[JENKINS-42950] credentials-binding-plugin not masking secret text when it includes a single quote

Type: Bug
Resolution: Not A Defect
Priority: Critical
Component/s: credentials-binding-plugin
Labels:
None
Environment:
all

Similar Issues:
Powered by SuggestiMate

Show

I have a Jenkins job to deploy an ansible playbook and I have used the credentials-binding-plugin secret text entries for entering my different environment ansible vault passwords. 2 of my encrypted passwords work fine but one of them has a single quote in the text and it seems to be causing problems with the masking and so that password is showing up in the logs. I tried escaping in the actual text itself but that did not work either.

I would just change passwords but they are company passwords and not mine to change so please let me know if something can be done to fix the parsing or if there is an immediate workaround for this.

Thanks,

Jeff Mclean

relates to

JENKINS-60962 credential plugin security issue

Closed

links to

#59

PR 55

Jesse Glick added a comment - 2017-03-30 18:38

Sounds like a bug if true. No known workaround.

Jesse Glick added a comment - 2017-03-30 18:38 Sounds like a bug if true. No known workaround.

Jesse Glick added a comment - 2017-08-08 13:48

Checked in functional tests and could not reproduce for either freestyle or Pipeline builds.

Jesse Glick added a comment - 2017-08-08 13:48 Checked in functional tests and could not reproduce for either freestyle or Pipeline builds.

p cowlinator added a comment - 2019-01-12 00:20

I am able to reproduce this issue. I will post more details in the next comment.

p cowlinator added a comment - 2019-01-12 00:20 I am able to reproduce this issue. I will post more details in the next comment.

p cowlinator added a comment - 2019-01-12 00:30 - edited

I get this problem with the following environment:

Jenkins server: runs on `jenkins/jenkins:lts` docker image (image id: 5907903170ad), with Jenkins version 2.150.1.
Credentials-binding-plugin version: 1.17.
Agent: runs on a Alpine Linux 3.8 docker image

When running the following pipeline:

pipeline {
    agent { docker { image 'alpine:3.8' } }
    stages {
        stage('run_for_ranapas') {
            steps {
                withCredentials([usernamePassword(credentialsId: 'quote_pw', usernameVariable: 'USER', passwordVariable: 'PASS')]) {
                    sh '''
                        echo $USER $PASS
                    '''
                }
            }
        }
    }
}

Where `quote_pw` is a global scope, global domain credential who's `kind` is `username and password`, and who's values are: username: `username7`, password: `password'7`.

The result is

[Pipeline] withCredentials
[Pipeline] {
[Pipeline] sh
+ echo **** 'password'"'"'7'
**** ****

p cowlinator added a comment - 2019-01-12 00:30 - edited I get this problem with the following environment: Jenkins server: runs on `jenkins/jenkins:lts` docker image (image id: 5907903170ad), with Jenkins version 2.150.1. Credentials-binding-plugin version: 1.17. Agent: runs on a Alpine Linux 3.8 docker image When running the following pipeline: pipeline { agent { docker { image 'alpine:3.8' } } stages { stage( 'run_for_ranapas' ) { steps { withCredentials([usernamePassword(credentialsId: 'quote_pw' , usernameVariable: 'USER' , passwordVariable: 'PASS' )]) { sh ''' echo $USER $PASS ''' } } } } } Where `quote_pw` is a global scope, global domain credential who's `kind` is `username and password`, and who's values are: username: `username7`, password: `password'7`. The result is [Pipeline] withCredentials [Pipeline] { [Pipeline] sh + echo **** 'password' " '" ' 7' **** ****

Jesse Glick added a comment - 2019-01-14 19:20

Ah yes, this is just Bash being too clever. When you have echo enabled, Bash—but not, say, Ubuntu’s more compliant Dash—will detect command arguments containing ' and present a mockup of a command line that would escape them even if all the mockup elements were manually surrounded with '. Thus

echo $USER $PASS

is rendered as

+ echo username7 password'"'"'7

rather than simply

+ echo username7 password'7

which I suppose is intended to make it easier for you to copy-paste this line into a new script as

echo 'username7' 'password'"'"'7'

Since output does not literally contain the password, it is not masked. In general, the plugin cannot keep up with the ways in which various tools might decide to mangle secrets before printing them; it keeps it simple and masks secrets only when printed literally.

So either disable echoing with

set +x

or simply avoid passwords with shell metacharacters, ' especially.

Jesse Glick added a comment - 2019-01-14 19:20 Ah yes, this is just Bash being too clever. When you have echo enabled, Bash—but not, say, Ubuntu’s more compliant Dash—will detect command arguments containing ' and present a mockup of a command line that would escape them even if all the mockup elements were manually surrounded with ' . Thus echo $USER $PASS is rendered as + echo username7 password ' "' " '7 rather than simply + echo username7 password'7 which I suppose is intended to make it easier for you to copy-paste this line into a new script as echo 'username7' 'password' " '" ' 7' Since output does not literally contain the password, it is not masked. In general, the plugin cannot keep up with the ways in which various tools might decide to mangle secrets before printing them; it keeps it simple and masks secrets only when printed literally. So either disable echoing with set +x or simply avoid passwords with shell metacharacters, ' especially.

p cowlinator added a comment - 2019-01-14 20:36

jglick, can you at least include a note about this in the documentation?

p cowlinator added a comment - 2019-01-14 20:36 jglick , can you at least include a note about this in the documentation?

Jesse Glick added a comment - 2019-01-14 20:54

Done.

Jesse Glick added a comment - 2019-01-14 20:54 Done.

Wadeck Follonier added a comment - 2020-05-18 08:02

cowlinator jamclean FYI we updated the different patterns used in credentials-binding to support "common" quotation schema by sh/bash/batch/powershell since 1.19.

Wadeck Follonier added a comment - 2020-05-18 08:02 cowlinator jamclean FYI we updated the different patterns used in credentials-binding to support "common" quotation schema by sh/bash/batch/powershell since 1.19.

Assignee:: Unassigned

Reporter:: Jeff Mclean

Votes:: 0 Vote for this issue

Watchers:: 5 Start watching this issue

Created:: 2017-03-20 21:50

Updated:: 2020-05-18 08:02

Resolved:: 2019-01-14 19:20

Jenkins

Details

Description

Attachments

Issue Links

Activity

Collapse comment: Jesse Glick added a comment - 2017-03-30 18:38

Expand comment: Jesse Glick added a comment - 2017-03-30 18:38

Collapse comment: Jesse Glick added a comment - 2017-08-08 13:48

Expand comment: Jesse Glick added a comment - 2017-08-08 13:48

Collapse comment: p cowlinator added a comment - 2019-01-12 00:20

Expand comment: p cowlinator added a comment - 2019-01-12 00:20

Collapse comment: p cowlinator added a comment - 2019-01-12 00:30, Edited by p cowlinator - 2019-01-12 00:32

Expand comment: p cowlinator added a comment - 2019-01-12 00:30, Edited by p cowlinator - 2019-01-12 00:32

Collapse comment: Jesse Glick added a comment - 2019-01-14 19:20

Expand comment: Jesse Glick added a comment - 2019-01-14 19:20

Collapse comment: p cowlinator added a comment - 2019-01-14 20:36

Expand comment: p cowlinator added a comment - 2019-01-14 20:36

Collapse comment: Jesse Glick added a comment - 2019-01-14 20:54

Expand comment: Jesse Glick added a comment - 2019-01-14 20:54

Collapse comment: Wadeck Follonier added a comment - 2020-05-18 08:02

Expand comment: Wadeck Follonier added a comment - 2020-05-18 08:02

People

Dates