JENKINS-23447: Sensitive build variables recorded in EnvInjectSavable and displayed in EnvInjectAction

Description

If you have a BuildWrapper which overrides makeSensitiveBuildVariables to specify that its additions are to be considered secret, then add an EnvInjectBuilder which adds some unrelated variables, injectedEnvVars.txt includes the sensitive variables (in plaintext) and /job/.../.../injectedEnvVars/ shows them as well.

Activity

Jesse Glick (jglick) created issue

Jesse Glick (jglick) added a comment:

For example, install the Credentials Binding plugin (1.0 just released), create global username/password credentials, then make a job binding those credentials to $AUTH, add an EnvInject build step adding some other variable, and a shell step running env. Both variables will be set correctly, but injectedEnvVars will show AUTH=user:pass in cleartext despite build.getSensitiveBuildVariables().contains("AUTH").
Jesse Glick (jglick) made changes:
Link: This issue is blocking JENKINS-23630
Jesse Glick (jglick) added a comment:

Even more insidious than I originally thought: the problem occurs even if the job makes no mention of EnvInject. The plugin merely needs to be enabled.
Walter Kacynski (walterk82) added a comment:

Do you have any indication of how long it would take to correct this? We have a number of projects that are held up waiting for this vulnerability to be corrected. Thank you.
Jesse Glick (jglick) made changes:
Link: This issue is related to JENKINS-24287
Link: This issue is related to JENKINS-4428
Steven Christou (schristou) added a comment:

Nicolas De Loof solved it as part of d50c5a
Steven Christou (schristou) made changes:
Assignee: Gregory Boissinot (gbois) changed to Nicolas De Loof (ndeloof)
Resolution: Fixed
Status: Open changed to Resolved
SCM/JIRA link daemon (scm_issue_link) added a comment:

Code changed in jenkins
User: Nicolas De Loof
Path:
src/main/java/org/jenkinsci/lib/envinject/EnvInjectAction.java
http://jenkins-ci.org/commit/envinject-lib/e181ac473a9ea3d8b531ff0f061e7ca7071f7d87
Log:
JENKINS-23447 only mask sensible data when injectedEnvVars.txt is persisted or exposed on UI
SCM/JIRA link daemon (scm_issue_link) added a comment:

Code changed in jenkins
User: Nicolas De Loof
Path:
pom.xml
src/main/java/org/jenkinsci/plugins/envinject/EnvInjectAction.java
src/main/java/org/jenkinsci/plugins/envinject/EnvInjectPluginAction.java
http://jenkins-ci.org/commit/envinject-plugin/d3e2b61c7e858a6f34ec17a40a575e1a82d1274f
Log:
JENKINS-23447 only mask sensible data when displayed on UI or persisted on disk
Denis Shvedchenko (dshvedchenko) added a comment:

If the project does not have sensitive variables, it raises an NPE:

ERROR: Failed to record SCM polling for hudson.model.FreeStyleProject@105707ef[*************]
java.lang.NullPointerException
at org.jenkinsci.plugins.envinject.EnvInjectPluginAction$1.transformEntry(EnvInjectPluginAction.java:25)
at org.jenkinsci.plugins.envinject.EnvInjectPluginAction$1.transformEntry(EnvInjectPluginAction.java:23)
SCM/JIRA link daemon (scm_issue_link) added a comment:

Code changed in jenkins
User: Gregory Boissinot
Path:
src/main/java/org/jenkinsci/plugins/envinject/EnvInjectPluginAction.java
http://jenkins-ci.org/commit/envinject-plugin/65f2715af6445d217e5df8a24bbd179f7841403f
Log:
Merge pull request #40 from dshvedchenko/master

JENKINS-23447 related , avoid NPE if there are no getSensibleVariables()

Compare: https://github.com/jenkinsci/envinject-plugin/compare/db0d1ef23baf...65f2715af644
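The two fix commits above move masking to the persistence and UI boundary, and the follow-up pull request guards the case where a build has no sensitive variables at all. The stand-alone Java sketch below is an added illustration of that design, written for this page; it is not the envinject plugin's code. The class and method names (SensitiveEnvMasking, forBuild, forDisplay, render) are assumptions, the sample environment is constructed, and the plugin itself takes the sensitive key set from Jenkins' AbstractBuild.getSensitiveBuildVariables() inside EnvInjectAction and EnvInjectPluginAction rather than from a constructor argument.

```java
import java.util.Collections;
import java.util.LinkedHashMap;
import java.util.Map;
import java.util.Set;
import java.util.TreeMap;

/**
 * Illustrative model (not the plugin's code) of the masking boundary:
 * the running build always sees real values, while anything written to
 * injectedEnvVars.txt or rendered at .../injectedEnvVars/ is masked.
 */
public class SensitiveEnvMasking {
    static final String MASK = "********";

    /** Values exactly as the build process must receive them. */
    private final Map<String, String> env;
    /** Keys a BuildWrapper marked via makeSensitiveBuildVariables; may be null. */
    private final Set<String> sensitive;

    SensitiveEnvMasking(Map<String, String> env, Set<String> sensitive) {
        this.env = env;
        this.sensitive = sensitive;
    }

    /** For the build itself: never masked, or a shell step could not use $AUTH. */
    Map<String, String> forBuild() {
        return Collections.unmodifiableMap(env);
    }

    /**
     * For persistence or the UI. Null-safe: a job with no sensitive variables
     * must render normally instead of throwing (the NPE reported above).
     */
    Map<String, String> forDisplay() {
        Set<String> secrets = sensitive == null ? Collections.<String>emptySet() : sensitive;
        Map<String, String> view = new TreeMap<String, String>();
        for (Map.Entry<String, String> e : env.entrySet()) {
            view.put(e.getKey(), secrets.contains(e.getKey()) ? MASK : e.getValue());
        }
        return view;
    }

    /** KEY=value lines, the shape of the plain-text report. */
    static String render(Map<String, String> vars) {
        StringBuilder sb = new StringBuilder();
        for (Map.Entry<String, String> e : vars.entrySet()) {
            sb.append(e.getKey()).append('=').append(e.getValue()).append('\n');
        }
        return sb.toString();
    }

    public static void main(String[] args) {
        // Constructed sample reproducing the first comment's scenario.
        Map<String, String> env = new LinkedHashMap<String, String>();
        env.put("AUTH", "user:pass");        // bound by Credentials Binding
        env.put("BUILD_FLAVOR", "nightly");  // added by an EnvInject build step
        Set<String> sensitive = Collections.singleton("AUTH");

        SensitiveEnvMasking withSecret = new SensitiveEnvMasking(env, sensitive);
        // Before the fix the report was effectively render(forBuild()): AUTH leaked.
        System.out.print("--- build env (real values) ---\n" + render(withSecret.forBuild()));
        System.out.print("--- injectedEnvVars.txt (masked) ---\n" + render(withSecret.forDisplay()));

        // A job with no sensitive variables: null set, must still render.
        Map<String, String> plainEnv = new LinkedHashMap<String, String>();
        plainEnv.put("BUILD_FLAVOR", "nightly");
        SensitiveEnvMasking noSecrets = new SensitiveEnvMasking(plainEnv, null);
        System.out.print("--- no sensitive set ---\n" + render(noSecrets.forDisplay()));
    }
}
```

The check worth carrying into a review of any such fix: the masked map must be derived at the output boundary from the same map the build consumed, not maintained as a second copy that can drift, and the key set used for masking must be treated as optional, since a job with no credential bindings legitimately has none.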
Oleg Nenashev (oleg_nenashev) made changes:
Link: This issue is related to JENKINS-27363
Jesse Glick (jglick) made changes:
Link: This issue is related to JENKINS-12423

People

Assignee: Nicolas De Loof (ndeloof)
Reporter: Jesse Glick (jglick)
Votes: 1
Watchers: 5