-
Bug
-
Resolution: Won't Fix
-
Major
-
None
Problem
A developer can accidentally unmask the credential to the console if they reference it as a variable outside of the withCredentials block in Pipeline.
Examples
The password for testCredentials would be echo to the console without it being masked.
withCredentials([usernamePassword(credentialsId:'testCredentials', passwordVariable:'PASSWORD', usernameVariable:'USER')]) { echo '${password}' // password is masked } echo ${password}' // password is not masked
Even if we enforced that the password variable should only be used inside the withPassword block, it would still be possible to unmask the password with a Pipeline like the following
def nicePasswordBro; withCredentials([usernamePassword(credentialsId:'testCredentials', passwordVariable:'PASSWORD', usernameVariable:'USER')]) { nicePasswordBro = '${password}' echo '${password}' // password is masked } echo nicePasswordBro // password is not masked
Original request
Example pipeline code:
node {
def usernameLocal, passwordLocal
withCredentials([[$class: 'UsernamePasswordMultiBinding', credentialsId: 'simple_creds', passwordVariable: 'PASSWORD', usernameVariable: 'USERNAME']]) {
echo "echo step - env: ${env.USERNAME} - password through ${env.PASSWORD}"
sh 'echo "sh step - echo: ${USERNAME} - ${PASSWORD}"'
usernameLocal = env.USERNAME
passwordLocal = env.PASSWORD
echo "echo step (in block) - vars: ${usernameLocal} - ${passwordLocal}"
}
echo "echo step (out of block) - vars: ${usernameLocal} - ${passwordLocal}"
}
Output
[Pipeline] node
Running on master in /var/jenkins_home/workspace/with-credentials
[Pipeline] {
[Pipeline] withCredentials
[Pipeline] {
[Pipeline] echo
echo step - env: **** - password through ****
[Pipeline] sh
[with-credentials] Running shell script
+ echo sh step - echo: **** - ****
sh step - echo: **** - ****
[Pipeline] echo
echo step (in block) - vars: **** - ****
[Pipeline] }
[Pipeline] // withCredentials
[Pipeline] echo
echo step (out of block) - vars: myusername - mypassword
[Pipeline] }
[Pipeline] // node
[Pipeline] End of Pipeline
Finished: SUCCESS
Expectations
I expect that the credentials would still be accessible but would still be masked.
[JENKINS-38181] withCredentials variables that are extracted are not masked outside of block
jglick it seems odd that the expected behavior of users using credentials is that they can get the plaintext as well as print them out to the logs.
If your build has access to credentials, then of course the user defining the build can get access to the credentials in innumerable ways. Password masking merely reduces the chance of accidental disclosure to others, for example from unnoticed debug logs. The scope of the masking is the block where the credentials are defined.
Issue is still persists. Kindly help me. How to access the password outside of withCredentials. But it should be masked.
Here is my test pipeline code:
stage("Pwd example") {
withCredentials([usernamePassword(credentialsId:'testCredentials', passwordVariable:'PASSWORD', usernameVariable:'USER')]) {
userId = "${USER}"
password = "${PASSWORD}"
echo "User ID in out side node,in side of with credential : ${userId}"
echo "Password in out side node,in side of with credential :${password}"
}
echo "User ID in out side node,out side of with credential :${userId}"
echo "Password in out side node,out side of with credential :${password}"
node('master') {
echo "User ID in side node : ${userId}"
echo "Password in side node : ${password}"
sh " echo User ID in side SHELL : ${userId}"
sh" echo Password in side SHELL: ${password}"
}
}
Output:
[Pipeline] stage[Pipeline] { (Pwd Example)[Pipeline] withCredentials[Pipeline] {[Pipeline] echoUser ID in out side node,in side of with credential : ***[Pipeline] echoPassword in out side node,in side of with credential :***[Pipeline] }[Pipeline] // withCredentials[Pipeline] echoUser ID in out side node,out side of with credential :ciuserid[Pipeline] echoPassword in out side node,out side of with credential :cipwd[Pipeline] nodeRunning on master in /var/jenkins/master/workspace/testcred[Pipeline] {[Pipeline] echoUser ID in side node : ciuserid[Pipeline] echoPassword in side node : cipwd[Pipeline] sh[TestWCMS] Running shell script
+ echo User ID in side SHELL : ciuserid
User ID in side SHELL : cipwd[Pipeline] sh[testcred] Running shell script
+ echo Password in side SHELL: ciuserid
Password in side SHELL: cipwd[Pipeline] }[Pipeline] // node[Pipeline] }[Pipeline] // stage[Pipeline] End of PipelineFinished: SUCCESS
avskishore please use the Jenkins user’s list etc. for assistance, not JIRA.
On review I think this issue is quite legitimate. We won't be able to protect users from finding passwords, but we can prevent them from accidentally being displayed on the screen.
I've reopened and will get a second opinion from CloudBees engineering.
fwiw, I'm still saying the same thing I've been saying: abusing withCredentials variables is something we can't stop. Even if we found a way to track and mask the withCredentials variables outside of the block, a malicious user could still do something like password = "${PASSWORD}".split('').join('_'). I firmly believe this is a won't fix.
Agreed, this is not a defect and can be closed. FWIW I recently cut a release of credentials-binding that attempted to explain the security model more clearly in the Pipeline Syntax help text.
Your expectation was incorrect.