• Improvement
    • Resolution: Fixed
    • Minor
    • http-request-plugin
    • Jenkins 2.19.2
      http-request-plugin 1.8.12
      Linux from jenkins docker image hosted on MacOS

      I am using the HTTP Request Plugin from a pipeline build. I have to provide basic Auth credentials that are entered at the time the job runs and cannot be stored as global credentials. So, I am using custom headers for this.

          def creds = "admin:admin"
          String auth = creds.bytes.encodeBase64().toString()
          def response = httpRequest httpMode: 'GET',
            url: "https://httpbin.org/get",
            customHeaders: [[name: 'Authorization', value: "Basic $auth"]]
      

      The problem is that the plugin always prints the header values, so I see:

        [Pipeline] httpRequest
        HttpMode: GET
        URL: https://httpbin.org/get
        Authorization: Basic YWRtaW46YWRtaW4=
        Sending request to url: https://httpbin.org/get
        Response Code: HTTP/1.1 200 OK
        Success code from [100‥399]
      

      Which makes it really easy to decode the password. Is there another way to pass the credentials? (I tried putting them in the URL "http://admin:admin@httpbin.org/get" with the MaskPasswords plugin installed, but that echoed the password in plaintext.)

      Would it make sense to magically hide or obfuscate the Authorization header if added with customHeaders?

      Or, there is an option to suppress the response body in console. Could we add an option to suppress the request headers in console?

          [JENKINS-39744] Hide Authorization Custom Header

          Harold Putman added a comment -

          Pull request submitted to mask Authorization header: https://github.com/jenkinsci/http-request-plugin/pull/22


          Harold Putman added a comment -

          bump.


          SCM/JIRA link daemon added a comment -

          Code changed in jenkins
          User: Harold Putman
          Path:
          src/main/java/jenkins/plugins/http_request/HttpRequest.java
          http://jenkins-ci.org/commit/http-request-plugin/88655212e2f2d8ecde13a9759d3d4015dd0f752d
          Log:
          Mask the Authorization header

          Address issue JENKINS-39744 by always masking the “Authorization” header value.
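An added example, not the plugin's code and not the code from the pull request: one way to print request headers to a build console while masking credential-bearing values, leaving the values that are actually sent untouched. It goes beyond the fix described above by matching header names case-insensitively and by also covering Proxy-Authorization; the class name, the sensitive-header list and the mask string are assumptions.

```java
import java.util.List;
import java.util.Locale;
import java.util.Map;
import java.util.Set;

// Added illustration: HeaderLogMasker and all of its members are hypothetical names.
public class HeaderLogMasker {
    // Header names whose values must never reach the console (assumed list).
    private static final Set<String> SENSITIVE =
            Set.of("authorization", "proxy-authorization");
    private static final String MASK = "*****";

    // HTTP header names are case-insensitive, so compare on a normalised copy.
    static boolean isSensitive(String name) {
        return name != null
                && SENSITIVE.contains(name.trim().toLowerCase(Locale.ROOT));
    }

    // Builds the console line for one header. Only the logged text is masked;
    // the caller keeps using the original value for the request itself.
    static String toLogLine(String name, String value) {
        return name + ": " + (isSensitive(name) ? MASK : value);
    }

    // Logs every header of a request. A list of pairs is used instead of a map
    // because the same header name may legitimately appear more than once.
    static void logHeaders(List<Map.Entry<String, String>> headers, StringBuilder console) {
        for (Map.Entry<String, String> h : headers) {
            console.append(toLogLine(h.getKey(), h.getValue())).append('\n');
        }
    }

    public static void main(String[] args) {
        // Constructed sample headers; the Basic value is the one quoted in the report.
        List<Map.Entry<String, String>> headers = List.of(
                Map.entry("Accept", "application/json"),
                Map.entry("Authorization", "Basic YWRtaW46YWRtaW4="),
                Map.entry("authorization", "Bearer constructed-sample-token"),
                Map.entry("Proxy-Authorization", "Basic Y29uc3RydWN0ZWQ6c2FtcGxl"));
        StringBuilder console = new StringBuilder();
        logHeaders(headers, console);
        System.out.print(console);
    }
}
```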

            janario Janario Oliveira
            hputman Harold Putman