-
Bug
-
Resolution: Fixed
-
Major
-
None
-
Jenkins version 1.591
Mask Password plugin version - 2.7.2
Environment Injector Plugin - 1.9
Global Mask password are visible as a plain text in Environment Variables tab.
You need to go job then click on specific build and on the left menu there is Environment Variables tab. Inside this table the mask passowrd can be read as a plain text.
Password which are passed to job as a Password parameter are coded in this tab.
- is related to
-
-
- Resolved
-
[JENKINS-25821] Global Mask Password are visible as a plain text in Environment Variables tab
During my testing, I was using the Mask Password plugin to mask my passwords, which I used inside a pipeline that was passed to a groovy script via environment variables. Inside the groovy script it creates IIS Application Pools (Identity) and Windows Services (Log On As). Previously (2.7.3) it was working perfectly fine, even though you could see the passwords in Environment Variables summary of the job; but now when I execute it with 2.7.4 update, all services fail to log on due to invalid credentials, and all application pools fail to start due to invalid credentials. From what I tested, I think its getting the ****** as its actual value vs the actual value of the text. Has anyone else encountered this?
Matthew Struensee
added a comment - - edited During my testing, I was using the Mask Password plugin to mask my passwords, which I used inside a pipeline that was passed to a groovy script via environment variables. Inside the groovy script it creates IIS Application Pools (Identity) and Windows Services (Log On As). Previously (2.7.3) it was working perfectly fine, even though you could see the passwords in Environment Variables summary of the job; but now when I execute it with 2.7.4 update, all services fail to log on due to invalid credentials, and all application pools fail to start due to invalid credentials. From what I tested, I think its getting the ****** as its actual value vs the actual value of the text. Has anyone else encountered this? betaprogrammers_mstruensee, could you provide a groovy script you use? We need to determine if it is an API misusage or a regression introduced by the change.
Matthew Struensee
added a comment - class Test(
def name = ''
def user = ''
def password = System.getenv().get('password')
def command = "appcmd set AppPool \"$name\" -processModel.identityType:SpecificUser -processModel.userName:\"$user\" -processModel.password:\"$password\""
def output = new ByteArrayOutputStream()
println command
def process = "cmd /c $command".execute()
process.waitForProcessOutput output, output
)
The command is executed successfully but the $password variable seems to be incorrect. But no code has changed from 2.7.3 to 2.7.4.
Matthew Struensee
added a comment - class Test(
def name = ''
def user = ''
def password = System.getenv().get('password')
def command = "appcmd set AppPool \"$name\" -processModel.identityType:SpecificUser -processModel.userName:\"$user\" -processModel.password:\"$password\""
def output = new ByteArrayOutputStream()
println command
def process = "cmd /c $command".execute()
process.waitForProcessOutput output, output
)
The command is executed successfully but the $password variable seems to be incorrect. But no code has changed from 2.7.3 to 2.7.4. It's possible to check the password correctness by printing it to a workspace file. I don't see a code affecting the behavior. Could you verify the password provisioning using such trick?
Off-topic:
System.getenv() is not supposed to provide passwords specified in Mask Passwords, seems you're passing the password as an environment variable to Jenkins. This approach is unsecure, because anybody can dump the password to the file and the get it in a plain text.
Off-Topic Response:
Yes I know, that is how it was trying to test this. This also works like this for the Credentials Plugin.
When I do "Execute Windows batch command"
@echo off
echo MASKED_PASSWORD:%MASKED_PASSWORD%
echo MASKED_PASSWORD:%MASKED_PASSWORD%>%WORKSPACE%/MASKED_PASSWORD_CMD.txt
I get this:
Jenkins console output -> MASKEDPASSWORD:********
File contents -> MASKEDPASSWORD:1234567890qwertyuiop
When I do "Invoke Gradle script"
class MaskedPasswords {
static void main(String[] args) {
println "MASKED_PASSWORD: ${System.getenv().get('MASKED_PASSWORD')}"
def file = new File("${System.getenv().get('WORKSPACE')}/MASKED_PASSWORD.txt")
if(file.exists())
file.withWriter('utf-8') {
it.writeLine "MASKED_PASSWORD: ${System.getenv().get('MASKED_PASSWORD')}"
}
}
}
I get this:
Jenkins console output -> MASKED_PASSWORD: ********
File Contents -> MASKED_PASSWORD: ********
So using it via Groovy script gets the *'s vs 1234567890qwertyuiop.
Edit: When I pass it as args via build.gradle -> main args the ******* is translated into the dir command and my args turns into all files/folder names in the workspace vs just a string that contains 8 *'s...
Matthew Struensee
added a comment - - edited Off-Topic Response:
Yes I know, that is how it was trying to test this. This also works like this for the Credentials Plugin.
When I do "Execute Windows batch command"
@echo off
echo MASKED_PASSWORD:%MASKED_PASSWORD%
echo MASKED_PASSWORD:%MASKED_PASSWORD%>%WORKSPACE%/MASKED_PASSWORD_CMD.txt
I get this:
Jenkins console output -> MASKEDPASSWORD:********
File contents -> MASKEDPASSWORD:1234567890qwertyuiop
When I do "Invoke Gradle script"
class MaskedPasswords {
static void main(String[] args) {
println "MASKED_PASSWORD: ${System.getenv().get('MASKED_PASSWORD')}"
def file = new File("${System.getenv().get('WORKSPACE')}/MASKED_PASSWORD.txt")
if(file.exists())
{ file.delete() }
file.withWriter('utf-8') {
it.writeLine "MASKED_PASSWORD: ${System.getenv().get('MASKED_PASSWORD')}"
}
}
}
I get this:
Jenkins console output -> MASKED_PASSWORD: ********
File Contents -> MASKED_PASSWORD: ********
So using it via Groovy script gets the *'s vs 1234567890qwertyuiop.
Edit: When I pass it as args via build.gradle -> main args the ******* is translated into the dir command and my args turns into all files/folder names in the workspace vs just a string that contains 8 *'s... Matthew Struensee
added a comment - Is this above the intended design? I don't want to sound annoying or anything but I am curious if you plan to make a change to solve this issue or if this is the intended design. We currently have a lot of pipelines with passwords exposed and would like to know if we need to redesign our pipelines/scripts or if we can wait for a fix from you.
Thanks.
Matthew Struensee
added a comment - - edited I don't want to sound annoying or anything but I am curious if you plan to make a change to solve this issue or if this is the intended design. We currently have a lot of pipelines with passwords exposed and would like to know if we need to redesign our pipelines/scripts or if we can wait for a fix from you.
Thanks. Matthew Struensee
added a comment - Thank you. I ran some tests on a local dev Jenkins and everything seems to be working as expected. I will do final tests at work tomorrow for the dev pipelines there. Thank you for the quick response!
Matthew Struensee
added a comment - Thank you. I ran some tests on a local dev Jenkins and everything seems to be working as expected. I will do final tests at work tomorrow for the dev pipelines there. Thank you for the quick response! 
Marking as resolved (released in 2.7.4)