JENKINS-42950

credentials-binding-plugin not masking secret text when it includes a single quote


Description

      I have a Jenkins job to deploy an Ansible playbook, and I have used the credentials-binding-plugin secret text entries for entering my different environment Ansible vault passwords. Two of my encrypted passwords work fine, but one of them has a single quote in the text, and it seems to be causing problems with the masking, so that password is showing up in the logs. I tried escaping it in the actual text itself, but that did not work either.

      I would just change the passwords, but they are company passwords and not mine to change, so please let me know if something can be done to fix the parsing or if there is an immediate workaround for this.

      Thanks,

      Jeff Mclean

          Activity

            jglick Jesse Glick added a comment -

            Sounds like a bug if true. No known workaround.

            jglick Jesse Glick added a comment -

            Checked in functional tests and could not reproduce for either freestyle or Pipeline builds.

            cowlinator p cowlinator added a comment -

            I am able to reproduce this issue.  I will post more details in the next comment.

            cowlinator p cowlinator added a comment - edited

            I get this problem with the following environment:

            Jenkins server: runs on the `jenkins/jenkins:lts` docker image (image id: 5907903170ad), with Jenkins version 2.150.1.
            Credentials-binding-plugin version: 1.17.
            Agent: runs on an Alpine Linux 3.8 docker image

            When running the following pipeline:

            pipeline {
                agent { docker { image 'alpine:3.8' } }
                stages {
                    stage('run_for_ranapas') {
                        steps {
                            withCredentials([usernamePassword(credentialsId: 'quote_pw', usernameVariable: 'USER', passwordVariable: 'PASS')]) {
                                sh '''
                                    echo $USER $PASS
                                '''
                            }
                        }
                    }
                }
            }
            
            

            Where `quote_pw` is a global scope, global domain credential whose `kind` is `username and password`, and whose values are: username: `username7`, password: `password'7`.

            The result is 

            [Pipeline] withCredentials
            [Pipeline] {
            [Pipeline] sh
            + echo **** 'password'"'"'7'
            **** ****
            
            jglick Jesse Glick added a comment -

            Ah yes, this is just Bash being too clever. When you have echo enabled, Bash—but not, say, Ubuntu’s more compliant Dash—will detect command arguments containing ' and present a mockup of a command line that would escape them even if all the mockup elements were manually surrounded with '. Thus

            echo $USER $PASS
            

            is rendered as

            + echo username7 password'"'"'7
            

            rather than simply

            + echo username7 password'7
            

            which I suppose is intended to make it easier for you to copy-paste this line into a new script as

            echo 'username7' 'password'"'"'7'
            

            Since output does not literally contain the password, it is not masked. In general, the plugin cannot keep up with the ways in which various tools might decide to mangle secrets before printing them; it keeps it simple and masks secrets only when printed literally.

            So either disable echoing with

            set +x
            

            or simply avoid passwords with shell metacharacters, ' especially.

            cowlinator p cowlinator added a comment -

            jglick, can you at least include a note about this in the documentation?

            jglick Jesse Glick added a comment -

            Done.

            wfollonier Wadeck Follonier added a comment -

            cowlinator jamclean FYI we updated the different patterns used in credentials-binding to support "common" quotation schemes used by sh/bash/batch/powershell since 1.19.
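            The mechanism Jesse describes above (bash xtrace re-quoting a word that contains a single quote, so the literal secret never appears in the log) and the kind of pattern change Wadeck refers to for 1.19, shown as an added Python illustration. This is example code, not the credentials-binding plugin's own implementation: the `password'7` value, the `'password'"'"'7'` rendering and the `****` placeholder are taken from the issue; the function names and the unmasked xtrace log line are constructed for the example, and only the bash scheme visible in this issue is modelled (the plugin's batch and PowerShell patterns are not reproduced here).

```python
import re

MASK = "****"


def bash_xtrace_quote(value: str) -> str:
    """Render a word the way bash's xtrace (set -x) prints it when the word
    contains a single quote: the whole word is wrapped in '...' and each
    embedded ' becomes '"'"' (close quote, a double-quoted ', reopen quote).
    This reproduces the rendering shown in the issue:
        password'7  ->  'password'"'"'7'
    Words without a quote are printed as-is by bash, so they come back
    unchanged. (Bash's $'...' form for non-printable characters is not
    modelled here; this is an illustration, not bash's full algorithm.)"""
    if "'" not in value:
        return value
    return "'" + value.replace("'", "'\"'\"'") + "'"


def _pattern(forms):
    # Drop empty strings (an empty alternative would match everywhere) and
    # try the longest alternative first, so a quoted rendering wins over a
    # shorter literal that happens to be a prefix of it.
    alts = sorted({f for f in forms if f}, key=len, reverse=True)
    return re.compile("|".join(re.escape(f) for f in alts)) if alts else None


def mask_literal(line: str, secrets) -> str:
    """Mask only literal occurrences of each secret: the behaviour the issue
    describes, where the xtrace rendering slips through unmasked."""
    pattern = _pattern(secrets)
    return pattern.sub(MASK, line) if pattern else line


def mask_with_shell_forms(line: str, secrets) -> str:
    """Mask each secret both literally and in its bash xtrace rendering, so
    the `+ echo ...` trace line is covered as well as plain output."""
    forms = set()
    for secret in secrets:
        forms.add(secret)
        forms.add(bash_xtrace_quote(secret))
    pattern = _pattern(forms)
    return pattern.sub(MASK, line) if pattern else line


# Values from the issue's reproduction (constructed sample inputs).
SECRETS = ["username7", "password'7"]
# Constructed: what bash's xtrace prints for `echo $USER $PASS` before masking.
XTRACE_LINE = "+ echo username7 'password'\"'\"'7'"
# Constructed: what a shell that does not re-quote (e.g. dash) would print.
PLAIN_LINE = "+ echo username7 password'7"

if __name__ == "__main__":
    print(mask_literal(XTRACE_LINE, SECRETS))           # password still visible
    print(mask_with_shell_forms(XTRACE_LINE, SECRETS))  # both arguments masked
    print(mask_with_shell_forms(PLAIN_LINE, SECRETS))   # literal form still masked
```

            The first call reproduces the `+ echo **** 'password'"'"'7'` line from the reproduction above: the username is masked because it appears literally, the password is not because bash has rewritten it. Adding the re-quoted rendering as a second alternative closes that particular gap, but only for renderings the pattern knows about, which is why `set +x` (or never echoing a secret at all) remains the safer control.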

            People

              Assignee: Unassigned
              Reporter: jamclean Jeff Mclean