[JENKINS-23447] Sensitive build variables recorded in EnvInjectSavable and displayed in EnvInjectAction - Jenkins Jira

XML

Word

Printable

Details

Type: Bug
Status: Resolved (View Workflow)
Priority: Critical
Resolution: Fixed
Component/s: envinject-plugin
Labels:
- mask-passwords
- security
Environment:
1.89 in 1.554.2

Similar Issues:

Show

Description

If you have a BuildWrapper which overrides makeSensitiveBuildVariables to specify that its additions are to be considered secret, then add an EnvInjectBuilder which adds some unrelated variables, injectedEnvVars.txt includes the sensitive variables (in plaintext) and /job/.../.../injectedEnvVars/ shows them as well.

Attachments

Issue Links

is blocking

JENKINS-23630 Update to new environment variable APIs

Resolved

is related to

JENKINS-12423 Password masked by Mask Passwords are visible when using envinject plugin

Closed

JENKINS-4428 MavenProbeAction exposes password parameters

Resolved

JENKINS-24287 EnvInject exposes password hashes

Resolved

Activity

Ascending order - Click to sort in descending order

Jesse Glick created issue - 2014-06-16 14:03

Jesse Glick added a comment - 2014-06-16 15:15

For example install the Credentials Binding plugin (1.0 just released), create a global username/password credentials, then make a job binding those credentials to $AUTH, and add an EnvInject build step adding some other variable, and a shell step running env. Both variables will be set correctly, but injectedEnvVars will show AUTH=user:pass in cleartext despite build.getSensitiveBuildVariables().contains("AUTH").

Jesse Glick added a comment - 2014-06-16 15:15 For example install the Credentials Binding plugin (1.0 just released), create a global username/password credentials, then make a job binding those credentials to $AUTH , and add an EnvInject build step adding some other variable, and a shell step running env . Both variables will be set correctly, but injectedEnvVars will show AUTH=user:pass in cleartext despite build.getSensitiveBuildVariables().contains("AUTH") .

Jesse Glick made changes - 2014-06-30 18:59

Field	Original Value	New Value
Link		This issue is blocking ~~JENKINS-23630~~ [ ~~JENKINS-23630~~ ]

Jesse Glick added a comment - 2014-06-30 19:00

Even more insidious than I originally thought: the problem occurs even if the job makes no mention of EnvInject. The plugin merely needs to be enabled.

Jesse Glick added a comment - 2014-06-30 19:00 Even more insidious than I originally thought: the problem occurs even if the job makes no mention of EnvInject. The plugin merely needs to be enabled.

Walter Kacynski added a comment - 2014-07-09 12:39

Do you have any indication of how long it would take to correct this? We have a number or projects that are held up waiting for this vulnerability to be corrected. Thank-You.

Walter Kacynski added a comment - 2014-07-09 12:39 Do you have any indication of how long it would take to correct this? We have a number or projects that are held up waiting for this vulnerability to be corrected. Thank-You.

Jesse Glick made changes - 2014-09-17 16:27

Link

This issue is related to ~~JENKINS-24287~~ [ ~~JENKINS-24287~~ ]

Jesse Glick made changes - 2014-09-23 18:15

Link

This issue is related to ~~JENKINS-4428~~ [ ~~JENKINS-4428~~ ]

Steven Christou added a comment - 2014-12-12 21:42

ndeloof solved it as part of d50c5a

Steven Christou added a comment - 2014-12-12 21:42 ndeloof solved it as part of d50c5a

Steven Christou made changes - 2014-12-12 21:42

Assignee	Gregory Boissinot [ gbois ]	Nicolas De Loof [ ndeloof ]
Resolution		Fixed [ 1 ]
Status	Open [ 1 ]	Resolved [ 5 ]

SCM/JIRA link daemon added a comment - 2014-12-17 17:24

Code changed in jenkins
User: Nicolas De Loof
Path:
src/main/java/org/jenkinsci/lib/envinject/EnvInjectAction.java
http://jenkins-ci.org/commit/envinject-lib/e181ac473a9ea3d8b531ff0f061e7ca7071f7d87
Log:
~~JENKINS-23447~~ only mask sensible data when injectedEnvVars.txt is persisted or exposed on UI

SCM/JIRA link daemon added a comment - 2014-12-17 17:24 Code changed in jenkins User: Nicolas De Loof Path: src/main/java/org/jenkinsci/lib/envinject/EnvInjectAction.java http://jenkins-ci.org/commit/envinject-lib/e181ac473a9ea3d8b531ff0f061e7ca7071f7d87 Log: JENKINS-23447 only mask sensible data when injectedEnvVars.txt is persisted or exposed on UI

