JENKINS-39744

Hide Authorization Custom Header

    Details

    • Type: Improvement
    • Status: Closed
    • Priority: Minor
    • Resolution: Fixed
    • Component/s: http-request-plugin
    • Environment:
      Jenkins 2.19.2
      http-request-plugin 1.8.12
      Linux from jenkins docker image hosted on MacOS

      Description

      I am using the HTTP Request Plugin from a pipeline build. I have to provide basic Auth credentials that are entered at the time the job runs and cannot be stored as global credentials. So, I am using custom headers for this.

          def creds = "admin:admin"
          String auth = creds.bytes.encodeBase64().toString()
          def response = httpRequest httpMode: 'GET',
            url: "https://httpbin.org/get",
            customHeaders: [[name: 'Authorization', value: "Basic $auth"]]
      

      The problem is that the plugin always prints the header values, so I see:

        [Pipeline] httpRequest
        HttpMode: GET
        URL: https://httpbin.org/get
        Authorization: Basic YWRtaW46YWRtaW4=
        Sending request to url: https://httpbin.org/get
        Response Code: HTTP/1.1 200 OK
        Success code from [100‥399]
      

      Which makes it really easy to decode the password. Is there another way to pass the credentials? (I tried putting them in the URL "http://admin:admin@httpbin.org/get" with the MaskPasswords plugin installed, but that echoed the password in plaintext.)

      Would it make sense to magically hide or obfuscate the Authorization header if added with customHeaders?

      Or, there is an option to suppress the response body in console. Could we add an option to suppress the request headers in console?

          Activity

          hputman Harold Putman added a comment -

          Pull request submitted to mask Authorization header: https://github.com/jenkinsci/http-request-plugin/pull/22

          hputman Harold Putman added a comment -

          bump.

          scm_issue_link SCM/JIRA link daemon added a comment -

          Code changed in jenkins
          User: Harold Putman
          Path:
          src/main/java/jenkins/plugins/http_request/HttpRequest.java
          http://jenkins-ci.org/commit/http-request-plugin/88655212e2f2d8ecde13a9759d3d4015dd0f752d
          Log:
          Mask the Authorization header

          Address issue JENKINS-39744 by always masking the “Authorization” header value.

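
          A sketch of the masking the commit message describes, generalized here to match header names case-insensitively and to cover Proxy-Authorization as well. This is an added example, not the plugin's code; the class name, method names, mask string and the set of sensitive header names are assumptions.

```java
import java.util.ArrayList;
import java.util.List;
import java.util.Locale;
import java.util.Set;

// Added example, not the plugin's code: format request headers for a build
// console while masking credential-bearing values.
public class HeaderLogMasker {
    // Assumption: the set of sensitive names is this example's choice.
    // Stored lower-case because HTTP header names are case-insensitive.
    private static final Set<String> SENSITIVE =
            Set.of("authorization", "proxy-authorization");
    private static final String MASK = "*****";

    /** Returns the console line for one header; a sensitive value is never included. */
    static String consoleLine(String name, String value) {
        String key = name == null ? "" : name.trim().toLowerCase(Locale.ROOT);
        return name + ": " + (SENSITIVE.contains(key) ? MASK : value);
    }

    /** Formats every header (name, value pairs) for the console. */
    static List<String> consoleLines(List<String[]> headers) {
        List<String> out = new ArrayList<>();
        for (String[] h : headers) {
            out.add(consoleLine(h[0], h[1]));
        }
        return out;
    }

    public static void main(String[] args) {
        // Constructed sample input mirroring the headers in the report above.
        List<String[]> headers = List.of(
                new String[] {"Authorization", "Basic YWRtaW46YWRtaW4="},
                new String[] {"authorization", "Bearer constructed-sample-token"},
                new String[] {"Accept", "application/json"});
        for (String line : consoleLines(headers)) {
            System.out.println(line);
        }
    }
}
```

          Masking the whole value, scheme included, matters for Basic auth because Base64 is an encoding and the logged string decodes directly to the username and password.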

            People

            Assignee:
            janario Janario Oliveira
            Reporter:
            hputman Harold Putman