Details
-
Bug
-
Resolution: Not A Defect
-
Major
-
None
-
Jenkins: 2.111
Plugin: 1.15
Description
A very common use case of Jenkins is to delegate the responsibility of the creation of pipelines to third parties or developers. These external teams should be able to use secrets given to them via Jenkins credentials, but shouldn't be able to visualize the value of the secret.
For this use case, withCredentials is broken:
node {
stage('Break Security') {
withCredentials([string(credentialsId: 'AWS_DEFAULT_REGION', variable: 'AWS_DEFAULT_REGION'),
string(credentialsId: 'AWS_ACCESS_KEY_ID', variable: 'AWS_ACCESS_KEY_ID'),
string(credentialsId: 'AWS_SECRET_ACCESS_KEY', variable: 'AWS_SECRET_ACCESS_KEY')]) {
def exposedSecret = ""
for(letter in env.AWS_SECRET_ACCESS_KEY) {
exposedSecret = "$exposedSecret $letter"
}
echo "$exposedSecret"
}
}
}
The secret can be easily viewed.
Letting someone work on a pipeline is basically showing them the secrets that pipeline uses.
For this example I used "Secret Text", but it also happens with "AWS Credentials".
Attachments
Issue Links
- is duplicated by
-
-
- Closed
-
- relates to
-
-
- Closed
-
-
JENKINS-61277 Document that Bitbucket Server admin token credential secures itself by forcing to SYSTEM scope
-
- Open
-
- links to
- mentioned in
-
Page Loading...
