
Passwords are shown in plain text when checking job config history

    • Type: Bug
    • Resolution: Unresolved
    • Priority: Major
    • mask-passwords-plugin
    • None
    • Jenkins ver: 1.529
      JobConfigHistory plugin ver: 2.4

      We use the Mask Password plugin to hide passwords when they are required for the build. This is a requirement in terms of security. The problem is that passwords are shown in plain text when checking jobs' config history using the JobConfigHistory plugin, so there is still a way of getting passwords.

      We'd like to have those passwords hidden by using *** or something similar, so that no one can see them.

          [JENKINS-28579] Passwords are shown in plain text when checking job config history

          Mirko Friedenhagen added a comment -

          Hello Angela,

          are these really plain text or do you get an encrypted/obfuscated value? We use the EnvInject plugin to inject passwords and they are shown in the history encrypted/obfuscated with Jenkins' secret key.

          Angela Beteta added a comment -

          Hi Mirko,

          The values are really plain text. From your reply, I'm thinking that we could do a test installing the EnvInject plugin and see if we get any better. So far, we mask passwords using the MaskPassword plugin and it seems that EnvInject provides the same functionality and more.

          Thanks for your reply, I'll let you know if it works.


          Daniel Beck added a comment -

          This really looks more like a bug in Mask Passwords, which should not store passwords on disk in plain text.

          anbeque Could you please mention the version of Mask Passwords plugin you are using?


          Ana Carvalho added a comment - - edited

          I have got the same error. I'm using View Cloner Plugin, that requires a user and a password. In the Build History, when we compare two build histories, it shows the password in plain text. I've installed Purge Build History to delete all build histories, but it is still possible to access the plain password through Job Config History.


          Sam Krishna added a comment -

          Yes, the job config history still shows the passwords that are input into another plugin's configuration.  This is bad. I am an admin and my admin password is clearly visible for whoever is able to browse job config history.

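A defender-side check for the exposure discussed in this thread, as an added example that is not part of the original issue or of any Jenkins plugin: it scans saved `config.xml` revisions for password-like fields whose values do not look encrypted, and reports locations only, never the values. The field-name pattern, the base64/AES-block heuristic, the directory walk, and the sample XML with its element names are assumptions constructed for illustration.

```python
import base64
import re
import xml.etree.ElementTree as ET
from pathlib import Path

# Field names treated as secret-bearing (a heuristic chosen for this example).
SECRET_NAME = re.compile(r"password|passwd|secret", re.I)

def looks_encrypted(value):
    """Heuristic: Jenkins-encrypted values are base64, optionally wrapped in {}."""
    braced = value.startswith("{") and value.endswith("}")
    try:
        raw = base64.b64decode(value[1:-1] if braced else value, validate=True)
    except ValueError:  # binascii.Error is a ValueError subclass
        return False
    # Assumption: unbraced ciphertext is a whole number of 16-byte AES blocks.
    return len(raw) >= 16 and (braced or len(raw) % 16 == 0)

def find_plaintext_secrets(xml_data):
    """Return locations (never values) of secret-named fields that look unencrypted."""
    findings = []
    for elem in ET.fromstring(xml_data).iter():
        fields = [(elem.tag, elem.tag, elem.text or "")]
        fields += [(k, f"{elem.tag}/@{k}", v) for k, v in elem.attrib.items()]
        for name, where, value in fields:
            value = value.strip()
            if value and SECRET_NAME.search(name) and not looks_encrypted(value):
                findings.append(where)
    return findings

def scan_history(history_root):
    """Map every config.xml under history_root to its flagged field locations."""
    report = {}
    for path in sorted(Path(history_root).rglob("config.xml")):
        try:
            hits = find_plaintext_secrets(path.read_bytes())
        except ET.ParseError:
            hits = ["<unparseable XML>"]
        if hits:
            report[str(path)] = hits
    return report

# Constructed sample; element names are hypothetical, not a real plugin's schema.
ENC = base64.b64encode(bytes(range(16))).decode()  # stands in for ciphertext
SAMPLE_CONFIG = f"""<project><hypotheticalWrapper>
  <varPasswordPair var="DB" password="hunter2"/>
  <varPasswordPair var="API" password="{ENC}"/></hypotheticalWrapper>
  <hypotheticalBuilder><password>Adm1n-pw</password>
  <apiSecret>{{{ENC}}}</apiSecret></hypotheticalBuilder></project>"""
```

Point `scan_history` at a copy of the directory where config history is stored; any field it flags should be treated as a credential to rotate, since older revisions keep the value even after the job is fixed.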

            danielpetisme Daniel Petisme
            anbeque Angela Beteta