JENKINS-40017

Passwords are replaced but not masked in global envs

    • Type: Bug
    • Resolution: Unresolved
    • Priority: Blocker
    • Component: mask-passwords-plugin
    • Environment: Jenkins ver. 2.19.3, Mask Passwords Plugin 2.8

      We have a global password called JENKINSPASS

      We have a global env ANT_OPTS defined, which references it like -Djavax.net.ssl.keyStorePassword=${JENKINSPASS}

      For no apparent reason (we didn't upgrade) an unmasked value of the password started to appear in "Environment Variables" view. Note JENKINSPASS itself is masked.

      ANT_OPTS	-Djavax.net.ssl.keyStorePassword=N0wC0mpr0miss3dS3cr3t
      JENKINSPASS	[*******]
      

      Older builds don't contain an entry for ANT_OPTS at all.
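
The failure mode in the report, as an added example (not code from the Mask Passwords plugin or from this issue): masking keyed on the variable name leaves any variable that expands `${JENKINSPASS}` readable, while masking on the secret's value over the resolved environment catches it. The name-keyed model is an assumption that matches the output shown above; the function names and the secret value are constructed.

```python
import re

MASK = "********"          # placeholder shown instead of a secret
REF = re.compile(r"\$\{(\w+)\}")

# Constructed sample data (not the values from the report).
SECRETS = {"JENKINSPASS": "constructed-secret-123"}
GLOBAL_ENV = {"ANT_OPTS": "-Djavax.net.ssl.keyStorePassword=${JENKINSPASS}"}


def expand(value, env, max_depth=5):
    """Resolve ${NAME} references; unknown names are left untouched."""
    for _ in range(max_depth):
        expanded = REF.sub(lambda m: env.get(m.group(1), m.group(0)), value)
        if expanded == value:
            break
        value = expanded
    return value


def resolve(secrets, global_env):
    """Build the environment a build would see, with references expanded."""
    merged = {**secrets, **global_env}
    return {name: expand(value, merged) for name, value in merged.items()}


def mask_by_name(env, secret_names):
    """Assumed model of the reported behaviour: hide only the secret's own variable."""
    return {k: MASK if k in secret_names else v for k, v in env.items()}


def mask_by_value(env, secret_values):
    """Replace every occurrence of a secret value, whichever variable carries it."""
    ordered = sorted(filter(None, secret_values), key=len, reverse=True)
    masked = {}
    for name, value in env.items():
        for secret in ordered:
            value = value.replace(secret, MASK)
        masked[name] = value
    return masked


def leaking_vars(view, secret_values):
    """Names of variables whose displayed value still contains a secret."""
    return sorted(k for k, v in view.items() if any(s and s in v for s in secret_values))


if __name__ == "__main__":
    env = resolve(SECRETS, GLOBAL_ENV)
    print("name-based :", leaking_vars(mask_by_name(env, SECRETS), SECRETS.values()))
    print("value-based:", leaking_vars(mask_by_value(env, SECRETS.values()), SECRETS.values()))
```

Value-based masking only matches the secret verbatim; an encoded or transformed copy (base64, URL-encoding) would still pass through.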

          Jakub Bochenski added a comment - Last Jenkins upgrade was 6 days before

          Jakub Bochenski added a comment - It would be nice to get some response here, this keeps happening, compromising all secrets stored on Jenkins

          Jakub Bochenski added a comment - This also results in unmasked values being sent to logstash when using the logstash-plugin

          Oleg Nenashev added a comment -

          Sorry, I have no capacity to work on this issue soon, the plugin waits for adoption. For Environment Variables you can disable this view via EnvInject plugin settings, there is not so much I can do there without serious plugin rework.

           

          Regarding the LogStash plugin, it needs investigation. IIRC the plugin ignores console annotators.

          Jakub Bochenski added a comment - - edited

          > For Environment Variables you can disable this view via EnvInject plugin settings, there is not so much I can do there without serious plugin rework.
          The view is rather useful otherwise, but I see no other option then (plus filtering the logstash output attributes)

          > Regarding the LogStash plugin, it needs investigation. IIRC the plugin ignores console annotators.
          oleg_nenashev there is an ugly upcast to handle the mask passwords plugin in logstash plugin: https://github.com/jenkinsci/logstash-plugin/blob/master/src/main/java/jenkins/plugins/logstash/LogstashBuildWrapper.java#L85 so I'm guessing the issue stems from the mask passwords problem

          Oleg Nenashev added a comment -

          Sorry, I was unable to find any time to work on this plugin. I have decided to mark it for adoption, so anybody is welcome to take ownership and to work on this issue.

            Assignee: Unassigned
            Reporter: Jakub Bochenski (jbochenski)
            Votes: 1
            Watchers: 4
