Bug
Resolution: Not A Defect
Minor
None
Credentials Binding Plugin: 1.10
Jenkins: 2.40
In the log extract below, artifact coordinates are logged (the line starting with "coordinates:..."). Part of the Artifactory group ID happens to match the bound username, and gets masked.
Clearly, the group ID has no relation to this binding, and should be unaffected.
I.e. the last line should not be masked: "coordinates: eu.dorsum.cm.dummy...." should be there instead of "coordinates: eu.****.cm.dummy..."
Due to this error, someone who knows our group ID can easily find out that either the bound username or the password is 'dorsum'.
[release%2F1.0.06ac0a631] $ cmd.exe /C "c:/JenkinsSlave/android-1/workspace/release%2F1.0.06ac0a631/gradlew.bat --refresh-dependencies --stacktrace --no-daemon -Pbuild.number=6 "-PkeystorePassword=," usernameVariable: KEY_ALIAS -PkeyPassword=**** -PkeyAlias=**** clean signingReport build artifactoryPublish -b build.gradle && exit %%ERRORLEVEL%%"
release true
coordinates: eu.****.cm.dummy.android.single:dummy-android-single-apk:1.0.0-6
How would the plugin know that your Gradle script is doing `echo "coordinates: ${artifactInfo}"` and not `echo "Using password: ${pw}"`, in order to only mask the second version?
I would think that the real solution is to use secure passwords.
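A simplified model of literal secret masking, added here as an example (it is not the Credentials Binding Plugin's code): it reproduces the masked `coordinates:` line from the report and adds a pre-build check that flags bound values likely to collide with text the build prints. The function names, the 12-character minimum and the `-PkeyAlias=dorsum` sample line are assumptions.

```python
import re

MASK = "****"

def build_masker(secrets):
    """Return a function that replaces every literal occurrence of a secret.

    The masker sees only bytes in the log stream; it cannot tell which
    variable or expression produced them.
    """
    # Longest first, so a secret containing another secret is masked whole.
    ordered = sorted({s for s in secrets if s}, key=len, reverse=True)
    if not ordered:
        return lambda line: line
    pattern = re.compile("|".join(re.escape(s) for s in ordered))
    return lambda line: pattern.sub(MASK, line)

def collisions(bound, public_strings, min_len=12):
    """Flag bound values that masking would expose rather than hide.

    bound: {variable name: secret value}
    public_strings: text the build is known to print (group IDs, job names)
    min_len: assumed policy threshold, not a plugin setting
    """
    findings = []
    for name, value in bound.items():
        if len(value) < min_len:
            findings.append((name, "shorter than %d characters" % min_len))
        for text in public_strings:
            if value and value in text:
                findings.append((name, "occurs in public string %r" % text))
    return findings

# Values taken from the report above; the first log line is constructed.
BOUND = {"KEY_ALIAS": "dorsum"}
GROUP_ID = "eu.dorsum.cm.dummy.android.single"
LOG = [
    "-PkeyAlias=dorsum",
    "coordinates: " + GROUP_ID + ":dummy-android-single-apk:1.0.0-6",
]

def masked_log():
    """Apply the masker to the sample log and return the masked lines."""
    mask = build_masker(BOUND.values())
    return [mask(line) for line in LOG]

if __name__ == "__main__":
    print("\n".join(masked_log()))
    for name, reason in collisions(BOUND, [GROUP_ID]):
        print("WARN %s: %s" % (name, reason))
```

Running `collisions` over credentials before they are bound in a job catches values like this one, where the position of `****` in otherwise public text discloses the secret.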