[JENKINS-25821] Global Mask Password are visible as a plain text in Environment Variables tab - Jenkins Jira

Details

Type: Bug
Status: Resolved (View Workflow)
Priority: Major
Resolution: Fixed
Component/s: envinject-plugin, mask-passwords-plugin
Labels:
None
Environment:
Jenkins version 1.591
Mask Password plugin version - 2.7.2
Environment Injector Plugin - 1.9

Similar Issues:

Show

Description

Global Mask password are visible as a plain text in Environment Variables tab.
You need to go job then click on specific build and on the left menu there is Environment Variables tab. Inside this table the mask passowrd can be read as a plain text.

Password which are passed to job as a Password parameter are coded in this tab.

Attachments

Issue Links

is related to

JENKINS-23630 Update to new environment variable APIs

Resolved

Activity

Ascending order - Click to sort in descending order

View 11 older comments

Matthew Struensee added a comment - 2015-08-12 10:56 - edited

Off-Topic Response:
Yes I know, that is how it was trying to test this. This also works like this for the Credentials Plugin.

When I do "Execute Windows batch command"
@echo off
echo MASKED_PASSWORD:%MASKED_PASSWORD%
echo MASKED_PASSWORD:%MASKED_PASSWORD%>%WORKSPACE%/MASKED_PASSWORD_CMD.txt

I get this:
Jenkins console output -> MASKEDPASSWORD:********
File contents -> MASKEDPASSWORD:1234567890qwertyuiop

When I do "Invoke Gradle script"
class MaskedPasswords {
static void main(String[] args) {
println "MASKED_PASSWORD: ${System.getenv().get('MASKED_PASSWORD')}"
def file = new File("${System.getenv().get('WORKSPACE')}/MASKED_PASSWORD.txt")
if(file.exists())

{ file.delete() }

file.withWriter('utf-8') {
it.writeLine "MASKED_PASSWORD: ${System.getenv().get('MASKED_PASSWORD')}"
}
}
}

I get this:
Jenkins console output -> MASKED_PASSWORD: ********
File Contents -> MASKED_PASSWORD: ********

So using it via Groovy script gets the *'s vs 1234567890qwertyuiop.

Edit: When I pass it as args via build.gradle -> main args the ******* is translated into the dir command and my args turns into all files/folder names in the workspace vs just a string that contains 8 *'s...

Matthew Struensee added a comment - 2015-08-12 10:56 - edited Off-Topic Response: Yes I know, that is how it was trying to test this. This also works like this for the Credentials Plugin. When I do "Execute Windows batch command" @echo off echo MASKED_PASSWORD:%MASKED_PASSWORD% echo MASKED_PASSWORD:%MASKED_PASSWORD%>%WORKSPACE%/MASKED_PASSWORD_CMD.txt I get this: Jenkins console output -> MASKEDPASSWORD:******** File contents -> MASKEDPASSWORD:1234567890qwertyuiop When I do "Invoke Gradle script" class MaskedPasswords { static void main(String[] args) { println "MASKED_PASSWORD: ${System.getenv().get('MASKED_PASSWORD')}" def file = new File("${System.getenv().get('WORKSPACE')}/MASKED_PASSWORD.txt") if(file.exists()) { file.delete() } file.withWriter('utf-8') { it.writeLine "MASKED_PASSWORD: ${System.getenv().get('MASKED_PASSWORD')}" } } } I get this: Jenkins console output -> MASKED_PASSWORD: ******** File Contents -> MASKED_PASSWORD: ******** So using it via Groovy script gets the *'s vs 1234567890qwertyuiop. Edit: When I pass it as args via build.gradle -> main args the ******* is translated into the dir command and my args turns into all files/folder names in the workspace vs just a string that contains 8 *'s...

Matthew Struensee added a comment - 2015-08-17 12:38

Is this above the intended design?

Matthew Struensee added a comment - 2015-08-17 12:38 Is this above the intended design?

Matthew Struensee added a comment - 2015-08-24 19:06 - edited

I don't want to sound annoying or anything but I am curious if you plan to make a change to solve this issue or if this is the intended design. We currently have a lot of pipelines with passwords exposed and would like to know if we need to redesign our pipelines/scripts or if we can wait for a fix from you.

Thanks.

Matthew Struensee added a comment - 2015-08-24 19:06 - edited I don't want to sound annoying or anything but I am curious if you plan to make a change to solve this issue or if this is the intended design. We currently have a lot of pipelines with passwords exposed and would like to know if we need to redesign our pipelines/scripts or if we can wait for a fix from you. Thanks.

Oleg Nenashev added a comment - 2015-08-24 19:11 - edited

@Matthew Struensee
I suppose the fix for ~~JENKINS-27382~~ solves your issue (envinject-1.92.1)

Oleg Nenashev added a comment - 2015-08-24 19:11 - edited @Matthew Struensee I suppose the fix for JENKINS-27382 solves your issue (envinject-1.92.1)

Matthew Struensee added a comment - 2015-08-24 22:03

Thank you. I ran some tests on a local dev Jenkins and everything seems to be working as expected. I will do final tests at work tomorrow for the dev pipelines there. Thank you for the quick response!

Matthew Struensee added a comment - 2015-08-24 22:03 Thank you. I ran some tests on a local dev Jenkins and everything seems to be working as expected. I will do final tests at work tomorrow for the dev pipelines there. Thank you for the quick response!

Jenkins

Global Mask Password are visible as a plain text in Environment Variables tab

Details

Description

Attachments

Issue Links

Activity

People

Dates