-
Bug
-
Resolution: Fixed
-
Critical
-
1.89 in 1.554.2
If you have a BuildWrapper which overrides makeSensitiveBuildVariables to specify that its additions are to be considered secret, then add an EnvInjectBuilder which adds some unrelated variables, injectedEnvVars.txt includes the sensitive variables (in plaintext) and /job/.../.../injectedEnvVars/ shows them as well.
- is blocking
-
-
- Resolved
-
- is related to
-
-
- Closed
-
-
-
- Resolved
-
-
-
- Resolved
-
[JENKINS-23447] Sensitive build variables recorded in EnvInjectSavable and displayed in EnvInjectAction
| Link |
New:
This issue is blocking |
Even more insidious than I originally thought: the problem occurs even if the job makes no mention of EnvInject. The plugin merely needs to be enabled.
Walter Kacynski
added a comment - Do you have any indication of how long it would take to correct this? We have a number or projects that are held up waiting for this vulnerability to be corrected. Thank-You.
Walter Kacynski
added a comment - Do you have any indication of how long it would take to correct this? We have a number or projects that are held up waiting for this vulnerability to be corrected. Thank-You. | Link |
New:
This issue is related to |
| Link |
New:
This issue is related to |
Steven Christou
added a comment - ndeloof solved it as part of d50c5a Steven Christou
made changes -
| Assignee | Original: Gregory Boissinot [ gbois ] | New: Nicolas De Loof [ ndeloof ] |
| Resolution | New: Fixed [ 1 ] | |
| Status | Original: Open [ 1 ] | New: Resolved [ 5 ] |
Code changed in jenkins
User: Nicolas De Loof
Path:
src/main/java/org/jenkinsci/lib/envinject/EnvInjectAction.java
http://jenkins-ci.org/commit/envinject-lib/e181ac473a9ea3d8b531ff0f061e7ca7071f7d87
Log:
JENKINS-23447 only mask sensible data when injectedEnvVars.txt is persisted or exposed on UI
For example install the Credentials Binding plugin (1.0 just released), create a global username/password credentials, then make a job binding those credentials to $AUTH, and add an EnvInject build step adding some other variable, and a shell step running env. Both variables will be set correctly, but injectedEnvVars will show AUTH=user:pass in cleartext despite build.getSensitiveBuildVariables().contains("AUTH").