[JENKINS-40734] Shell step cannot use environment variables that contain $$ - Jenkins Jira

Details

Type: Bug
Status: Resolved (View Workflow)
Priority: Minor
Resolution: Fixed
Component/s: durable-task-plugin
Labels:
- environment
- pipeline
Environment:

Hide
CentOS 6.8
Jenkins 2.38

durable-task-plugin 1.12

workflow-aggregator (pipeline) 2.4 and all its dependencies:
workflow-cps (version:2.17)
workflow-support (version:2.5)
workflow-basic-steps (version:2.1)
pipeline-input-step (version:2.1)
pipeline-milestone-step (version:1.0)
pipeline-build-step (version:2.2)
pipeline-stage-view (version:2.0)
workflow-multibranch (version:2.8)
workflow-durable-task-step (version:2.4)
workflow-api (version:2.3)
pipeline-stage-step (version:2.2)
workflow-scm-step (version:2.2)
workflow-cps-global-lib (version:2.3)
workflow-step-api (version:2.3)
workflow-job (version:2.6)

Show
CentOS 6.8 Jenkins 2.38 durable-task-plugin 1.12 workflow-aggregator (pipeline) 2.4 and all its dependencies: workflow-cps (version:2.17) workflow-support (version:2.5) workflow-basic-steps (version:2.1) pipeline-input-step (version:2.1) pipeline-milestone-step (version:1.0) pipeline-build-step (version:2.2) pipeline-stage-view (version:2.0) workflow-multibranch (version:2.8) workflow-durable-task-step (version:2.4) workflow-api (version:2.3) pipeline-stage-step (version:2.2) workflow-scm-step (version:2.2) workflow-cps-global-lib (version:2.3) workflow-step-api (version:2.3) workflow-job (version:2.6)

Similar Issues:

Show

Description

When I run a Jenkinsfile that has a sh step that uses an environment variable (such as a password) that has two $$ in a row, they get replaced with one $.

Here's the steps to reproduce:
1. Make a global credential id "foo", username "foo", password "bar$$baz"
2. Use this Jenkinsfile:

node('linux') {
    withCredentials([[$class: 'UsernamePasswordMultiBinding', credentialsId: 'foo', passwordVariable: 'PASSWORD', usernameVariable: 'USERNAME']]) {            
        echo "Username: ${env.USERNAME}"
        echo "Password: ${env.PASSWORD}"
        sh 'echo Username: $USERNAME, Password: $PASSWORD'
    }
}

When the build runs, the echo steps properly echo the user/pass which are then masked. But the shell step doesn't mask the password, which is incorrect. It has lost a $

[Pipeline] echo
Username: ****
[Pipeline] echo
Password: ****
[Pipeline] sh
[s_example] Running shell script
+ echo Username: ****, Password: bar$baz
Username: ****, Password: bar$baz

Attachments

Issue Links

depends on

JENKINS-41225 durable-task 1.13 is failing with remote Windows accessed through Cygwin sshd.

In Review

is blocked by

JENKINS-41339 Environment variables referencing other variables broken

Reopened

relates to

JENKINS-27040 Bound variables strip multiple dollar signs

Resolved

JENKINS-61950 Environment variables with '$' have '$$' when used in sh step inside a container step.

Resolved

links to

CloudBees Internal OSS-1830

PR 34

(1 links to)

Activity

Ascending order - Click to sort in descending order

View 11 older comments

John Ericson added a comment - 2017-01-24 20:58 - edited

I'm not really sure what the answer is for dealing with passwords that look like they have bash variable expansion in them.

Having withCredentials escape the username and password before sticking them in the environment variables should do the trick, right?

John Ericson added a comment - 2017-01-24 20:58 - edited I'm not really sure what the answer is for dealing with passwords that look like they have bash variable expansion in them. Having withCredentials escape the username and password before sticking them in the environment variables should do the trick, right?

Ben Dean added a comment - 2017-01-24 22:05

Yes, that would be answer for withCredentials. But it would make the pipelines behave a bit differently than the envinject and credentials-binding plugins which do not escape $ in passwords. Maybe they should be fixed too.

Ben Dean added a comment - 2017-01-24 22:05 Yes, that would be answer for withCredentials . But it would make the pipelines behave a bit differently than the envinject and credentials-binding plugins which do not escape $ in passwords. Maybe they should be fixed too.

Jesse Glick added a comment - 2017-01-26 16:13

Freestyle projects may always have been broken in this respect, but not my problem. This was clearly a bug, and 1.13 fixes it. I am tracking other use cases in JENKINS-41339.

Jesse Glick added a comment - 2017-01-26 16:13 Freestyle projects may always have been broken in this respect, but not my problem. This was clearly a bug, and 1.13 fixes it. I am tracking other use cases in JENKINS-41339 .

Jesse Glick added a comment - 2017-01-26 16:16

withEnv(['PATH=$PATH:/extra/directory/bin'])

is incorrect. You may use either

withEnv(["PATH=$PATH:/extra/directory/bin"])

(interpolating the current value in Groovy) or

withEnv(['PATH+EXTRA=/extra/directory/bin'])

as documented in the withEnv step.

Jesse Glick added a comment - 2017-01-26 16:16 withEnv([ 'PATH=$PATH:/extra/directory/bin' ]) is incorrect. You may use either withEnv([ "PATH=$PATH:/extra/directory/bin" ]) (interpolating the current value in Groovy) or withEnv([ 'PATH+EXTRA=/extra/directory/bin' ]) as documented in the withEnv step.

John Ericson added a comment - 2017-01-26 18:57

jglick I'm no fan of barely-planned string evaluation either, but I don't think it's not fair to simply say "freestyle jobs are broken": values in env may come from either the Jenkins GUI or groovy (e.g. withEnv) and there is no way of knowing. Long predating any pipeline work, the effective behavior of GUI-defined environment variables has been established that they may contain variable references. Freestyle jobs implement this, not define it.

You can make that the semantics of withEnv if you want, but then to handle the GUI case correctly I see the only option being escaping the withEnv arguments before they are put in env so the GUI ones still get expanded correctly.

John Ericson added a comment - 2017-01-26 18:57 jglick I'm no fan of barely-planned string evaluation either, but I don't think it's not fair to simply say "freestyle jobs are broken": values in env may come from either the Jenkins GUI or groovy (e.g. withEnv ) and there is no way of knowing. Long predating any pipeline work, the effective behavior of GUI-defined environment variables has been established that they may contain variable references. Freestyle jobs implement this, not define it. You can make that the semantics of withEnv if you want, but then to handle the GUI case correctly I see the only option being escaping the withEnv arguments before they are put in env so the GUI ones still get expanded correctly.

Jenkins

Shell step cannot use environment variables that contain $$

Details

Description

Attachments

Issue Links

Activity

People

Dates