Uploaded image for project: 'Jenkins'
  1. Jenkins
  2. JENKINS-36007

Way to mask arbitrary Secret (was: Password is clear on log with input parameter)

      On jenkins pipeline i use input with Password param but password is shown on console log

      exemple:
      def userInput = input(
      id: 'userInput', message: 'Let\'s promote?', submitter: 'DL_KATANACLOUD_TEAM', parameters: [
      [$class: 'PasswordParameterDefinition', description: 'Password', name: 'pwd']
      ])
      sh ("echo ${userInput['pwd']}")

          [JENKINS-36007] Way to mask arbitrary Secret (was: Password is clear on log with input parameter)

          sébastien glon created issue -
          R. Tyler Croy made changes -
          Workflow Original: JNJira [ 172646 ] New: JNJira + In-Review [ 184706 ]

          Jesse Glick added a comment -

          Secrets are not masked unless you do something specific to mask them, such as using the Credentials Binding or Mask Passwords plugin.

          In this case, PasswordParameterValue returns a Secret value, which SecretPickle does ensure is not stored in cleartext in the build record itself (program.dat), but we are missing a build wrapper which would let you specify that occurrences of the plaintext in subsequent log output should be masked.

          Jesse Glick added a comment - Secrets are not masked unless you do something specific to mask them, such as using the Credentials Binding or Mask Passwords plugin. In this case, PasswordParameterValue returns a Secret value, which SecretPickle does ensure is not stored in cleartext in the build record itself ( program.dat ), but we are missing a build wrapper which would let you specify that occurrences of the plaintext in subsequent log output should be masked.
          Jesse Glick made changes -
          Issue Type Original: Bug [ 1 ] New: New Feature [ 2 ]
          Summary Original: Password is clear on log with input parameter New: Way to mask arbitrary Secret (was: Password is clear on log with input parameter)
          Andrew Bayer made changes -
          Component/s New: pipeline-general [ 21692 ]
          Andrew Bayer made changes -
          Component/s Original: workflow-plugin [ 18820 ]
          Jesse Glick made changes -
          Component/s New: credentials-binding-plugin [ 18129 ]
          Component/s New: mask-passwords-plugin [ 15761 ]
          Component/s Original: pipeline [ 21692 ]
          Jesse Glick made changes -
          Labels Original: pipeline plugin security New: pipeline security
          Jesse Glick made changes -
          Link New: This issue is duplicated by JENKINS-34264 [ JENKINS-34264 ]
          Jesse Glick made changes -
          Link New: This issue relates to JENKINS-27398 [ JENKINS-27398 ]

            jglick Jesse Glick
            sebglon sébastien glon
            Votes:
            7 Vote for this issue
            Watchers:
            11 Start watching this issue

              Created:
              Updated: