  1. Jenkins
  2. JENKINS-39744

Hide Authorization Custom Header


    • Type: Improvement
    • Resolution: Fixed
    • Priority: Minor
    • http-request-plugin
    • Jenkins 2.19.2
      http-request-plugin 1.8.12
      Linux from jenkins docker image hosted on MacOS

      I am using the HTTP Request Plugin from a pipeline build. I have to provide basic Auth credentials that are entered at the time the job runs and cannot be stored as global credentials. So, I am using custom headers for this.

          def creds = "admin:admin"
          String auth = creds.bytes.encodeBase64().toString()
          def response = httpRequest httpMode: 'GET',
            url: "https://httpbin.org/get",
            customHeaders: [[name: 'Authorization', value: "Basic $auth"]]
      

      The problem is that the plugin always prints the header values, so I see:

        [Pipeline] httpRequest
        HttpMode: GET
        URL: https://httpbin.org/get
        Authorization: Basic YWRtaW46YWRtaW4=
        Sending request to url: https://httpbin.org/get
        Response Code: HTTP/1.1 200 OK
        Success code from [100‥399]
      

      Which makes it really easy to decode the password. Is there another way to pass the credentials? (I tried putting them in the URL "http://admin:admin@httpbin.org/get" with the MaskPasswords plugin installed, but that echoed the password in plaintext.)

      Would it make sense to magically hide or obfuscate the Authorization header if added with customHeaders?

      Or, there is an option to suppress the response body in console. Could we add an option to suppress the request headers in console?

            janario Janario Oliveira
            hputman Harold Putman
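
A defender-side check for the exposure described in this report, as an added example that is not part of the original issue or the plugin's code: it scans console output for `Authorization: Basic` values, confirms each one decodes to `user:password`, and redacts it. The function names and the `****` mask are assumptions; the sample log is constructed from the console output quoted in the report.

```python
import base64
import binascii
import re

# Matches "Authorization: Basic <token>" as echoed in the console output.
BASIC_RE = re.compile(
    r"(?i)\b((?:Proxy-)?Authorization:\s*Basic\s+)([A-Za-z0-9+/]+={0,2})")

# Constructed sample, taken from the console output quoted in the report.
SAMPLE_LOG = """\
[Pipeline] httpRequest
HttpMode: GET
URL: https://httpbin.org/get
Authorization: Basic YWRtaW46YWRtaW4=
Sending request to url: https://httpbin.org/get
Response Code: HTTP/1.1 200 OK
"""


def basic_username(token):
    """Return the user part if token decodes to 'user:password', else None."""
    try:
        decoded = base64.b64decode(token, validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return None
    user, sep, _password = decoded.partition(":")
    return user if sep else None


def scan_console_log(text):
    """Redact Basic credentials; return (redacted_text, [(line_no, user)])."""
    findings = []
    out = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        def repl(m):
            user = basic_username(m.group(2))
            if user is None:  # not a decodable credential: leave untouched
                return m.group(0)
            findings.append((lineno, user))  # the password is never kept
            return m.group(1) + "****"
        out.append(BASIC_RE.sub(repl, line))
    return "\n".join(out), findings


if __name__ == "__main__":
    redacted, hits = scan_console_log(SAMPLE_LOG)
    print(redacted, hits, sep="\n")
```

A non-empty findings list means the credential has already been written to the build log, so it should be rotated in addition to being redacted.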