[JENKINS-36007] Way to mask arbitrary Secret (was: Password is clear on log with input parameter)

Type: New Feature
Resolution: Unresolved
Priority: Critical
Component/s: credentials-binding-plugin, mask-passwords-plugin
Labels:
- pipeline
- security

Similar Issues:
Powered by SuggestiMate

Show

On jenkins pipeline i use input with Password param but password is shown on console log

exemple:
def userInput = input(
id: 'userInput', message: 'Let\'s promote?', submitter: 'DL_KATANACLOUD_TEAM', parameters: [
[$class: 'PasswordParameterDefinition', description: 'Password', name: 'pwd']
])
sh ("echo ${userInput['pwd']}")

is duplicated by

JENKINS-34264 Support Global passwords from Mask Passwords in Pipeline

Resolved

relates to

JENKINS-27398 Pipeline-as-Code CredentialsProvider for a job

Open

JENKINS-43814 Password parameters should be hidden in pipeline logs by default

Open

JENKINS-27486 Workflow step to mask console output

Resolved

JENKINS-47101 Pipeline withCredentials step does not mask step descriptions for variables with the same name as existing system variables

Resolved

sébastien glon created issue - 2016-06-16 10:42

R. Tyler Croy made changes - 2016-07-25 23:52

Workflow

Original: JNJira [ 172646 ]

New: JNJira + In-Review [ 184706 ]

Jesse Glick added a comment - 2016-08-15 14:26

Secrets are not masked unless you do something specific to mask them, such as using the Credentials Binding or Mask Passwords plugin.

In this case, PasswordParameterValue returns a Secret value, which SecretPickle does ensure is not stored in cleartext in the build record itself (program.dat), but we are missing a build wrapper which would let you specify that occurrences of the plaintext in subsequent log output should be masked.

Jesse Glick added a comment - 2016-08-15 14:26 Secrets are not masked unless you do something specific to mask them, such as using the Credentials Binding or Mask Passwords plugin. In this case, PasswordParameterValue returns a Secret value, which SecretPickle does ensure is not stored in cleartext in the build record itself ( program.dat ), but we are missing a build wrapper which would let you specify that occurrences of the plaintext in subsequent log output should be masked.

Jesse Glick made changes - 2016-08-15 14:26

Issue Type	Original: Bug [ 1 ]	New: New Feature [ 2 ]
Summary	Original: Password is clear on log with input parameter	New: Way to mask arbitrary Secret (was: Password is clear on log with input parameter)

Andrew Bayer made changes - 2016-08-26 21:51

Component/s

New: pipeline-general [ 21692 ]

Andrew Bayer made changes - 2016-08-26 21:53

Component/s

Original: workflow-plugin [ 18820 ]

Jesse Glick made changes - 2016-08-29 22:51

Component/s		New: credentials-binding-plugin [ 18129 ]
Component/s		New: mask-passwords-plugin [ 15761 ]
Component/s	Original: pipeline [ 21692 ]

Jesse Glick made changes - 2016-08-29 22:51

Labels

Original: pipeline plugin security

New: pipeline security

Jesse Glick made changes - 2016-09-30 16:59

Link

New: This issue is duplicated by ~~JENKINS-34264~~ [ ~~JENKINS-34264~~ ]

Jesse Glick made changes - 2016-09-30 16:59

Link

New: This issue relates to JENKINS-27398 [ JENKINS-27398 ]

Assignee:: Jesse Glick

Reporter:: sébastien glon

Votes:: 7 Vote for this issue

Watchers:: 11 Start watching this issue

Created:: 2016-06-16 10:42

Updated:: 2019-07-09 22:12

Jenkins

Details

Description

Attachments

Issue Links

Activity

Collapse comment: Jesse Glick added a comment - 2016-08-15 14:26

Expand comment: Jesse Glick added a comment - 2016-08-15 14:26

People

Dates