[JENKINS-27631] Do not even temporarily save secrets in Workflow build record

Type: Bug
Resolution: Fixed
Priority: Major
Component/s: credentials-binding-plugin
Labels:
- api
- pipeline
- security

Similar Issues:
Powered by SuggestiMate

Show

Currently when you use withCredentials with e.g. UsernamePasswordMultiBinding, the secret is saved in program.dat for the duration of the block. It is later removed, but it would be safer if it were guaranteed to never be persisted at all. That seems to require an API change: either in EnvVars to allow a given variable to be directly marked as secret and thus to be persisted only via Secret, or by lifting up sensitiveBuildVariables from AbstractBuild to Run, or by allowing BodyInvoker.withContext to provide something like an environment variable factory rather than a raw EnvVars.

is related to

JENKINS-26128 Dynamically-scoped env step

Resolved

JENKINS-28719 Store environment variable values for CoreWrapperStep as Secret

Open

links to

PR 5

PR 6

SCM/JIRA link daemon added a comment - 2015-03-27 11:53

Code changed in jenkins
User: Jesse Glick
Path:
src/test/java/org/jenkinsci/plugins/credentialsbinding/impl/BindingStepTest.java
http://jenkins-ci.org/commit/credentials-binding-plugin/16c180f4add799acc8d5f58b73e63dc285380ed9
Log:
~~JENKINS-27631~~ But demonstrating that it is stored temporarily.

SCM/JIRA link daemon added a comment - 2015-03-27 11:53 Code changed in jenkins User: Jesse Glick Path: src/test/java/org/jenkinsci/plugins/credentialsbinding/impl/BindingStepTest.java http://jenkins-ci.org/commit/credentials-binding-plugin/16c180f4add799acc8d5f58b73e63dc285380ed9 Log: JENKINS-27631 But demonstrating that it is stored temporarily.

SCM/JIRA link daemon added a comment - 2015-03-27 11:53

Code changed in jenkins
User: Jesse Glick
Path:
pom.xml
src/test/java/org/jenkinsci/plugins/credentialsbinding/impl/BindingStepTest.java
http://jenkins-ci.org/commit/credentials-binding-plugin/40af344b6444edac754d8da7eda0ac238190f6f3
Log:
Merge pull request #5 from jglick/stronger-tests

~~JENKINS-27631~~ Stronger tests

Compare: https://github.com/jenkinsci/credentials-binding-plugin/compare/0baec040aa1b...40af344b6444

SCM/JIRA link daemon added a comment - 2015-03-27 11:53 Code changed in jenkins User: Jesse Glick Path: pom.xml src/test/java/org/jenkinsci/plugins/credentialsbinding/impl/BindingStepTest.java http://jenkins-ci.org/commit/credentials-binding-plugin/40af344b6444edac754d8da7eda0ac238190f6f3 Log: Merge pull request #5 from jglick/stronger-tests JENKINS-27631 Stronger tests Compare: https://github.com/jenkinsci/credentials-binding-plugin/compare/0baec040aa1b...40af344b6444

SCM/JIRA link daemon added a comment - 2015-03-31 14:02

Code changed in jenkins
User: Jesse Glick
Path:
support/src/main/java/org/jenkinsci/plugins/workflow/support/pickles/SecretPickle.java
http://jenkins-ci.org/commit/workflow-plugin/d60edde46f201facea46cc4029ee2b80b73d6a0f
Log:
Merge pull request #106 from jglick/SecretPickle-~~JENKINS-27631~~

~~JENKINS-27631~~ Added SecretPickle

Compare: https://github.com/jenkinsci/workflow-plugin/compare/42805fed800b...d60edde46f20

SCM/JIRA link daemon added a comment - 2015-03-31 14:02 Code changed in jenkins User: Jesse Glick Path: support/src/main/java/org/jenkinsci/plugins/workflow/support/pickles/SecretPickle.java http://jenkins-ci.org/commit/workflow-plugin/d60edde46f201facea46cc4029ee2b80b73d6a0f Log: Merge pull request #106 from jglick/SecretPickle- JENKINS-27631 JENKINS-27631 Added SecretPickle Compare: https://github.com/jenkinsci/workflow-plugin/compare/42805fed800b...d60edde46f20

SCM/JIRA link daemon added a comment - 2015-04-01 14:43

Code changed in jenkins
User: Jesse Glick
Path:
pom.xml
src/main/java/org/jenkinsci/plugins/credentialsbinding/impl/BindingStep.java
src/test/java/org/jenkinsci/plugins/credentialsbinding/impl/BindingStepTest.java
http://jenkins-ci.org/commit/credentials-binding-plugin/6731df355d94236015616ce9fd072dd80834a2e8
Log:
[FIXED JENKINS-27631] Store variables as Secret so they do not appear in program.dat.

SCM/JIRA link daemon added a comment - 2015-04-01 14:43 Code changed in jenkins User: Jesse Glick Path: pom.xml src/main/java/org/jenkinsci/plugins/credentialsbinding/impl/BindingStep.java src/test/java/org/jenkinsci/plugins/credentialsbinding/impl/BindingStepTest.java http://jenkins-ci.org/commit/credentials-binding-plugin/6731df355d94236015616ce9fd072dd80834a2e8 Log: [FIXED JENKINS-27631] Store variables as Secret so they do not appear in program.dat.

Details

Description

Attachments

Issue Links

Activity

Collapse comment: SCM/JIRA link daemon added a comment - 2015-03-27 11:53

Expand comment: SCM/JIRA link daemon added a comment - 2015-03-27 11:53

Collapse comment: SCM/JIRA link daemon added a comment - 2015-03-27 11:53

Expand comment: SCM/JIRA link daemon added a comment - 2015-03-27 11:53

Collapse comment: SCM/JIRA link daemon added a comment - 2015-03-31 14:02

Expand comment: SCM/JIRA link daemon added a comment - 2015-03-31 14:02

Collapse comment: SCM/JIRA link daemon added a comment - 2015-04-01 14:43

Expand comment: SCM/JIRA link daemon added a comment - 2015-04-01 14:43

People

Dates