[JENKINS-42950] credentials-binding-plugin not masking secret text when it includes a single quote

      I have a Jenkins job to deploy an ansible playbook and I have used the credentials-binding-plugin secret text entries for entering my different environment ansible vault passwords. 2 of my encrypted passwords work fine but one of them has a single quote in the text and it seems to be causing problems with the masking and so that password is showing up in the logs. I tried escaping in the actual text itself but that did not work either.

      I would just change passwords but they are company passwords and not mine to change so please let me know if something can be done to fix the parsing or if there is an immediate workaround for this.

       

      Thanks,

       

      Jeff Mclean


          Jesse Glick added a comment -

          Sounds like a bug if true. No known workaround.


          Jesse Glick added a comment -

          Checked in functional tests and could not reproduce for either freestyle or Pipeline builds.


          p cowlinator added a comment -

          I am able to reproduce this issue.  I will post more details in the next comment.


p cowlinator added a comment - edited

          I get this problem with the following environment:

Jenkins server: runs on `jenkins/jenkins:lts` docker image (image id: 5907903170ad), with Jenkins version 2.150.1.
Credentials-binding-plugin version: 1.17.
Agent: runs on an Alpine Linux 3.8 docker image

          When running the following pipeline:

          pipeline {
              agent { docker { image 'alpine:3.8' } }
              stages {
                  stage('run_for_ranapas') {
                      steps {
                          withCredentials([usernamePassword(credentialsId: 'quote_pw', usernameVariable: 'USER', passwordVariable: 'PASS')]) {
                              sh '''
                                  echo $USER $PASS
                              '''
                          }
                      }
                  }
              }
          }
          
          

Where `quote_pw` is a global scope, global domain credential whose `kind` is `username and password`, and whose values are: username: `username7`, password: `password'7`.

          The result is 

          [Pipeline] withCredentials
          [Pipeline] {
          [Pipeline] sh
          + echo **** 'password'"'"'7'
          **** ****
          


          Jesse Glick added a comment -

          Ah yes, this is just Bash being too clever. When you have echo enabled, Bash—but not, say, Ubuntu’s more compliant Dash—will detect command arguments containing ' and present a mockup of a command line that would escape them even if all the mockup elements were manually surrounded with '. Thus

          echo $USER $PASS
          

          is rendered as

          + echo username7 password'"'"'7
          

          rather than simply

          + echo username7 password'7
          

          which I suppose is intended to make it easier for you to copy-paste this line into a new script as

          echo 'username7' 'password'"'"'7'
          

          Since output does not literally contain the password, it is not masked. In general, the plugin cannot keep up with the ways in which various tools might decide to mangle secrets before printing them; it keeps it simple and masks secrets only when printed literally.

          So either disable echoing with

          set +x
          

          or simply avoid passwords with shell metacharacters, ' especially.


          p cowlinator added a comment -

          jglick, can you at least include a note about this in the documentation?


          Jesse Glick added a comment -

          Done.


Wadeck Follonier added a comment -

cowlinator jamclean FYI we updated the different patterns used in credentials-binding to support "common" quotation schemes by sh/bash/batch/powershell since 1.19.
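The two comments above describe the gap: a masker that only looks for the literal secret misses the trace line `+ echo username7 'password'"'"'7'`, and closing it means also recognising the quoted renderings shells emit. The following is an added example, written for this page and not the credentials-binding plugin's own code, of a minimal masker that does both; `include_quoted=False` reproduces the literal-only behaviour reported against 1.17, `include_quoted=True` the idea of the 1.19 change. The `'"'"'` form is the one in the issue's log; the `'\''` form (what GNU bash's xtrace emits) and the doubled `''` form (PowerShell single-quoted strings) are assumptions on my part about those shells, not patterns the page shows, and the real plugin's pattern set is not reproduced here.

```python
import re

# Added example, not the credentials-binding plugin's code. A simplified log
# masker that recognises a secret both as printed literally and in the quoted
# forms a shell's trace output may use. Which forms the real plugin matches
# since 1.19 is not stated on the page; the forms below are assumptions.


def quoted_forms(secret):
    """Return the renderings of `secret` a trace line might contain, longest first."""
    forms = {
        secret,                           # printed literally
        secret.replace("'", "'\"'\"'"),   # form in the issue's log:  'password'"'"'7'
        secret.replace("'", "'\\''"),     # GNU bash xtrace form:     'password'\''7'  (assumption)
        secret.replace("'", "''"),        # PowerShell single-quoted: 'password''7'    (assumption)
    }
    # Longest alternative first so a quoted rendering is preferred over a shorter match.
    return sorted(forms, key=len, reverse=True)


def build_pattern(secrets, include_quoted=True):
    """Compile one regex matching any secret in any of its expected renderings."""
    alternatives = set()
    for secret in secrets:
        if not secret:
            continue  # an empty secret would match at every position
        alternatives.update(quoted_forms(secret) if include_quoted else [secret])
    ordered = sorted(alternatives, key=len, reverse=True)
    # re.escape keeps shell metacharacters in the secret from being read as regex syntax.
    return re.compile("|".join(re.escape(a) for a in ordered))


def mask(line, secrets, include_quoted=True):
    """Replace every occurrence of a secret, in any recognised form, with ****."""
    return build_pattern(secrets, include_quoted).sub("****", line)


if __name__ == "__main__":
    # Constructed trace line, built to match the unmasked output quoted in the issue.
    trace_line = "+ echo username7 'password'\"'\"'7'"
    secrets = ["username7", "password'7"]
    print(mask(trace_line, secrets, include_quoted=False))  # literal only: password still visible
    print(mask(trace_line, secrets))                        # quoted forms: both values masked
```

The literal-only run leaves `'password'"'"'7'` intact, which is exactly the leak in the report; with quoted forms enabled the same line comes out as `+ echo **** '****'`. Masking of this kind is still best-effort, as the discussion above notes: any tool that transforms a secret before printing it defeats a pattern the masker does not know about, so `set +x` and avoiding shell metacharacters in secrets remain the safer defaults.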
