Jenkins / JENKINS-26421

Password masking is masking even string fields

      Description

      I tried to use masking plugin, but it's masking everything, not only the ones I used:

        Attachments

          Activity

          marek_knappe Marek Knappe added a comment -

          2.7.2

          danielbeck Daniel Beck added a comment -

          Cannot reproduce with a simple job with two parameters (String parameter GIT_USER, value 'foo'; Password parameter GIT_PASSWORD, value 'bar'), and running the `env` command.

          However, it seems that the plugin simply ignores the global settings for me. Even if I check the 'String parameter' in global config, GIT_USER=foo still gets shown.

          greghansen Greg Hansen added a comment - - edited

          I'm seeing this also. Jenkins 1.595, Mask Password plugin 2.7.2. It's masking string parameters, even simple numbers. See attachment. I've had to turn off password masking on all projects so I had a hope of reading the console logs. I can't disable the envinject plugin and get a build, so I can't tell you what the result is. I've also attached a screenshot of the result of disabling masking, which unfortunately also leaves passwords exposed.

          leobq Leonardo Bianchi Quota added a comment - - edited

          I'm using Jenkins 2.58 with Mask Passwords plugin 2.10.1.
          In "Manage Jenkins"\"Configure System", after setting a Name/Password pair in "Mask Passwords - Global name/password pairs" with the password string john, every occurrence of that string in my job console output is hidden (i.e. http://john-server.domain becomes http://********-server.domain).

          Actually this behaviour can be useful. Since the parameter "Sonar database password", injected as SONAR_JDBC_PASSWORD, is in clear text, by creating an equal pair as above you can force it to be hidden.

          danielbeck Daniel Beck added a comment -

          Leonardo Bianchi Quota Works as designed, Mask Passwords has absolutely no way of knowing whether what's printed to the build log is a password, and what's not. You tell it "mask every occurrence of this string in output", and it does.

          Use a "safe" password like tr0ub4dor&3 and it will never appear as anything but a password you want hidden.

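The behaviour discussed in the comments above, as an added example (not code from the Mask Passwords plugin or from any commenter): a minimal Python model of literal-substring masking, plus a hypothetical `collateral_hits` check that flags where a configured value would also hide text that is not the secret. The function names are assumptions, and the sample log is constructed from the values quoted in the thread.

```python
import re

MASK = "********"  # same replacement shown in the thread's console output


def build_masker(secrets):
    """Return a function that masks every literal occurrence of any secret."""
    # Longest first, so a secret that contains a shorter one is masked whole.
    ordered = sorted({s for s in secrets if s}, key=len, reverse=True)
    if not ordered:
        return lambda line: line
    pattern = re.compile("|".join(re.escape(s) for s in ordered))
    return lambda line: pattern.sub(MASK, line)


def collateral_hits(secrets, log_lines):
    """List (secret, line_no, token) where a secret sits inside a larger token,
    i.e. where masking hides text that is not the secret itself."""
    hits = []
    for line_no, line in enumerate(log_lines, 1):
        for token in line.split():
            value = token.split("=", 1)[-1]  # for NAME=value, compare the value
            for secret in secrets:
                if secret and secret in token and value != secret:
                    hits.append((secret, line_no, token))
    return hits


# Constructed console output, modelled on the values quoted in the thread.
SAMPLE_LOG = [
    "Cloning from http://john-server.domain/repo.git",
    "GIT_USER=foo",
    "SONAR_JDBC_PASSWORD=john",
    "BUILD_NUMBER=42",
]

if __name__ == "__main__":
    mask = build_masker(["john"])
    for line in SAMPLE_LOG:
        print(mask(line))
    # A short dictionary-word value collides with ordinary log text.
    print(collateral_hits(["john"], SAMPLE_LOG))
    # A value unlikely to occur elsewhere produces no collateral masking.
    print(collateral_hits(["tr0ub4dor&3"], SAMPLE_LOG))
```

Running a check like `collateral_hits` against a recent console log before adding a global pair shows whether the value is distinctive enough to mask without hiding unrelated output.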

            People

            Assignee:
            danielpetisme Daniel Petisme
            Reporter:
            marek_knappe Marek Knappe
            Votes:
            0
            Watchers:
            4
