
[JENKINS-24913] SSH Plugin displays password parameter values unencrypted in log

    • Type: Bug
    • Resolution: Fixed
    • Priority: Critical
    • Component: ssh-plugin

      When running a parameterized build of type Execute shell script on remote host using ssh, it logs in the console output all the parameters that are used in the script with their values. This is a problem with Password Parameter types; they should be hidden. This is a serious security issue: passwords must never be logged anywhere.

      Attachments:
        1. password-parameter.png (20 kB)
        2. shell-script.png (21 kB)
        3. ssh-log.png (16 kB)


          Daniel Beck added a comment -

          Could you explain how you configured the build step or build wrapper to include passwords?


          Pietro Descombes added a comment -

          Hi Daniel, sure, here is the config:

          Build configuration

          Include a build parameter of type Password.

          Then add an Execute shell script on remote host using ssh build task. Inside the command block, call a shell script taking an argument. Use the parameter as the argument.

          Run the build

          When running it using the Build with Parameters link, the task is successfully executed, but all the used parameters are printed out in the console output (as well as the script itself).

          This would be fine for normal parameters, but it is a security issue for passwords, as they are to be kept secret!

          Daniel Beck added a comment - edited

          Right, bug is around here:
          https://github.com/jenkinsci/ssh-plugin/blob/master/src/main/java/org/jvnet/hudson/plugins/VariableReplacerUtil.java

          It does not care whether environment variables are declared sensitive (AbstractBuild.getSensitiveBuildVariables()).

          (Plus, contains() is a bit weak to determine whether a script references a given value.)


          John Tatum added a comment -

          https://github.com/jenkinsci/ssh-plugin/pull/14 has been created to address this issue. Please test and comment if able.


          SCM/JIRA link daemon added a comment -

          Code changed in jenkins
          User: johnny-b-goode
          Path:
          src/main/java/org/jvnet/hudson/plugins/SSHBuildWrapper.java
          src/main/java/org/jvnet/hudson/plugins/SSHBuilder.java
          src/main/java/org/jvnet/hudson/plugins/VariableReplacerUtil.java
          http://jenkins-ci.org/commit/ssh-plugin/6aa9f1684b350d4643e8a95d4482bd446d6dc290
          Log:
          This commit addresses https://issues.jenkins-ci.org/browse/JENKINS-24913

          Added a method to scrub the runtime command to VariableReplacerUtil.
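The following is an added illustration of the defect Daniel Beck describes and of the kind of scrubbing the fix commit above introduces; it is not the ssh-plugin's own code. The `sensitiveNames` set stands in for what `AbstractBuild.getSensitiveBuildVariables()` would return in Jenkins, and the class name, method names and the sample variables are assumptions made for this example.

```java
import java.util.Map;
import java.util.Set;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

/** Hypothetical stand-in for a variable replacer that is aware of sensitive build variables. */
public final class SensitiveVariableScrubber {
    // Matches $NAME and ${NAME} as whole tokens, so a reference is detected by
    // token rather than by a plain contains() check on the script text.
    private static final Pattern VAR =
        Pattern.compile("\\$(?:\\{([A-Za-z_][A-Za-z0-9_]*)\\}|([A-Za-z_][A-Za-z0-9_]*))");
    private static final String MASK = "********";

    private SensitiveVariableScrubber() {}

    /** Form sent to the remote host: every known variable, sensitive or not, is expanded. */
    public static String expand(String command, Map<String, String> vars) {
        return substitute(command, vars, Set.of());
    }

    /** Form written to the console log: sensitive variables are replaced by MASK, never by their value. */
    public static String scrubForLog(String command, Map<String, String> vars, Set<String> sensitiveNames) {
        return substitute(command, vars, sensitiveNames);
    }

    private static String substitute(String command, Map<String, String> vars, Set<String> sensitiveNames) {
        Matcher m = VAR.matcher(command);
        StringBuilder out = new StringBuilder();
        while (m.find()) {
            String name = m.group(1) != null ? m.group(1) : m.group(2);
            String replacement;
            if (!vars.containsKey(name)) {
                replacement = m.group(0);          // unknown variable: leave the reference as written
            } else if (sensitiveNames.contains(name)) {
                replacement = MASK;                // declared sensitive: mask in the logged form
            } else {
                replacement = vars.get(name);
            }
            m.appendReplacement(out, Matcher.quoteReplacement(replacement));
        }
        m.appendTail(out);
        return out.toString();
    }

    public static void main(String[] args) {
        // Constructed sample build variables; DB_PASSWORD plays the role of a Password parameter.
        Map<String, String> vars = Map.of("TARGET", "app01", "DB_PASSWORD", "s3cr3t!");
        Set<String> sensitive = Set.of("DB_PASSWORD");
        String cmd = "./deploy.sh $TARGET ${DB_PASSWORD} $UNSET";
        System.out.println("exec: " + expand(cmd, vars));
        System.out.println("log:  " + scrubForLog(cmd, vars, sensitive));
    }
}
```

The executed command still carries the real value; only the copy that reaches the build log is masked, which is the separation the original replacer lacked.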

          SCM/JIRA link daemon added a comment -

          Code changed in jenkins
          User: Edmund Wagner
          Path:
          src/main/java/org/jvnet/hudson/plugins/SSHBuildWrapper.java
          src/main/java/org/jvnet/hudson/plugins/SSHBuilder.java
          src/main/java/org/jvnet/hudson/plugins/VariableReplacerUtil.java
          http://jenkins-ci.org/commit/ssh-plugin/d1a2168224919d678419bd4194cd66201dbbbee8
          Log:
          Merge pull request #14 from johnny-b-goode/master

          This commit addresses https://issues.jenkins-ci.org/browse/JENKINS-24913

          Compare: https://github.com/jenkinsci/ssh-plugin/compare/f9f8fad47a54...d1a216822491

          Łukasz Jąder added a comment -

          The recent 2.5 version of ssh-plugin contains the fix provided by John Tatum, which takes sensitive build variables into account.

          In case of any similar issue, please create a new ticket.

            Assignee: John Tatum (johnnybgoode)
            Reporter: Pietro Descombes (p2d_capbs)
            Votes: 1
            Watchers: 5
