Details
-
Type:
Bug
-
Status: Resolved (View Workflow)
-
Priority:
Major
-
Resolution: Fixed
-
Component/s: envinject-plugin, mask-passwords-plugin
-
Labels:None
-
Environment:Jenkins version 1.591
Mask Password plugin version - 2.7.2
Environment Injector Plugin - 1.9
-
Similar Issues:
Description
Global Mask password are visible as a plain text in Environment Variables tab.
You need to go job then click on specific build and on the left menu there is Environment Variables tab. Inside this table the mask passowrd can be read as a plain text.
Password which are passed to job as a Password parameter are coded in this tab.
Attachments
Issue Links
- is related to
-
-
- Resolved
-
Activity
Is this above the intended design?
Matthew Struensee
added a comment - Is this above the intended design? I don't want to sound annoying or anything but I am curious if you plan to make a change to solve this issue or if this is the intended design. We currently have a lot of pipelines with passwords exposed and would like to know if we need to redesign our pipelines/scripts or if we can wait for a fix from you.
Thanks.
Matthew Struensee
added a comment - - edited I don't want to sound annoying or anything but I am curious if you plan to make a change to solve this issue or if this is the intended design. We currently have a lot of pipelines with passwords exposed and would like to know if we need to redesign our pipelines/scripts or if we can wait for a fix from you.
Thanks. @Matthew Struensee
I suppose the fix for JENKINS-27382 solves your issue (envinject-1.92.1)
Thank you. I ran some tests on a local dev Jenkins and everything seems to be working as expected. I will do final tests at work tomorrow for the dev pipelines there. Thank you for the quick response!
Matthew Struensee
added a comment - Thank you. I ran some tests on a local dev Jenkins and everything seems to be working as expected. I will do final tests at work tomorrow for the dev pipelines there. Thank you for the quick response! 
Off-Topic Response:
Yes I know, that is how it was trying to test this. This also works like this for the Credentials Plugin.
When I do "Execute Windows batch command"
@echo off
echo MASKED_PASSWORD:%MASKED_PASSWORD%
echo MASKED_PASSWORD:%MASKED_PASSWORD%>%WORKSPACE%/MASKED_PASSWORD_CMD.txt
I get this:
Jenkins console output -> MASKEDPASSWORD:********
File contents -> MASKEDPASSWORD:1234567890qwertyuiop
When I do "Invoke Gradle script"
{ file.delete() }class MaskedPasswords {
static void main(String[] args) {
println "MASKED_PASSWORD: ${System.getenv().get('MASKED_PASSWORD')}"
def file = new File("${System.getenv().get('WORKSPACE')}/MASKED_PASSWORD.txt")
if(file.exists())
file.withWriter('utf-8') {
it.writeLine "MASKED_PASSWORD: ${System.getenv().get('MASKED_PASSWORD')}"
}
}
}
I get this:
Jenkins console output -> MASKED_PASSWORD: ********
File Contents -> MASKED_PASSWORD: ********
So using it via Groovy script gets the *'s vs 1234567890qwertyuiop.
Edit: When I pass it as args via build.gradle -> main args the ******* is translated into the dir command and my args turns into all files/folder names in the workspace vs just a string that contains 8 *'s...