  1. Jenkins
  2. JENKINS-25821

Global Mask Passwords are visible as plain text in the Environment Variables tab


Details

    • Bug
    • Status: Resolved
    • Major
    • Resolution: Fixed
    • None
    • Jenkins version 1.591
      Mask Password plugin version - 2.7.2
      Environment Injector Plugin - 1.9

    Description

      Global Mask Passwords are visible as plain text in the Environment Variables tab.
      You need to go to the job, then click on a specific build; in the left menu there is an Environment Variables tab. Inside this table the masked password can be read as plain text.

      Passwords which are passed to the job as a Password parameter are coded in this tab.

          Activity

            betaprogrammers_mstruensee Matthew Struensee added a comment - - edited

            Off-Topic Response:
            Yes I know, that is how I was trying to test this. This also works like this for the Credentials Plugin.

            When I do "Execute Windows batch command"

                @echo off
                rem Print the variable to the console
                echo MASKED_PASSWORD:%MASKED_PASSWORD%
                rem Write the same line to a file in the workspace
                echo MASKED_PASSWORD:%MASKED_PASSWORD%>%WORKSPACE%/MASKED_PASSWORD_CMD.txt

            I get this:
            Jenkins console output -> MASKED_PASSWORD:********
            File contents -> MASKED_PASSWORD:1234567890qwertyuiop

            When I do "Invoke Gradle script"

                class MaskedPasswords {
                    static void main(String[] args) {
                        // Print the variable to the console
                        println "MASKED_PASSWORD: ${System.getenv().get('MASKED_PASSWORD')}"
                        def file = new File("${System.getenv().get('WORKSPACE')}/MASKED_PASSWORD.txt")
                        if (file.exists()) {
                            file.delete()
                        }
                        // Write the same line to a file in the workspace
                        file.withWriter('utf-8') {
                            it.writeLine "MASKED_PASSWORD: ${System.getenv().get('MASKED_PASSWORD')}"
                        }
                    }
                }

            I get this:
            Jenkins console output -> MASKED_PASSWORD: ********
            File Contents -> MASKED_PASSWORD: ********

            So using it via Groovy script gets the *'s vs 1234567890qwertyuiop.

            Edit: When I pass it as args via build.gradle -> main args, the ******* is translated into the dir command and my args turn into all files/folder names in the workspace vs just a string that contains 8 *'s...
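
The gap described in the comment above, as an added example that is not part of the original thread or of any plugin's code: console masking is modelled here as a filter over log text, so the value a build step writes to a workspace file is untouched, and `find_leaks` audits a workspace for it. The function names and the masking model are assumptions made for illustration; the sample value is the one quoted in the comment.

```python
import os
import subprocess
import sys
import tempfile

MASK = "********"

def mask_console(text, secrets):
    """Simplified model of console masking: replace secret values in log text."""
    # Longest first, so a secret that contains another one is masked whole.
    for value in sorted(secrets, key=len, reverse=True):
        if value:
            text = text.replace(value, MASK)
    return text

def run_step(workspace, env_name, secret):
    """Run a child step that echoes the variable and also writes it to a file."""
    child = (
        "import os, sys\n"
        "name, ws = sys.argv[1], sys.argv[2]\n"
        "line = name + ':' + os.environ[name]\n"
        "print(line)\n"
        "with open(os.path.join(ws, name + '_CMD.txt'), 'w') as f:\n"
        "    f.write(line)\n"
    )
    env = dict(os.environ, **{env_name: secret})
    out = subprocess.run([sys.executable, "-c", child, env_name, workspace],
                         env=env, capture_output=True, text=True, check=True).stdout
    # Only the captured console text passes through the mask.
    return mask_console(out, [secret])

def find_leaks(workspace, secrets):
    """Return relative paths of workspace files that contain any secret value."""
    needles = [s.encode() for s in secrets if s]
    leaks = []
    for root, _dirs, files in os.walk(workspace):
        for name in files:
            path = os.path.join(root, name)
            with open(path, "rb") as fh:
                data = fh.read()
            if any(n in data for n in needles):
                leaks.append(os.path.relpath(path, workspace))
    return sorted(leaks)

def demo():
    secret = "1234567890qwertyuiop"  # sample value quoted in the comment
    with tempfile.TemporaryDirectory() as ws:
        console = run_step(ws, "MASKED_PASSWORD", secret)
        return console.strip(), find_leaks(ws, [secret])
```

`find_leaks` reports file paths only, so the audit output itself never repeats the secret.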


            betaprogrammers_mstruensee Matthew Struensee added a comment

            Is the above the intended design?

            betaprogrammers_mstruensee Matthew Struensee added a comment - - edited

            I don't want to sound annoying or anything but I am curious if you plan to make a change to solve this issue or if this is the intended design. We currently have a lot of pipelines with passwords exposed and would like to know if we need to redesign our pipelines/scripts or if we can wait for a fix from you.

            Thanks.

            oleg_nenashev Oleg Nenashev added a comment - - edited

            @Matthew Struensee
            I suppose the fix for JENKINS-27382 solves your issue (envinject-1.92.1)


            betaprogrammers_mstruensee Matthew Struensee added a comment

            Thank you. I ran some tests on a local dev Jenkins and everything seems to be working as expected. I will do final tests at work tomorrow for the dev pipelines there. Thank you for the quick response!

            People

              gbois Gregory Boissinot
              trwandrzej Andrzej Obstoj
              Votes: 8
              Watchers: 14
