- Bug
- Resolution: Won't Fix
- Major
- None
Problem
A developer can accidentally expose an unmasked credential in the console log by referencing it as a variable outside of the withCredentials block in a Pipeline.
Examples
The password for testCredentials would be echoed to the console without being masked:
withCredentials([usernamePassword(credentialsId: 'testCredentials', passwordVariable: 'PASSWORD', usernameVariable: 'USER')]) {
    echo "${PASSWORD}" // password is masked
}
echo "${PASSWORD}" // password is not masked
Even if we enforced that the password variable may only be used inside the withCredentials block, it would still be possible to unmask the password with a Pipeline like the following, because the value is copied into a variable that outlives the block:
def nicePasswordBro
withCredentials([usernamePassword(credentialsId: 'testCredentials', passwordVariable: 'PASSWORD', usernameVariable: 'USER')]) {
    nicePasswordBro = "${PASSWORD}"
    echo "${PASSWORD}" // password is masked
}
echo nicePasswordBro // password is not masked
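The behaviour above follows from how the masking is implemented: it is a console-log filter that is attached only while the block runs and rewrites matching text, so it never protects a copy of the value. The following Python model, added here as an illustration and not code from this issue or from Jenkins, reproduces the ticket's pipeline against such a scope-bound filter and adds a post-hoc log check a practitioner can run over captured console output. The class and function names (MaskedConsole, run_pipeline, find_leaked_secrets), the constructed credential values myusername / mypassword and the simplified masking logic are assumptions for the illustration.

```python
import io
import re
from contextlib import contextmanager

MASK = "****"


class MaskedConsole:
    """A build log with scope-bound secret masking.

    Simplified model (an assumption of this example, not the plugin's code) of
    the credentials-binding behaviour in the ticket: while a withCredentials
    block is active, a filter rewrites any occurrence of the bound secret
    values in console output to ****. The filter operates on the text being
    written, not on the values themselves, and it is detached when the block
    exits.
    """

    def __init__(self):
        self._buf = io.StringIO()
        self._active = []  # stack of secret values currently being masked

    def echo(self, line):
        """Write one line to the log through the active masks; return what was written."""
        out = line
        pats = sorted((s for s in self._active if s), key=len, reverse=True)
        if pats:
            # Longest first so a secret that is a prefix of another is not half-masked.
            out = re.sub("|".join(re.escape(s) for s in pats), MASK, line)
        self._buf.write(out + "\n")
        return out

    @contextmanager
    def with_credentials(self, **bindings):
        """Expose bound values as an env-like dict and mask them until the block ends."""
        self._active.extend(bindings.values())
        try:
            yield dict(bindings)
        finally:
            for _ in bindings:
                self._active.pop()

    def log(self):
        return self._buf.getvalue()


def run_pipeline(console, username="myusername", password="mypassword"):
    """Reproduce the ticket's pipeline: masked inside the block, leaked via a copy outside."""
    lines = []
    with console.with_credentials(USERNAME=username, PASSWORD=password) as env:
        lines.append(console.echo(
            f"echo step - env: {env['USERNAME']} - password through {env['PASSWORD']}"))
        username_local = env["USERNAME"]  # copying the value is what defeats the masking
        password_local = env["PASSWORD"]
        lines.append(console.echo(
            f"echo step (in block) - vars: {username_local} - {password_local}"))
    # The filter is gone; the copies still hold the cleartext.
    lines.append(console.echo(
        f"echo step (out of block) - vars: {username_local} - {password_local}"))
    return lines


def find_leaked_secrets(log_text, secrets):
    """Post-hoc check: which of the given secret values appear verbatim in a captured log."""
    return [s for s in secrets if s and s in log_text]


if __name__ == "__main__":
    console = MaskedConsole()
    for line in run_pipeline(console):
        print(line)
    print("leaked:", find_leaked_secrets(console.log(), ["myusername", "mypassword"]))
```

The practical consequence is that masking is a property of the log filter, not of the value: any copy of the secret (a Groovy local, a file in the workspace, an environment variable set for a later step) is printed in the clear once the block has ended. Keep every use of the credential inside the block, and when passing it to a shell step prefer a single-quoted Groovy string such as sh 'echo "$PASSWORD"' so that the shell, not Groovy string interpolation, expands the variable.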
Original request
Example pipeline code:
node {
    def usernameLocal, passwordLocal
    withCredentials([[$class: 'UsernamePasswordMultiBinding', credentialsId: 'simple_creds', passwordVariable: 'PASSWORD', usernameVariable: 'USERNAME']]) {
        echo "echo step - env: ${env.USERNAME} - password through ${env.PASSWORD}"
        sh 'echo "sh step - echo: ${USERNAME} - ${PASSWORD}"'
        usernameLocal = env.USERNAME
        passwordLocal = env.PASSWORD
        echo "echo step (in block) - vars: ${usernameLocal} - ${passwordLocal}"
    }
    echo "echo step (out of block) - vars: ${usernameLocal} - ${passwordLocal}"
}
Output
[Pipeline] node
Running on master in /var/jenkins_home/workspace/with-credentials
[Pipeline] {
[Pipeline] withCredentials
[Pipeline] {
[Pipeline] echo
echo step - env: **** - password through ****
[Pipeline] sh
[with-credentials] Running shell script
+ echo sh step - echo: **** - ****
sh step - echo: **** - ****
[Pipeline] echo
echo step (in block) - vars: **** - ****
[Pipeline] }
[Pipeline] // withCredentials
[Pipeline] echo
echo step (out of block) - vars: myusername - mypassword
[Pipeline] }
[Pipeline] // node
[Pipeline] End of Pipeline
Finished: SUCCESS
Expectations
I expect that the credentials would still be accessible but would still be masked.
[JENKINS-38181] withCredentials variables that are extracted are not masked outside of block
Resolution | New: Not A Defect [ 7 ] | |
Status | Original: Open [ 1 ] | New: Resolved [ 5 ] |
Resolution | Original: Not A Defect [ 7 ] | |
Status | Original: Resolved [ 5 ] | New: Reopened [ 4 ] |
Resolution | New: Not A Defect [ 7 ] | |
Status | Original: Reopened [ 4 ] | New: Resolved [ 5 ] |
Remote Link | New: This issue links to "CloudBees Internal OSS-2490 (Web Link)" [ 18275 ] |
Remote Link | New: This issue links to "CloudBees Internal OSS-1421 (Web Link)" [ 18701 ] |
Remote Link | New: This issue links to "CloudBees Internal CD-379 (Web Link)" [ 19432 ] |
Description | Original: the reporter's request (Example pipeline code, Output, Expectations; reproduced above under "Original request") | New: the Problem / Examples / Original request text shown at the top of this page |
Assignee | Original: Jesse Glick [ jglick ] | |
Resolution | Original: Not A Defect [ 7 ] | |
Status | Original: Resolved [ 5 ] | New: Reopened [ 4 ] |
Component/s | New: pipeline [ 21692 ] |
Sprint | New: Pipeline - Candidates [ 381 ] |