[JENKINS-44594] withCredentials usernamecolonPassword does not mask variable in sh step script

Type: Bug
Resolution: Cannot Reproduce
Priority: Critical
Component/s: credentials-binding-plugin, pipeline
Labels:
- 2.0
- credentials
- pipeline
- security
Environment:
Jenkins ver. 2.46.2
Credentials Plugin 2.1.13
Credentials Binding Plugin 1.11

Similar Issues:
Powered by SuggestiMate

Show

I am running the following:

node{
 stage ("Use credentials") {
  withCredentials([usernameColonPassword(credentialsId: 'myApiTokenId', variable: 'credentials')]) {
        echo "$credentials"

        //making this call does not mask credentials
        sh returnStdout:true, script: "curl -sko /dev/null -w %{http_code} \"https://example.com/path\" --user $credentials"
        }
    }
}

OUTPUT:

[Pipeline] node
Running on master in /var/lib/jenkins/workspace/Test Pipeline
[Pipeline] {
[Pipeline] stage
[Pipeline] { (Check if test job is valid)
[Pipeline] withCredentials
[Pipeline] {
[Pipeline] echo
****
[Pipeline] sh
[Test Pipeline] Running shell script
+ curl -sko /dev/null -w '%{http_code}' https://fpajenkinstest.wdf.sap.corp/job/i856200TestJob --user myusername:4985641987298791451542
[Pipeline] }
[Pipeline] // withCredentials
[Pipeline] }
[Pipeline] // stage
[Pipeline] }
[Pipeline] // node
[Pipeline] End of Pipeline
Finished: SUCCESS

Expected:
Not have credentials exposed in logs.

Interestingly, if I use the UsernamePasswordMultiBinding class the username will be masked but not password.

Jesse Glick added a comment - 2017-06-15 21:22

Mangled issue formatting, hard to reconstruct what your script actually was. Minimal self-contained steps to reproduce please.

To start with, you probably wanted to pass credentials as environment variables, not via Groovy string interpolation. (So ' not ".)

Jesse Glick added a comment - 2017-06-15 21:22 Mangled issue formatting, hard to reconstruct what your script actually was. Minimal self-contained steps to reproduce please. To start with, you probably wanted to pass credentials as environment variables, not via Groovy string interpolation. (So ' not " .)

Jesse Glick added a comment - 2017-06-15 22:24

Tried to reproduce in a functional test without success.

Jesse Glick added a comment - 2017-06-15 22:24 Tried to reproduce in a functional test without success.

Herman H added a comment - 2017-06-15 22:24 - edited

Hi Jesse,

I will close this issue. Seems I am unable to reproduce the bug now.
Thanks,
Herman

Herman H added a comment - 2017-06-15 22:24 - edited Hi Jesse, I will close this issue. Seems I am unable to reproduce the bug now. Thanks, Herman

Jesse Glick added a comment - 2017-06-15 22:26

…fixing resolution

Jesse Glick added a comment - 2017-06-15 22:26 …fixing resolution

Assignee:: Unassigned

Reporter:: Herman H

Votes:: 0 Vote for this issue

Watchers:: 2 Start watching this issue

Created:: 2017-06-01 00:22

Updated:: 2017-06-15 22:26

Resolved:: 2017-06-15 22:26

Jenkins

Details

Description

Attachments

Activity

Collapse comment: Jesse Glick added a comment - 2017-06-15 21:22

Expand comment: Jesse Glick added a comment - 2017-06-15 21:22

Collapse comment: Jesse Glick added a comment - 2017-06-15 22:24

Expand comment: Jesse Glick added a comment - 2017-06-15 22:24

Collapse comment: Herman H added a comment - 2017-06-15 22:24, Edited by Herman H - 2017-06-15 22:25

Expand comment: Herman H added a comment - 2017-06-15 22:24, Edited by Herman H - 2017-06-15 22:25

Collapse comment: Jesse Glick added a comment - 2017-06-15 22:26

Expand comment: Jesse Glick added a comment - 2017-06-15 22:26

People

Dates