import-plugin/compare/868e0cca7ed4...d3331c650b79

Emilio Escobar added a comment - 2016-04-01 10:00

Fixed in 1.3.1

Emilio Escobar added a comment - 2016-04-01 10:00 Fixed in 1.3.1

People

Assignee:: Emilio Escobar

Reporter:: Pawel Defee

Votes:: 7 Vote for this issue

Watchers:: 13 Start watching this issue

Dates

Created:: 2014-05-09 08:04

Updated:: 2016-04-01 10:00

Resolved:: 2016-04-01 10:00