[JENKINS-27382] EnvInjectPluginAction::buildEnvVars() injects masks instead of passwords to the environment

    • Bug
    • Resolution: Fixed
    • Critical
    • EnvInject version 1.91 and version 1.91.1

      I created a local and global password.
      In a shell step the password can be used successfully.
      In the next build step of my build I have the Gradle plugin; the password arrives as asterisks.

      As a work-around I have switched to use the MaskPassword plugin.

      Test Script build.gradle:

      task showGlobalEnv << {
          // Compare the injected value with the expected password, then print it one character per line
          println 'Test match:' + (System.env.TEST_ENV == 'T123')
          System.env.TEST_ENV.each { println it }
      }

      Output from version 1.90 (successful):
      Test match:true
      T
      1
      2
      3

      Output from version 1.91 (failure):
      Test match:false
      *
      *
      *
      *
      *
      *
      *
      *

          Christopher Miller added a comment -

          We just upgraded from 1.90 to 1.94 and the problem cropped up. Going to rollback to 1.90. This makes the sensitive variable functionality useless outside of the Execute Shell step. The password is passed as **** to all other plugins that make use of the EnvVars object.

          Steven Christou added a comment -

          I believe this is a regression from commit d50c5. I did a git checkout for each commit between 1.90, and 1.91, and found this commit to inject the * characters.

          Manuel Recena Soto added a comment - - edited

          mbtc

          I've tried to reproduce the bug in this environment: Jenkins ver. 1.532.3, Gradle Plugin 1.24 and EnvInject Plugin 1.92 (latest release).

          With this build.gradle and Gradle 2.5:

          task showGlobalEnv << {
              println 'Test match:' + (System.env.TEST_ENV == 'T123')
              System.env.TEST_ENV.each {
                  println it
              }
          }
          

          I get this result:

          recena@andromeda:~/projects/gradle-helloworld$ gradle -b build.gradle showGlobalEnv
          :showGlobalEnv
          Test match:false
          
          BUILD SUCCESSFUL
          
          Total time: 4.227 secs
          

          Probably, I'm doing something wrong. Any idea?

          My test

          Anyway, I've configured the following FreeStyleJob:

          1. Git repo: https://github.com/recena/gradle-helloworld
          2. Checks the option Inject environment variables to the build process
            1. In Properties Content field I've defined: VAR=VAR2
          3. Checks the option Inject passwords to the build as environment variables
            1. Checks the option Global passwords because I've defined also a global password: PASSWORDGLOBAL=PASSWORDGLOBAL
            2. Note: I have to investigate if "Mask password parameters" option is working as expected. Done
          4. Adds a Gradle Build step:
            1. Uses the option Invoke Gradle and selects Gradle 2.5
            2. In Tasks field I've defined the name of our task: showGlobalEnv
          5. Adds a SHELL step with:
            echo $VAR
            echo $PASSWORDLOCAL
            echo $PASSWORDGLOBAL
            
          Console output
          [EnvInject] - Inject global passwords.
          Started by user anonymous
          [EnvInject] - Loading node environment variables.
          Building in workspace /home/recena/projects/envinject-plugin/work/jobs/JENKINS-27382/workspace
           > git rev-parse --is-inside-work-tree # timeout=10
          Fetching changes from the remote Git repository
           > git config remote.origin.url https://github.com/recena/gradle-helloworld.git # timeout=10
          Fetching upstream changes from https://github.com/recena/gradle-helloworld.git
           > git --version # timeout=10
           > git -c core.askpass=true fetch --tags --progress https://github.com/recena/gradle-helloworld.git +refs/heads/*:refs/remotes/origin/*
          
           > git rev-parse refs/remotes/origin/master^{commit} # timeout=10
           > git rev-parse refs/remotes/origin/origin/master^{commit} # timeout=10
          Checking out Revision b6329ad258d2900df073bdd6bd3ef46dd9b7fcc5 (refs/remotes/origin/master)
           > git config core.sparsecheckout # timeout=10
           > git checkout -f b6329ad258d2900df073bdd6bd3ef46dd9b7fcc5
           > git rev-list b6329ad258d2900df073bdd6bd3ef46dd9b7fcc5 # timeout=10
          [EnvInject] - Executing scripts and injecting environment variables after the SCM step.
          [EnvInject] - Injecting as environment variables the properties content 
          VAR=VAR1
          
          [EnvInject] - Variables injected successfully.
          [Gradle] - Launching build.
          [workspace] $ /home/recena/projects/envinject-plugin/work/tools/hudson.plugins.gradle.GradleInstallation/Gradle_2.6/bin/gradle ******** ******** showGlobalEnv
          
          :showGlobalEnv
          VAR was injected using the field "Properties Content": VAR1
          V
          A
          R
          1
          PASSWORDLOCAL was injected using the option "Inject passwords": ********
          *
          *
          *
          *
          *
          *
          *
          *
          PASSWORDGLOBAL was injected using the option "Inject passwords": ********
          *
          *
          *
          *
          *
          *
          *
          *
          
          BUILD SUCCESSFUL
          
          Total time: 2.554 secs
          
          This build could be faster, please consider using the Gradle Daemon: https://docs.gradle.org/2.6/userguide/gradle_daemon.html
          Build step 'Invoke Gradle script' changed build result to SUCCESS
          [workspace] $ /bin/sh -xe /tmp/hudson5969723979230846787.sh
          
          + echo VAR1
          VAR1
          + echo ****
          ****
          + echo ****
          ****
          Finished: SUCCESS
          
          Environment Variables (URL: JOB_NAME/BUILD_ID/injectedEnvVars/)
          • VAR=VAR1
          • PASSWORDLOCAL=********
          • PASSWORDGLOBAL=********
          Environment Variables (FILESYSTEM: jobs/JOB_NAME/lastSuccessful/injectedEnvVars.txt)
          VAR=VAR1
          PASSWORDGLOBAL=********
          PASSWORDLOCAL=********
          

          /cc schristou

          Manuel Recena Soto added a comment - - edited

          Reading the changelog I've understood how Mask password parameters should work.

          Manuel Recena Soto added a comment -

          mbtc, I'd need feedback to understand where the bug is.

          Oleg Nenashev added a comment -

          The issue is in these two methods: https://github.com/jenkinsci/envinject-plugin/blob/master/src/main/java/org/jenkinsci/plugins/envinject/EnvInjectPluginAction.java#L46-L63

          Nicolas modified getEnvInjectVarList() in order to prevent the vars exposure to getTarget(). buildEnvVars() also uses this method => "********" sneaks into environment variables in some cases.

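The failure mode described in the comment above, as an added example that is not part of the original thread or the plugin's source: a simplified Java model in which one accessor masks sensitive values for display and the environment builder reuses it. All names (MaskedEnvDemo, maskedView, buildEnvVarsRegressed, buildEnvVarsFixed, invariantsHold) and the sample values are assumptions; the "fixed" variant shows one way to separate the two paths, not the merged change.

```java
import java.util.LinkedHashMap;
import java.util.Map;
import java.util.Set;

// Simplified model of the bug pattern. Names are hypothetical, not the plugin's source.
public class MaskedEnvDemo {
    static final String MASK = "********";
    private final Map<String, String> vars;   // raw injected values
    private final Set<String> sensitive;      // keys whose values are passwords

    MaskedEnvDemo(Map<String, String> vars, Set<String> sensitive) {
        this.vars = new LinkedHashMap<>(vars);
        this.sensitive = sensitive;
    }

    // Display accessor: what a UI page or a saved report is allowed to show.
    Map<String, String> maskedView() {
        Map<String, String> out = new LinkedHashMap<>();
        vars.forEach((k, v) -> out.put(k, sensitive.contains(k) ? MASK : v));
        return out;
    }

    // Regressed pattern: the process environment is built from the display accessor.
    void buildEnvVarsRegressed(Map<String, String> env) { env.putAll(maskedView()); }

    // Separated paths: the environment gets raw values, masking stays on display.
    void buildEnvVarsFixed(Map<String, String> env) { env.putAll(vars); }

    // Regression guard: no sensitive key reaches the process as the mask,
    // and no raw secret appears in the display view.
    boolean invariantsHold(Map<String, String> env) {
        Map<String, String> shown = maskedView();
        for (String k : sensitive) {
            if (!vars.containsKey(k)) continue;
            if (MASK.equals(env.get(k)) || vars.get(k).equals(shown.get(k))) return false;
        }
        return true;
    }

    public static void main(String[] args) {
        // Constructed sample values, mirroring the TEST_ENV == 'T123' check in the report.
        MaskedEnvDemo action = new MaskedEnvDemo(
                Map.of("VAR", "VAR1", "TEST_ENV", "T123"), Set.of("TEST_ENV"));
        Map<String, String> bad = new LinkedHashMap<>();
        action.buildEnvVarsRegressed(bad);
        Map<String, String> good = new LinkedHashMap<>();
        action.buildEnvVarsFixed(good);
        System.out.println("regressed env passes guard: " + action.invariantsHold(bad));
        System.out.println("fixed env passes guard:     " + action.invariantsHold(good));
    }
}
```

A guard of this shape covers both directions at once: the build step must receive the real value, and the injectedEnvVars page and file must still show only the mask.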

          Manuel Recena Soto added a comment -

          oleg_nenashev Thanks for your clue.

          A PR has been sent.

          Oleg Nenashev added a comment - - edited

          Adjusted the issue title. My gut feeling is that many other issues can be closed as duplicates.

          SCM/JIRA link daemon added a comment -

          Code changed in jenkins
          User: Oleg Nenashev
          Path:
          src/main/java/org/jenkinsci/plugins/envinject/EnvInjectPluginAction.java
          http://jenkins-ci.org/commit/envinject-plugin/d0cfe58eb9f57b31b93ea6add47c43eb1cbc6728
          Log:
          Merge pull request #65 from recena/JENKINS-27382

          JENKINS-27382 EnvInjectPluginAction::buildEnvVars() injects masks instead of passwords to the environment

          Compare: https://github.com/jenkinsci/envinject-plugin/compare/3dcf5aee55ab...d0cfe58eb9f5

          Oleg Nenashev added a comment -

          Created JENKINS-30090 for tests.
          The fix has been released in 1.92.1

            recena Manuel Recena Soto
            mbtc Marcus Collins
            Votes: 9
            Watchers: 14
