Jenkins / JENKINS-36007

Way to mask arbitrary Secret (was: Password is clear on log with input parameter)

Details

    Description

      In a Jenkins pipeline I use input with a Password param, but the password is shown in the console log.

      Example:
      def userInput = input(
      id: 'userInput', message: 'Let\'s promote?', submitter: 'DL_KATANACLOUD_TEAM', parameters: [
      [$class: 'PasswordParameterDefinition', description: 'Password', name: 'pwd']
      ])
      sh ("echo ${userInput['pwd']}")

          Activity

            jglick Jesse Glick added a comment -

            Secrets are not masked unless you do something specific to mask them, such as using the Credentials Binding or Mask Passwords plugin.

            In this case, PasswordParameterValue returns a Secret value, which SecretPickle does ensure is not stored in cleartext in the build record itself (program.dat), but we are missing a build wrapper which would let you specify that occurrences of the plaintext in subsequent log output should be masked.

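Added example (not from the issue and not Jenkins or plugin code): a small Python model of the log-masking wrapper the comment above says is missing, i.e. a filter that replaces occurrences of a known plaintext in subsequent log output. The names MaskingLog and run_demo, the mask string and the sample password are constructed for illustration; the demo also shows that an encoded copy of the secret passes through unmasked.

```python
import base64
import re

MASK = "****"  # assumed mask string, chosen for this example


class MaskingLog:
    """Line-buffered log sink that masks registered secrets before storing output."""

    def __init__(self, secrets):
        # Longest first, so a secret that contains another one is masked whole.
        ordered = sorted({s for s in secrets if s}, key=len, reverse=True)
        self._pattern = re.compile("|".join(map(re.escape, ordered))) if ordered else None
        self._pending = ""   # partial line not yet terminated by "\n"
        self.lines = []      # masked lines, as they would reach the console log

    def write(self, chunk):
        # Mask complete lines only: a secret split across two writes is
        # reassembled in the buffer before the pattern is applied.
        self._pending += chunk
        *complete, self._pending = self._pending.split("\n")
        self.lines.extend(self._mask(line) for line in complete)

    def close(self):
        # Flush a final line that had no trailing newline.
        if self._pending:
            self.lines.append(self._mask(self._pending))
            self._pending = ""

    def _mask(self, line):
        return self._pattern.sub(MASK, line) if self._pattern else line


def run_demo():
    pwd = "s3cr3t-Pa55"                    # constructed sample value
    log = MaskingLog([pwd])
    log.write("+ echo s3cr")               # secret split across two writes
    log.write("3t-Pa55\n")
    log.write(pwd + "\n")                  # output of the echo itself
    # Limitation: only the literal plaintext is matched, so a transformed
    # copy (here base64) is written to the log unmasked.
    log.write(base64.b64encode(pwd.encode()).decode() + "\n")
    log.close()
    return log.lines


if __name__ == "__main__":
    print("\n".join(run_demo()))
```

Masking of this kind is a display filter over known literals; it does not stop a build step from writing the value in another encoding, so the secret should still be handed only to steps that need it.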

            People

              jglick Jesse Glick
              sebglon sébastien glon
              Votes: 6
              Watchers: 10
