  1. Jenkins
  2. JENKINS-28579

Passwords are shown in plain text when checking job config history

Details

    • Bug
    • Status: Open
    • Major
    • Resolution: Unresolved
    • mask-passwords-plugin
    • None
    • Jenkins ver: 1.529
      JobConfigHistory plugin ver: 2.4

    Description

      We use the Mask Password plugin to hide passwords when they are required for the build. This is a requirement in terms of security. The problem is that passwords are shown in plain text when checking jobs' config history using the JobConfigHistory plugin, so there is still a way of getting passwords.

      We'd like to have those passwords hidden by using *** or something similar, so that no one can see them.

        Activity

          sreeramk Sam Krishna added a comment -

          Yes, the job config history still shows the passwords that are input into another plugin's configuration. This is bad. I am an admin and my admin password is clearly visible to whoever is able to browse job config history.

          anacarvalho Ana Carvalho added a comment - - edited

          I have got the same error. I'm using View Cloner Plugin, which requires a user and a password. In the Build History, when we compare two build histories, it shows the password in plain text. I've installed Purge Build History to delete all build histories, but it is still possible to access the plain password through Job Config History.

          danielbeck Daniel Beck added a comment -

          This really looks more like a bug in Mask Passwords, which should not store passwords on disk in plain text.

          anbeque Could you please mention the version of Mask Passwords plugin you are using?

          anbeque Angela Beteta added a comment -

          Hi Mirko,

          The values are really plain text. From your reply, I'm thinking that we could do a test installing the EnvInject plugin and see if we get any better. So far, we mask passwords using the MaskPassword plugin and it seems that EnvInject provides the same functionality and more.

          Thanks for your reply, I'll let you know if it works.


          mfriedenhagen Mirko Friedenhagen added a comment -

          Hello Angela,

          • Are these really plain text or do you get a crypted/obfuscated value?
          • We use the EnvInject plugin to inject passwords and they are shown in the history crypted/obfuscated with Jenkins' secret key.
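
A defender-side check for the question raised in this thread (plain text versus an encrypted value in saved job configurations), as an added example that is not part of the original issue or of any plugin's code. It reports elements with credential-like names whose values do not look like Jenkins-encrypted secrets; the tag-name pattern, the base64 heuristic, the assumption that snapshots are files named `config.xml`, and the sample XML are all constructed for illustration.

```python
import base64
import re
import xml.etree.ElementTree as ET
from pathlib import Path

# Heuristic list of element names that tend to hold credentials (assumption).
SENSITIVE_TAG = re.compile(r"password|passwd|secret|token", re.I)

def looks_encrypted(value):
    """True if value resembles an encrypted secret: base64, optionally wrapped in {...}."""
    v = value.strip()
    v = v[1:-1] if v.startswith("{") and v.endswith("}") else v
    if len(v) < 24 or len(v) % 4:
        return False
    try:
        base64.b64decode(v, validate=True)
    except ValueError:
        return False
    return True

def find_plaintext_secrets(xml_text):
    """Return paths of sensitive-looking elements whose value is not encrypted."""
    findings = []
    def walk(elem, path):
        here = f"{path}/{elem.tag}"
        text = (elem.text or "").strip()
        if text and SENSITIVE_TAG.search(elem.tag) and not looks_encrypted(text):
            findings.append(here)  # report the location only, never the value
        for child in elem:
            walk(child, here)
    walk(ET.fromstring(xml_text), "")
    return findings

def scan_tree(root):
    """Map each config.xml snapshot under root to its findings."""
    report = {}
    for f in Path(root).rglob("config.xml"):
        try:
            hits = find_plaintext_secrets(f.read_text(errors="replace"))
        except ET.ParseError:
            hits = ["<unparsed>"]  # surface files the parser could not read
        if hits:
            report[str(f)] = hits
    return report

# Constructed sample; element names are hypothetical, not taken from any plugin.
SAMPLE = ("<project><exampleWrapper><userName>admin</userName>"
          "<password>S3cr3t!admin</password>"
          "<apiToken>{AQAAABAAAAAQq0n1x2mJ5m3l0c8Yw1f0Vg==}</apiToken>"
          "</exampleWrapper></project>")
```

A long plain-text password made up only of base64 characters would pass the heuristic, so a clean report narrows the search rather than proving that nothing is stored in the clear.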

          People

            danielpetisme Daniel Petisme
            anbeque Angela Beteta