Jenkins / JENKINS-38181

withCredentials variables that are extracted are not masked outside of block

      Description

      Problem
      A developer can accidentally unmask the credential to the console if they reference it as a variable outside of the withCredentials block in Pipeline.

      Examples
      The password for testCredentials would be echoed to the console without being masked.

      withCredentials([usernamePassword(credentialsId: 'testCredentials', passwordVariable: 'PASSWORD', usernameVariable: 'USER')]) {
         echo "${PASSWORD}" // password is masked
      }
      echo "${PASSWORD}" // password is not masked
      

      Even if we enforced that the password variable should only be used inside the withCredentials block, it would still be possible to unmask the password with a Pipeline like the following:

      def nicePasswordBro
      withCredentials([usernamePassword(credentialsId: 'testCredentials', passwordVariable: 'PASSWORD', usernameVariable: 'USER')]) {
         nicePasswordBro = "${PASSWORD}"   // copy the bound value to a Groovy variable that outlives the block
         echo "${PASSWORD}" // password is masked
      }
      echo nicePasswordBro // password is not masked
      

      Original request

      Example pipeline code:

      node {
        def usernameLocal, passwordLocal
        withCredentials([[$class: 'UsernamePasswordMultiBinding', credentialsId: 'simple_creds', passwordVariable: 'PASSWORD', usernameVariable: 'USERNAME']]) {
          echo "echo step - env: ${env.USERNAME} - password through ${env.PASSWORD}"
          sh 'echo "sh step - echo: ${USERNAME} - ${PASSWORD}"'
          usernameLocal = env.USERNAME
          passwordLocal = env.PASSWORD
          echo "echo step (in block) - vars: ${usernameLocal} - ${passwordLocal}"
        }
        echo "echo step (out of block) - vars: ${usernameLocal} - ${passwordLocal}"
      }
      

      Output

      [Pipeline] node
      Running on master in /var/jenkins_home/workspace/with-credentials
      [Pipeline] {
      [Pipeline] withCredentials
      [Pipeline] {
      [Pipeline] echo
      echo step - env: **** - password through ****
      [Pipeline] sh
      [with-credentials] Running shell script
      + echo sh step - echo: **** - ****
      sh step - echo: **** - ****
      [Pipeline] echo
      echo step (in block) - vars: **** - ****
      [Pipeline] }
      [Pipeline] // withCredentials
      [Pipeline] echo
      echo step (out of block) - vars: myusername - mypassword
      [Pipeline] }
      [Pipeline] // node
      [Pipeline] End of Pipeline
      Finished: SUCCESS
      

      Expectations

      I expect that the credentials would still be accessible but would still be masked.
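The following Jenkinsfile is an added example for this page, not code from the report or from the credentials-binding plugin. It puts the recommended pattern (consume the secret inside the block, from the shell's environment, through a single-quoted Groovy string so Groovy never holds the value) beside the two leaks discussed on this page: copying the bound value into a Groovy variable that outlives the block, and transforming the value so the mask no longer matches it. It assumes the 'testCredentials' username/password credential from the report exists; the curl target is a placeholder.

```groovy
// Added example (not from the JENKINS-38181 report or the plugin).
// Assumes a usernamePassword credential with ID 'testCredentials' exists;
// https://example.invalid is a placeholder host.
node {
    // 1. Recommended: the secret is read by the shell, inside the block, from the
    //    step's environment. The Groovy string is single-quoted (triple quotes
    //    here), so Groovy performs no interpolation and the value never enters a
    //    Groovy variable. Console output produced in the block is masked.
    withCredentials([usernamePassword(credentialsId: 'testCredentials',
                                      usernameVariable: 'USERNAME',
                                      passwordVariable: 'PASSWORD')]) {
        sh '''
            set +x   # the sh step runs with -x; stop it from tracing the expanded command
            curl -fsS -u "$USERNAME:$PASSWORD" https://example.invalid/api/ping
        '''
    }

    // 2. Works but risky: double quotes make Groovy interpolate the secret into the
    //    generated shell script on the controller before sh runs it. The console is
    //    still masked inside the block, but the value now lives in a Groovy string.
    withCredentials([usernamePassword(credentialsId: 'testCredentials',
                                      usernameVariable: 'USERNAME',
                                      passwordVariable: 'PASSWORD')]) {
        sh "curl -fsS -u '${USERNAME}:${PASSWORD}' https://example.invalid/api/ping"
    }

    // 3. The leaks from this issue. Masking is scoped to the block and matches
    //    the exact secret string only.
    def leaked
    withCredentials([usernamePassword(credentialsId: 'testCredentials',
                                      usernameVariable: 'USERNAME',
                                      passwordVariable: 'PASSWORD')]) {
        leaked = env.PASSWORD
        echo "inside the block: ${leaked}"                  // prints ****
        echo "transformed: ${env.PASSWORD.reverse()}"       // clear text, even inside the block
    }
    echo "outside the block: ${leaked}"                     // clear text
}
```

The masking in case 1 and case 2 is a console-log filter, not an access control: anyone who can edit the Pipeline can read the credential, as the comments below point out. The pattern in case 1 limits accidental exposure; it does not change who can obtain the value.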

          Activity

          jglick Jesse Glick added a comment -

          Harikishore Palanisamy please use the Jenkins user’s list etc. for assistance, not JIRA.

          jamesdumay James Dumay added a comment (edited) -

          On review I think this issue is quite legitimate. We won't be able to protect users from finding passwords, but we can prevent them from accidentally being displayed on the screen.

          I've reopened and will get a second opinion from CloudBees engineering.

          abayer Andrew Bayer added a comment -

          fwiw, I'm still saying the same thing I've been saying: abusing withCredentials variables is something we can't stop. Even if we found a way to track and mask the withCredentials variables outside of the block, a malicious user could still do something like password = "${PASSWORD}".split('').join('_'). I firmly believe this is a won't fix.

          jglick Jesse Glick added a comment -

          Agreed, this is not a defect and can be closed. FWIW I recently cut a release of credentials-binding that attempted to explain the security model more clearly in the Pipeline Syntax help text.

          jglick Jesse Glick added a comment -

          As discussed above.


            People

            Assignee: Olivier Lamy (olamy)
            Reporter: Mike Kobit (mkobit)
            Votes: 2
            Watchers: 9