Uploaded image for project: 'Jenkins'
  1. Jenkins
  2. JENKINS-43814

Password parameters should be hidden in pipeline logs by default

      In a pipeline script when a developer uses `withCredentials` credentials are hidden in logs to reduces the chance of accidental disclosure (see JENKINS-38181)

      When using a password parameter in a job the same concept should be applied to it and it should be impossible to display its value in logs

      A work-around is to use the MaskPasswordsBuildWrapper but it has to be manually done (and it's a bit crappy)

      node {
        wrap([$class: 'MaskPasswordsBuildWrapper', varPasswordPairs: [[password: "${myPassword}", var: 'PASSWORD']]]) {
         println myPassword
         sh 'echo "Hello World ${myPassword}"'
        }
      }

       

       

      .

          [JENKINS-43814] Password parameters should be hidden in pipeline logs by default

          Arnaud Héritier created issue -

          Jesse Glick added a comment -

          Could be done naturally by Declarative I think.

          Jesse Glick added a comment - Could be done naturally by Declarative I think.
          Jesse Glick made changes -
          Component/s New: pipeline-model-definition-plugin [ 21706 ]
          Component/s Original: pipeline [ 21692 ]
          Andrew Bayer made changes -
          Link New: This issue relates to JENKINS-44779 [ JENKINS-44779 ]
          James Dumay made changes -
          Labels New: cloudbees-internal-pipeline
          Jesse Glick made changes -
          Link New: This issue is duplicated by JENKINS-36007 [ JENKINS-36007 ]
          Jesse Glick made changes -
          Link Original: This issue is duplicated by JENKINS-36007 [ JENKINS-36007 ]
          Jesse Glick made changes -
          Link New: This issue relates to JENKINS-36007 [ JENKINS-36007 ]

          Andrew Bayer added a comment -

          jglick huh? How would Declarative have anything to do with that?

          Andrew Bayer added a comment - jglick huh? How would Declarative have anything to do with that?

          Andrew Bayer added a comment -

          Oh, wait, do you mean MaskPasswordsBuildWrapper could be replicated in Declarative? I'd prefer not - better to get a proper block-scoped step implementation that can be used as an option in Declarative.

          Andrew Bayer added a comment - Oh, wait, do you mean MaskPasswordsBuildWrapper could be replicated in Declarative? I'd prefer not - better to get a proper block-scoped step implementation that can be used as an option in Declarative.

            Unassigned Unassigned
            aheritier Arnaud Héritier
            Votes:
            6 Vote for this issue
            Watchers:
            11 Start watching this issue

              Created:
              Updated: