Uploaded image for project: 'Jenkins'
  1. Jenkins
  2. JENKINS-36007

Way to mask arbitrary Secret (was: Password is clear on log with input parameter)

      On jenkins pipeline i use input with Password param but password is shown on console log

      exemple:
      def userInput = input(
      id: 'userInput', message: 'Let\'s promote?', submitter: 'DL_KATANACLOUD_TEAM', parameters: [
      [$class: 'PasswordParameterDefinition', description: 'Password', name: 'pwd']
      ])
      sh ("echo ${userInput['pwd']}")

          [JENKINS-36007] Way to mask arbitrary Secret (was: Password is clear on log with input parameter)

          Jesse Glick added a comment -

          Secrets are not masked unless you do something specific to mask them, such as using the Credentials Binding or Mask Passwords plugin.

          In this case, PasswordParameterValue returns a Secret value, which SecretPickle does ensure is not stored in cleartext in the build record itself (program.dat), but we are missing a build wrapper which would let you specify that occurrences of the plaintext in subsequent log output should be masked.

          Jesse Glick added a comment - Secrets are not masked unless you do something specific to mask them, such as using the Credentials Binding or Mask Passwords plugin. In this case, PasswordParameterValue returns a Secret value, which SecretPickle does ensure is not stored in cleartext in the build record itself ( program.dat ), but we are missing a build wrapper which would let you specify that occurrences of the plaintext in subsequent log output should be masked.

            jglick Jesse Glick
            sebglon sébastien glon
            Votes:
            6 Vote for this issue
            Watchers:
            10 Start watching this issue

              Created:
              Updated: