Status: Open
Jenkins ver: 1.529
JobConfigHistory plugin ver: 2.4
We use the Mask Password plugin to hide passwords when they are required for the build. This is a requirement in terms of security. The problem is that passwords are shown in plain text when checking jobs' config history using the JobConfigHistory plugin, so there is still a way of getting the passwords.
We'd like to have those passwords hidden by using *** or something similar, so that no one can see them.
The values are really plain text. From your reply, I'm thinking that we could do a test installing the EnvInject plugin and see if we get anything better. So far, we mask passwords using the MaskPassword plugin, and it seems that EnvInject provides the same functionality and more.
Thanks for your reply, I'll let you know if it works.
This really looks more like a bug in Mask Passwords, which should not store passwords on disk in plain text.
anbeque Could you please mention the version of Mask Passwords plugin you are using?
I have got the same error. I'm using View Cloner Plugin, that requires a user and a password. In the Build History, when we compare two build histories, it shows the password in plain text. I've installed Purge Build History to delete all build histories, but it is still possible to access the plain password through Job Config History.
Yes, the job config history still shows the passwords that are input into another plugin's configuration. This is bad. I am an admin and my admin password is clearly visible for whoever is able to browse job config history.