-
Bug
-
Resolution: Fixed
-
Minor
-
CentOS 6.8
Jenkins 2.38
durable-task-plugin 1.12
workflow-aggregator (pipeline) 2.4 and all its dependencies:
workflow-cps (version:2.17)
workflow-support (version:2.5)
workflow-basic-steps (version:2.1)
pipeline-input-step (version:2.1)
pipeline-milestone-step (version:1.0)
pipeline-build-step (version:2.2)
pipeline-stage-view (version:2.0)
workflow-multibranch (version:2.8)
workflow-durable-task-step (version:2.4)
workflow-api (version:2.3)
pipeline-stage-step (version:2.2)
workflow-scm-step (version:2.2)
workflow-cps-global-lib (version:2.3)
workflow-step-api (version:2.3)
workflow-job (version:2.6)CentOS 6.8 Jenkins 2.38 durable-task-plugin 1.12 workflow-aggregator (pipeline) 2.4 and all its dependencies: workflow-cps (version:2.17) workflow-support (version:2.5) workflow-basic-steps (version:2.1) pipeline-input-step (version:2.1) pipeline-milestone-step (version:1.0) pipeline-build-step (version:2.2) pipeline-stage-view (version:2.0) workflow-multibranch (version:2.8) workflow-durable-task-step (version:2.4) workflow-api (version:2.3) pipeline-stage-step (version:2.2) workflow-scm-step (version:2.2) workflow-cps-global-lib (version:2.3) workflow-step-api (version:2.3) workflow-job (version:2.6)
When I run a Jenkinsfile that has a sh step that uses an environment variable (such as a password) that has two $$ in a row, they get replaced with one $.
Here's the steps to reproduce:
1. Make a global credential id "foo", username "foo", password "bar$$baz"
2. Use this Jenkinsfile:
node('linux') { withCredentials([[$class: 'UsernamePasswordMultiBinding', credentialsId: 'foo', passwordVariable: 'PASSWORD', usernameVariable: 'USERNAME']]) { echo "Username: ${env.USERNAME}" echo "Password: ${env.PASSWORD}" sh 'echo Username: $USERNAME, Password: $PASSWORD' } }
When the build runs, the echo steps properly echo the user/pass which are then masked. But the shell step doesn't mask the password, which is incorrect. It has lost a $
[Pipeline] echo Username: **** [Pipeline] echo Password: **** [Pipeline] sh [s_example] Running shell script + echo Username: ****, Password: bar$baz Username: ****, Password: bar$baz
- depends on
-
-
- In Review
-
- is blocked by
-
-
- Reopened
-
- relates to
-
-
- Resolved
-
-
-
- Resolved
-
- links to
[JENKINS-40734] Shell step cannot use environment variables that contain $$
| Resolution | New: Not A Defect [ 7 ] | |
| Status | Original: Open [ 1 ] | New: Resolved [ 5 ] |
| Comment |
[ [~jglick], the shell script you suggested doesn't work either. Putting single quotes around the environment variables will cause bash (or sh, or dash, or whatever the shell is) to not evaluate them and the output of the build is: {code:none} + echo Username: $USERNAME, Password: $PASSWORD Username: $USERNAME, Password: $PASSWORD {code} If I change those to double quotes it will evaluate them, but it will have the same problem it had before {code:none} sh ''' echo Username: "$USERNAME", Password: "$PASSWORD" ''' {code} outputs: {code:none} + echo Username: ****, Password: bar$baz Username: ****, Password: bar$baz {code} And don't think to much about the {{echo}} command in the shell either. In the real place where I'm running into this problem, I'm passing the username and password to some CLI: {code:none} sh ''' some-cli do stuff "$USERNAME" "$PASSWORD" ''' {code} and they have to be double quoted there so bash will correctly pass the args to the command line if they contain spaces or other characters that have to be quoted. ] |
jglick, the shell script you suggested doesn't work either. Putting single quotes around the environment variables will cause bash (or sh, or dash, or whatever the shell is) to not evaluate them and the output of the build is:
+ echo Username: $USERNAME, Password: $PASSWORD Username: $USERNAME, Password: $PASSWORD
If I change those to double quotes it will evaluate them, but it will have the same problem it had before
sh ''' echo Username: "$USERNAME", Password: "$PASSWORD" '''
outputs:
+ echo Username: ****, Password: bar$baz Username: ****, Password: bar$baz
And don't think to much about the echo command in the shell either. In the real place where I'm running into this problem, I'm passing the username and password to some CLI:
sh ''' some-cli do stuff "$USERNAME" "$PASSWORD" '''
and they have to be double quoted there so bash will correctly pass the args to the command line if they contain spaces or other characters that have to be quoted.
| Resolution | Original: Not A Defect [ 7 ] | |
| Status | Original: Resolved [ 5 ] | New: Reopened [ 4 ] |
Yes the ' was wrong, I meant ".
Reproduced and tracked down to this code. Not specific to credentials.
| Component/s | Original: pipeline [ 21692 ] | |
| Component/s | Original: workflow-durable-task-step-plugin [ 21715 ] | |
| Assignee | New: Jesse Glick [ jglick ] | |
| Labels | Original: credentials environment-variables pipeline shell | New: environment pipeline |
| Status | Original: Reopened [ 4 ] | New: Open [ 1 ] |
| Status | Original: Open [ 1 ] | New: In Progress [ 3 ] |
Your shell script is wrong. Try for example