Jenkins / JENKINS-28579

Passwords are shown in plain text when checking job config history


    Details

    • Type: Bug
    • Status: Open
    • Priority: Major
    • Resolution: Unresolved
    • Component/s: mask-passwords-plugin
    • Labels:
      None
    • Environment:
      Jenkins ver: 1.529
      JobConfigHistory plugin ver: 2.4

      Description

      We use the Mask Password plugin to hide passwords when they are required for the build. This is a requirement in terms of security. The problem is that passwords are shown in plain text when checking jobs' config history using the JobConfigHistory plugin, so there is still a way of getting passwords.

      We'd like to have those passwords hidden by using *** or something similar, so that no one can see them.

          Activity

          mfriedenhagen Mirko Friedenhagen added a comment -

          Hello Angela,

          • are these really plain text or do you get an encrypted/obfuscated value?
          • We use the EnvInject plugin to inject passwords and they are shown in the history encrypted/obfuscated with Jenkins' secret key.
          anbeque Angela Beteta added a comment -

          Hi Mirko,

          The values are really plain text. From your reply, I'm thinking that we could do a test installing the EnvInject plugin and see if we get any better. So far, we mask passwords using the MaskPassword plugin and it seems that EnvInject provides the same functionality and more.

          Thanks for your reply, I'll let you know if it works.

          danielbeck Daniel Beck added a comment -

          This really looks more like a bug in Mask Passwords, which should not store passwords on disk in plain text.

          Angela Beteta Could you please mention the version of Mask Passwords plugin you are using?

          anacarvalho Ana Carvalho added a comment - edited

          I have got the same error. I'm using View Cloner Plugin, which requires a user and a password. In the Build History, when we compare two build histories, it shows the password in plain text. I've installed Purge Build History to delete all build histories, but it is still possible to access the plain password through Job Config History.

          sreeramk Sam Krishna added a comment -

          Yes, the job config history still shows the passwords that are input into another plugin's configuration. This is bad. I am an admin and my admin password is clearly visible for whoever is able to browse job config history.

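An added example, not part of the original issue and not code from Jenkins or any plugin: a Python audit that an administrator could run over the directory where JobConfigHistory keeps its history (passed as `history_root`) to find entries that still hold clear-text values in password-like elements. The tag-name pattern, the ciphertext heuristic and the sample XML are assumptions constructed for illustration.

```python
import os
import re
import xml.etree.ElementTree as ET

# Assumption: tag names that suggest a credential; extend for the plugins you run.
SECRET_TAG = re.compile(r"passw|secret|token", re.I)
# Assumption: base64 text (optionally in braces), 24+ chars and a multiple of 4
# long, is treated as ciphertext rather than a clear-text password.
CIPHERTEXT = re.compile(r"^\{?([A-Za-z0-9+/]{22,}={0,2})\}?$")
XML_DECL = re.compile(r"^\s*<\?xml[^>]*\?>")

def looks_encrypted(value):
    m = CIPHERTEXT.match(value)
    return bool(m) and len(m.group(1)) % 4 == 0

def find_plaintext_secrets(xml_text):
    """Return (tag, value_length) pairs; the value itself is never returned."""
    # Drop the declaration: an XML 1.1 declaration makes the expat parser fail.
    root = ET.fromstring(XML_DECL.sub("", xml_text, count=1))
    hits = []
    for elem in root.iter():
        value = (elem.text or "").strip()
        if value and SECRET_TAG.search(elem.tag) and not looks_encrypted(value):
            hits.append((elem.tag, len(value)))
    return hits

def scan_history(history_root):
    """Map each XML file under history_root to its clear-text findings."""
    report = {}
    for dirpath, _dirs, files in os.walk(history_root):
        for name in (f for f in files if f.endswith(".xml")):
            path = os.path.join(dirpath, name)
            try:
                with open(path, encoding="utf-8", errors="replace") as fh:
                    hits = find_plaintext_secrets(fh.read())
            except ET.ParseError:
                continue  # not well-formed XML, skip it
            if hits:
                report[path] = hits
    return report

# Constructed sample, not taken from any real job configuration.
SAMPLE = """<?xml version='1.1' encoding='UTF-8'?>
<project>
  <examplePlugin><user>admin</user><password>hunter2</password></examplePlugin>
  <otherPlugin><apiToken>{QUJDREVGR0hJSktMTU5PUFFSU1RVVg==}</apiToken></otherPlugin>
</project>"""

if __name__ == "__main__":
    print(find_plaintext_secrets(SAMPLE))
```

The report lists only tag names and value lengths, so it can be shared without spreading the secrets further. Any value it flags should be rotated, since old history entries keep the exposed value even after the job configuration is corrected.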

            People

            Assignee:
            danielpetisme Daniel Petisme
            Reporter:
            anbeque Angela Beteta
            Votes:
            1
            Watchers:
            6
