Details
Bug
Status: Resolved
Major
Resolution: Fixed
None
Jenkins version 1.591
Mask Password plugin version - 2.7.2
Environment Injector Plugin - 1.9
Description
Global Mask Passwords are visible as plain text in the Environment Variables tab.
Go to the job, then click on a specific build; in the left menu there is an Environment Variables tab. Inside this table the mask password can be read as plain text.
Passwords which are passed to the job as a Password parameter are coded in this tab.
Issue Links
- is related to
  - JENKINS-23630 Update to new environment variable APIs (Resolved)
Off-Topic Response:
Yes, I know, that is how I was trying to test this. This also works like this for the Credentials Plugin.
When I do "Execute Windows batch command"
@echo off
echo MASKED_PASSWORD:%MASKED_PASSWORD%
echo MASKED_PASSWORD:%MASKED_PASSWORD%>%WORKSPACE%/MASKED_PASSWORD_CMD.txt
I get this:
Jenkins console output -> MASKEDPASSWORD:********
File contents -> MASKEDPASSWORD:1234567890qwertyuiop
When I do "Invoke Gradle script"
class MaskedPasswords {
    static void main(String[] args) {
        // Print the variable to the build console
        println "MASKED_PASSWORD: ${System.getenv().get('MASKED_PASSWORD')}"
        def file = new File("${System.getenv().get('WORKSPACE')}/MASKED_PASSWORD.txt")
        // Remove the file left over from a previous build
        if (file.exists()) { file.delete() }
        // Write the same value to a file in the workspace
        file.withWriter('utf-8') {
            it.writeLine "MASKED_PASSWORD: ${System.getenv().get('MASKED_PASSWORD')}"
        }
    }
}
I get this:
Jenkins console output -> MASKED_PASSWORD: ********
File Contents -> MASKED_PASSWORD: ********
So using it via Groovy script gets the *'s vs 1234567890qwertyuiop.
Edit: When I pass it as args via build.gradle -> main args, the ******* is translated into the dir command and my args turn into all files/folder names in the workspace vs just a string that contains 8 *'s...
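
An added sketch, not code from the plugin or from this ticket: it models the batch-step result reported in the comment above, where masking is applied to the console text while the build step still receives the real value in its environment, and adds a workspace scan that reports files containing the secret. The child process standing in for the build step, the function names and the sample secret are all constructed for illustration.

```python
import os
import subprocess
import sys
import tempfile
from pathlib import Path

MASK = "********"

def mask_console(text, secrets):
    """Console-level masking: replace each secret value found in log text."""
    for s in sorted(secrets, key=len, reverse=True):  # longest first
        text = text.replace(s, MASK)
    return text

def run_step(workspace, env_extra):
    """Run a stand-in build step that echoes the variable and writes it to a file."""
    child = (
        "import os, pathlib\n"
        "v = os.environ['MASKED_PASSWORD']\n"
        "print('MASKED_PASSWORD:' + v)\n"
        "pathlib.Path(os.environ['WORKSPACE'], 'MASKED_PASSWORD_CMD.txt')"
        ".write_text('MASKED_PASSWORD:' + v)\n"
    )
    env = {**os.environ, **env_extra, "WORKSPACE": str(workspace)}
    done = subprocess.run([sys.executable, "-c", child], env=env,
                          capture_output=True, text=True, check=True)
    return done.stdout

def find_leaks(workspace, secrets):
    """Return workspace-relative paths of files holding a secret in plaintext."""
    leaks = []
    for p in sorted(Path(workspace).rglob("*")):
        if p.is_file():
            data = p.read_bytes()
            if any(s.encode() in data for s in secrets):
                leaks.append(p.relative_to(workspace).as_posix())
    return leaks

def demo():
    secret = "constructed-sample-secret"  # constructed value, not a real credential
    with tempfile.TemporaryDirectory() as ws:
        raw = run_step(ws, {"MASKED_PASSWORD": secret})
        console = mask_console(raw, [secret])  # what the build log would show
        return console.strip(), find_leaks(ws, [secret])

if __name__ == "__main__":
    print(demo())
```

The scan reports file names only, so the check itself never prints the secret into a log.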