Jenkins / JENKINS-40017

Passwords are replaced but not masked in global envs

      Description

      We have a global password called JENKINSPASS

      We have a global env ANT_OPTS defined, which references it like -Djavax.net.ssl.keyStorePassword=${JENKINSPASS}

      For no apparent reason (we didn't upgrade) an unmasked value of the password started to appear in "Environment Variables" view. Note JENKINSPASS itself is masked.

      ANT_OPTS	-Djavax.net.ssl.keyStorePassword=N0wC0mpr0miss3dS3cr3t
      JENKINSPASS	[*******]
      

      Older builds don't contain an entry for ANT_OPTS at all.
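
The behaviour reported above, as an added example (not code from this issue or from any Jenkins plugin): hiding entries by variable name leaves the expanded ANT_OPTS readable, while hiding by secret value covers it. The function names are hypothetical, and both the `${NAME}` expansion and the name-keyed masking are simplified assumptions, not the plugins' confirmed logic.

```python
import re

MASK = "[*******]"  # same placeholder the view on this page shows for JENKINSPASS

def expand(value, variables):
    """Resolve ${NAME} references (simplified stand-in for Jenkins' expansion)."""
    return re.sub(r"\$\{(\w+)\}", lambda m: variables.get(m.group(1), m.group(0)), value)

def mask_by_name(env, secret_names):
    """Name-based masking: only entries whose key is a declared password are hidden."""
    return {k: (MASK if k in secret_names else v) for k, v in env.items()}

def mask_by_value(env, secrets):
    """Value-based masking: hide every occurrence of a secret value, in any entry."""
    # Longest first, so a secret that contains another one is replaced whole.
    values = sorted((v for v in secrets.values() if v), key=len, reverse=True)
    if not values:
        return dict(env)
    pattern = re.compile("|".join(re.escape(v) for v in values))
    return {k: pattern.sub(MASK, v) for k, v in env.items()}

def leaked_entries(env, secrets):
    """Names of entries that still contain a secret value in clear text."""
    return sorted(k for k, v in env.items()
                  if any(s and s in v for s in secrets.values()))

# Constructed sample mirroring the report: a global password and an env that references it.
SECRETS = {"JENKINSPASS": "N0wC0mpr0miss3dS3cr3t"}
GLOBAL_ENV = {"ANT_OPTS": "-Djavax.net.ssl.keyStorePassword=${JENKINSPASS}"}

def build_env():
    """Environment as a build would see it: secrets plus expanded global envs."""
    env = dict(SECRETS)
    env.update({k: expand(v, SECRETS) for k, v in GLOBAL_ENV.items()})
    return env

if __name__ == "__main__":
    env = build_env()
    for label, view in (("by name", mask_by_name(env, set(SECRETS))),
                        ("by value", mask_by_value(env, SECRETS))):
        print(label, view, "leaks:", leaked_entries(view, SECRETS))
```

The same `leaked_entries` check can be run over any attribute map before it is displayed or shipped to a log collector.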

          Activity

          jbochenski Jakub Bochenski added a comment -

          Last Jenkins upgrade was 6 days before

          jbochenski Jakub Bochenski added a comment -

          It would be nice to get some response here, this keeps happening, compromising all secrets stored on Jenkins

          jbochenski Jakub Bochenski added a comment -

          This also results in unmasked values being sent to logstash when using the logstash-plugin

          oleg_nenashev Oleg Nenashev added a comment -

          Sorry, I have no capacity to work on this issue soon, the plugin waits for adoption. For Environment Variables you can disable this view via EnvInject plugin settings, there is not so much I can do there without serious plugin rework.

           

          Regarding the LogStash plugin, it needs investigation. IIRC the plugin ignores console annotators.

          jbochenski Jakub Bochenski added a comment - - edited

          > For Environment Variables you can disable this view via EnvInject plugin settings, there is not so much I can do there without serious plugin rework.
          The view is rather useful otherwise, but I see no other option then (plus filtering the logstash output attributes)

          > Regarding the LogStash plugin, it needs investigation. IIRC the plugin ignores console annotators.
          Oleg Nenashev there is an ugly upcast to handle the mask passwords plugin in logstash plugin: https://github.com/jenkinsci/logstash-plugin/blob/master/src/main/java/jenkins/plugins/logstash/LogstashBuildWrapper.java#L85 so I'm guessing the issue stems from the mask passwords problem

          oleg_nenashev Oleg Nenashev added a comment -

          Sorry, I was unable to find any time to work on this plugin. I have decided to mark it for adoption, so anybody is welcome to take ownership and to work on this issue.


            People

            Assignee: Unassigned
            Reporter: jbochenski Jakub Bochenski