SCM/JIRA link daemon added a comment - 2014-12-17 17:24

Code changed in jenkins
User: Nicolas De Loof
Path:
pom.xml
src/main/java/org/jenkinsci/plugins/envinject/EnvInjectAction.java
src/main/java/org/jenkinsci/plugins/envinject/EnvInjectPluginAction.java
http://jenkins-ci.org/commit/envinject-plugin/d3e2b61c7e858a6f34ec17a40a575e1a82d1274f
Log:
~~JENKINS-23447~~ only mask sensible data when displayed on UI or persisted on disk

SCM/JIRA link daemon added a comment - 2014-12-17 17:24 Code changed in jenkins User: Nicolas De Loof Path: pom.xml src/main/java/org/jenkinsci/plugins/envinject/EnvInjectAction.java src/main/java/org/jenkinsci/plugins/envinject/EnvInjectPluginAction.java http://jenkins-ci.org/commit/envinject-plugin/d3e2b61c7e858a6f34ec17a40a575e1a82d1274f Log: JENKINS-23447 only mask sensible data when displayed on UI or persisted on disk

Denis Shvedchenko added a comment - 2015-03-09 14:55

if project does not have Sensitive variables, it raises NPE on

ERROR: Failed to record SCM polling for hudson.model.FreeStyleProject@105707ef[*************]
java.lang.NullPointerException
at org.jenkinsci.plugins.envinject.EnvInjectPluginAction$1.transformEntry(EnvInjectPluginAction.java:25)
at org.jenkinsci.plugins.envinject.EnvInjectPluginAction$1.transformEntry(EnvInjectPluginAction.java:23)

Denis Shvedchenko added a comment - 2015-03-09 14:55 if project does not have Sensitive variables, it raises NPE on ERROR: Failed to record SCM polling for hudson.model.FreeStyleProject@105707ef [*************] java.lang.NullPointerException at org.jenkinsci.plugins.envinject.EnvInjectPluginAction$1.transformEntry(EnvInjectPluginAction.java:25) at org.jenkinsci.plugins.envinject.EnvInjectPluginAction$1.transformEntry(EnvInjectPluginAction.java:23)

SCM/JIRA link daemon added a comment - 2015-03-09 20:37

Code changed in jenkins
User: Gregory Boissinot
Path:
src/main/java/org/jenkinsci/plugins/envinject/EnvInjectPluginAction.java
http://jenkins-ci.org/commit/envinject-plugin/65f2715af6445d217e5df8a24bbd179f7841403f
Log:
Merge pull request #40 from dshvedchenko/master

~~JENKINS-23447~~ related , avoid NPE if there are no getSensibleVariables()

Compare: https://github.com/jenkinsci/envinject-plugin/compare/db0d1ef23baf...65f2715af644

SCM/JIRA link daemon added a comment - 2015-03-09 20:37 Code changed in jenkins User: Gregory Boissinot Path: src/main/java/org/jenkinsci/plugins/envinject/EnvInjectPluginAction.java http://jenkins-ci.org/commit/envinject-plugin/65f2715af6445d217e5df8a24bbd179f7841403f Log: Merge pull request #40 from dshvedchenko/master JENKINS-23447 related , avoid NPE if there are no getSensibleVariables() Compare: https://github.com/jenkinsci/envinject-plugin/compare/db0d1ef23baf...65f2715af644

Oleg Nenashev made changes - 2015-03-11 16:15

Link

This issue is related to ~~JENKINS-27363~~ [ ~~JENKINS-27363~~ ]

Oleg Nenashev made changes - 2015-03-11 16:52

Link

This issue is related to ~~JENKINS-27363~~ [ ~~JENKINS-27363~~ ]

Jesse Glick made changes - 2015-07-28 17:21

Link

This issue is related to ~~JENKINS-12423~~ [ ~~JENKINS-12423~~ ]

R. Tyler Croy made changes - 2016-07-25 23:56

Workflow

JNJira [ 156075 ]

JNJira + In-Review [ 195334 ]

People

Assignee:: Nicolas De Loof

Reporter:: Jesse Glick

Votes:: 1 Vote for this issue

Watchers:: 5 Start watching this issue

Dates

Created:: 2014-06-16 14:03

Updated:: 2015-07-28 17:21

Resolved:: 2014-12-12 21:42