JENKINS-27869

entered SCM password should be masked in output

      Description

      I have an issue with password disclosure when using the M2 Release Plugin and entering the password.

      During the release build, the SCM password is passed to a child Maven instance and unfortunately dumped in plain text (not masked) to the log output. I would expect this password to be masked using the 'Default' Jenkins mechanism, but it is not.

      As an easy test, I've changed the goal to be executed in "Release goals and options" to "help:system". If I now start a release build and enter the SCM username/password, I can read in the log:

      <===[JENKINS REMOTING CAPACITY]===>channel started
      
      Executing Maven:  -B -f /export/sbs/jenkins/home/workspace/am-test/pom.xml -DdevelopmentVersion=2-SNAPSHOT -DreleaseVersion=1 -Dusername=jenkins help:system -Dpassword=*********
      
      [INFO] Scanning for projects...
      
      [INFO] --- maven-help-plugin:2.2:system (default-cli) @ my-module ---
      ...
      ===============================================================================
      System Properties
      ===============================================================================
      
      JOB_NAME=am-test
      ...
      
      password=mysecretpassword
      
      ...
      

      see also https://groups.google.com/forum/#!topic/jenkinsci-users/uHEszf8DHac (incl. a workaround)
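
The leak pattern in the log above (a `-D` property masked on the "Executing Maven:" line but printed in clear text later as `name=value`) can be detected and redacted in a captured console log. The following Python check is an added example, not part of the original report or of any Jenkins plugin; the function names are hypothetical and the sample log is constructed to mirror the excerpt.

```python
import re

# Constructed sample modelled on the log excerpt in the report; the secret is fake.
SAMPLE_LOG = """\
Executing Maven:  -B -f /ws/pom.xml -DreleaseVersion=1 -Dusername=jenkins help:system -Dpassword=*********
[INFO] --- maven-help-plugin:2.2:system (default-cli) @ my-module ---
JOB_NAME=am-test
username=jenkins
password=constructed-secret
"""

D_ARG = re.compile(r"(?<!\S)-D([\w.\-]+)=(\S*)")   # -Dname=value on the command line
MASK = re.compile(r"\*+")                          # a value printed only as asterisks
PROP_LINE = re.compile(r"^\s*([\w.\-]+)=(.*)$")    # name=value as printed by help:system


def masked_properties(log):
    """Names of -D properties whose value the launcher printed as asterisks."""
    names = set()
    for line in log.splitlines():
        if "Executing Maven:" in line:
            names.update(n for n, v in D_ARG.findall(line) if MASK.fullmatch(v))
    return names


def find_leaks(log):
    """Return (line_no, property) where a masked property reappears unmasked."""
    secret_names = masked_properties(log)
    leaks = []
    for no, line in enumerate(log.splitlines(), start=1):
        if "Executing Maven:" in line:
            continue
        m = PROP_LINE.match(line)
        if m and m.group(1) in secret_names and not MASK.fullmatch(m.group(2).strip()):
            leaks.append((no, m.group(1)))
    return leaks


def redact(log):
    """Rewrite each leaking line so its value is replaced by a fixed mask."""
    bad = {no for no, _ in find_leaks(log)}
    out = []
    for no, line in enumerate(log.splitlines(), start=1):
        out.append(PROP_LINE.sub(r"\1=********", line) if no in bad else line)
    return "\n".join(out)


if __name__ == "__main__":
    print(find_leaks(SAMPLE_LOG))
```

Because the check keys on property names that the launcher itself masked, it only covers secrets passed as `-D` arguments; a log that has already leaked should be treated as a disclosure of that credential regardless of later redaction.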

          Activity

          andreasmandel Andreas Mandel created issue -
          rtyler R. Tyler Croy made changes -
          Field Original Value New Value
          Workflow JNJira [ 162462 ] JNJira + In-Review [ 180933 ]
          recampbell Ryan Campbell made changes -
          Remote Link This issue links to "Root Cause (Web Link)" [ 15150 ]
          recampbell Ryan Campbell made changes -
          Resolution Not A Defect [ 7 ]
          Status Open [ 1 ] Closed [ 6 ]
          cloudbees CloudBees Inc. made changes -
          Remote Link This issue links to "CloudBees Internal OSS-645 (Web Link)" [ 18850 ]
          teilo James Nord made changes -
          Assignee James Nord [ teilo ]

            People

            Assignee: Unassigned
            Reporter: Andreas Mandel (andreasmandel)
            Votes: 0
            Watchers: 5
