[JENKINS-38181] withCredentials variables that are extracted are not masked outside of block

      Problem
      A developer can accidentally unmask the credential to the console if they reference it as a variable outside of the withCredentials block in Pipeline.

      Examples
      The password for testCredentials would be echoed to the console without being masked:

      withCredentials([usernamePassword(credentialsId: 'testCredentials', passwordVariable: 'PASSWORD', usernameVariable: 'USER')]) {
         echo "${PASSWORD}" // password is masked
      }
      echo "${PASSWORD}" // password is not masked
      

      Even if we enforced that the password variable may only be used inside the withCredentials block, it would still be possible to unmask the password with a Pipeline like the following:

      def nicePasswordBro
      withCredentials([usernamePassword(credentialsId: 'testCredentials', passwordVariable: 'PASSWORD', usernameVariable: 'USER')]) {
         nicePasswordBro = "${PASSWORD}"
         echo "${PASSWORD}" // password is masked
      }
      echo nicePasswordBro // password is not masked
      

      Original request

      Example pipeline code:

      node {
        def usernameLocal, passwordLocal
        withCredentials([[$class: 'UsernamePasswordMultiBinding', credentialsId: 'simple_creds', passwordVariable: 'PASSWORD', usernameVariable: 'USERNAME']]) {
          echo "echo step - env: ${env.USERNAME} - password through ${env.PASSWORD}"
          sh 'echo "sh step - echo: ${USERNAME} - ${PASSWORD}"'
          usernameLocal = env.USERNAME
          passwordLocal = env.PASSWORD
          echo "echo step (in block) - vars: ${usernameLocal} - ${passwordLocal}"
        }
        echo "echo step (out of block) - vars: ${usernameLocal} - ${passwordLocal}"
      }
      

      Output

      [Pipeline] node
      Running on master in /var/jenkins_home/workspace/with-credentials
      [Pipeline] {
      [Pipeline] withCredentials
      [Pipeline] {
      [Pipeline] echo
      echo step - env: **** - password through ****
      [Pipeline] sh
      [with-credentials] Running shell script
      + echo sh step - echo: **** - ****
      sh step - echo: **** - ****
      [Pipeline] echo
      echo step (in block) - vars: **** - ****
      [Pipeline] }
      [Pipeline] // withCredentials
      [Pipeline] echo
      echo step (out of block) - vars: myusername - mypassword
      [Pipeline] }
      [Pipeline] // node
      [Pipeline] End of Pipeline
      Finished: SUCCESS
      

      Expectations

      I expect that the credentials would still be accessible but would still be masked.
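The pattern that keeps the masking guarantee is to let only non-secret results leave the block, and to hand the secret to the shell through its environment rather than through Groovy string interpolation. The following Jenkinsfile is an added example, not code from this report or from the credentials-binding plugin; the credential id matches the one used in the report, while the API_USER/API_PASSWORD variable names and the URL are placeholders.

```groovy
// Added example for JENKINS-38181; not code from the report or from the
// credentials-binding plugin. Assumes a "Username with password" credential
// with id 'testCredentials' (the id the report uses) and a Linux agent with
// curl. The URL is a placeholder.
node {
    // Only this non-secret value is allowed to leave the block.
    def httpStatus

    withCredentials([usernamePassword(credentialsId: 'testCredentials',
                                      usernameVariable: 'API_USER',
                                      passwordVariable: 'API_PASSWORD')]) {

        // UNSAFE (shown for contrast, commented out): Groovy interpolation
        // copies the secret into the generated script, so it lands in the
        // workspace script file and in the shell's `+` xtrace line.
        // sh "curl -u ${API_USER}:${API_PASSWORD} https://example.invalid/api/health"

        // SAFE: a single-quoted Groovy string is not interpolated, so the shell
        // reads $API_USER / $API_PASSWORD from its environment, which
        // withCredentials sets only for the duration of this block.
        // `set +x` stops the shell from echoing the expanded command line, and
        // the credential reaches curl through a config read on stdin (-K -),
        // written by the shell's builtin printf, so it is not on any process
        // command line either. (A password containing a double quote would need
        // escaping in the config line.)
        httpStatus = sh(
            returnStdout: true,
            script: '''
                set +x
                printf 'user = "%s:%s"\\n' "$API_USER" "$API_PASSWORD" \\
                  | curl -sS -o /dev/null -w '%{http_code}' -K - https://example.invalid/api/health
            '''
        ).trim()
    }

    // Safe to log: httpStatus carries no secret. Do not copy API_PASSWORD into a
    // variable here; once the block ends the console filter is gone.
    echo "health endpoint returned HTTP ${httpStatus}"
}
```

The report's own `sh 'echo "... ${PASSWORD}"'` step already uses the single-quoted form; what leaks in the report is the copy into `passwordLocal`, which this pattern never makes.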

          Jesse Glick added a comment -

          Your expectation was incorrect.

          Mike Kobit added a comment -

          jglick it seems odd that the expected behavior of users using credentials is that they can get the plaintext as well as print them out to the logs.

          Jesse Glick added a comment -

          If your build has access to credentials, then of course the user defining the build can get access to the credentials in innumerable ways. Password masking merely reduces the chance of accidental disclosure to others, for example from unnoticed debug logs. The scope of the masking is the block where the credentials are defined.

          Harikishore Palanisamy added a comment - edited

          The issue still persists. Kindly help me. How do I access the password outside of withCredentials, but still have it masked?

          Here is my test pipeline code:

          stage("Pwd example") {
              withCredentials([usernamePassword(credentialsId: 'testCredentials', passwordVariable: 'PASSWORD', usernameVariable: 'USER')]) {
                  userId = "${USER}"
                  password = "${PASSWORD}"
                  echo "User ID in out side node,in side of with credential : ${userId}"
                  echo "Password  in out side node,in side of with credential :${password}"
              }
              echo "User ID in out side node,out side of with credential :${userId}"
              echo "Password  in out side node,out side of with credential :${password}"
              node('master') {
                  echo "User ID in side node : ${userId}"
                  echo "Password  in side node : ${password}"
                  sh "echo User ID in side SHELL : ${userId}"
                  sh "echo Password in side SHELL: ${password}"
              }
          }

          Output:

          [Pipeline] stage
          [Pipeline] { (Pwd Example)
          [Pipeline] withCredentials
          [Pipeline] {
          [Pipeline] echo
          User ID in out side node,in side of with credential : ***
          [Pipeline] echo
          Password in out side node,in side of with credential :***
          [Pipeline] }
          [Pipeline] // withCredentials
          [Pipeline] echo
          User ID in out side node,out side of with credential :ciuserid
          [Pipeline] echo
          Password in out side node,out side of with credential :cipwd
          [Pipeline] node
          Running on master in /var/jenkins/master/workspace/testcred
          [Pipeline] {
          [Pipeline] echo
          User ID in side node : ciuserid
          [Pipeline] echo
          Password in side node : cipwd
          [Pipeline] sh
          [TestWCMS] Running shell script
          + echo User ID in side SHELL : ciuserid
          User ID in side SHELL : cipwd
          [Pipeline] sh
          [testcred] Running shell script
          + echo Password in side SHELL: ciuserid
          Password in side SHELL: cipwd
          [Pipeline] }
          [Pipeline] // node
          [Pipeline] }
          [Pipeline] // stage
          [Pipeline] End of Pipeline
          Finished: SUCCESS

          The issue is still there. Kindly help me.

          Jesse Glick added a comment -

          avskishore please use the Jenkins user’s list etc. for assistance, not JIRA.

          James Dumay added a comment - edited

          On review I think this issue is quite legitimate. We won't be able to protect users from finding passwords, but we can prevent them from accidentally being displayed on the screen.

          I've reopened and will get a second opinion from CloudBees engineering.

          Andrew Bayer added a comment -

          fwiw, I'm still saying the same thing I've been saying: abusing withCredentials variables is something we can't stop. Even if we found a way to track and mask the withCredentials variables outside of the block, a malicious user could still do something like password = "${PASSWORD}".split('').join('_'). I firmly believe this is a won't fix.

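To make the security model described in the comments above concrete, here is a small stand-alone Groovy model of the console filter. It is an added example, not the credentials-binding plugin's code: it assumes, as the comments state, that masking is a literal substring replacement of the bound values that is active only while the block runs. Run it with plain `groovy`. It reproduces both the leak in the report (a copy read after the block) and the transformation Andrew Bayer describes, which defeats literal matching even inside the block. The password value is constructed.

```groovy
// Added example, not code from the credentials-binding plugin. A minimal
// model of console masking: literal replacement of the currently bound
// secrets, installed for the duration of a block and removed afterwards.
import java.util.regex.Pattern

class MaskingConsole {
    private List<String> activeSecrets = []   // secrets currently being masked
    List<String> lines = []                    // what "reaches the build log"

    void echo(String text) {
        String out = text
        for (String s : activeSecrets) {
            // exact, literal substring replacement; nothing else is recognised
            out = out.replaceAll(Pattern.quote(s), '****')
        }
        lines << out
    }

    // stands in for withCredentials: the filter exists only while body runs
    def withSecrets(List<String> secrets, Closure body) {
        activeSecrets = secrets
        try {
            return body()
        } finally {
            activeSecrets = []
        }
    }
}

def console = new MaskingConsole()
String password = 'hunter2-constructed'   // constructed sample, not a real credential

// 1. The leak from the report: a copy taken inside the block is masked while
//    the filter is active and printed in clear once the block has ended.
String leaked
console.withSecrets([password]) {
    leaked = password
    console.echo("inside the block: ${password}")
}
console.echo("outside the block: ${leaked}")

// 2. Any transformation of the value defeats literal matching, even inside
//    the block, so tracking the variable would not close the gap.
console.withSecrets([password]) {
    console.echo("spaced inside the block: ${password.split('').join('_')}")
    console.echo("reversed inside the block: ${password.reverse()}")
}

console.lines.each { println it }
```

Only the first line comes out masked; the copy printed after the block and the two transformed values inside it reach the log in clear, which is the behaviour the thread settles on as by design.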
          Jesse Glick added a comment -

          Agreed, this is not a defect and can be closed. FWIW I recently cut a release of credentials-binding that attempted to explain the security model more clearly in the Pipeline Syntax help text.

          Jesse Glick added a comment -

          As discussed above.
