Uploaded image for project: 'Jenkins'
  1. Jenkins
  2. JENKINS-50242

withCredentials step masking easily bypassed


    • Icon: Bug Bug
    • Resolution: Not A Defect
    • Icon: Major Major
    • None
    • Jenkins: 2.111
      Plugin: 1.15

      A very common use case of Jenkins is to delegate the responsibility of the creation of pipelines to third parties or developers. These external teams should be able to use secrets given to them via Jenkins credentials, but shouldn't be able to visualize the value of the secret.

      For this use case, withCredentials is broken:

      node {
        stage('Break Security') {
          withCredentials([string(credentialsId: 'AWS_DEFAULT_REGION', variable: 'AWS_DEFAULT_REGION'),
          string(credentialsId: 'AWS_ACCESS_KEY_ID', variable: 'AWS_ACCESS_KEY_ID'),
          string(credentialsId: 'AWS_SECRET_ACCESS_KEY', variable: 'AWS_SECRET_ACCESS_KEY')]) {
            def exposedSecret = ""
            for(letter in env.AWS_SECRET_ACCESS_KEY) {
              exposedSecret = "$exposedSecret $letter"
            echo "$exposedSecret"

      The secret can be easily viewed.

      Letting someone work on a pipeline is basically showing them the secrets that pipeline uses.
      For this example I used "Secret Text", but it also happens with "AWS Credentials".

            Unassigned Unassigned
            apineros Andres Pineros
            0 Vote for this issue
            5 Start watching this issue