[JENKINS-50242] withCredentials step masking easily bypassed - Jenkins Jira

XML

Word

Printable

Details

Type: Bug
Status: Resolved (View Workflow)
Priority: Major
Resolution: Not A Defect
Component/s: credentials-binding-plugin
Labels:
None
Environment:
Jenkins: 2.111
Plugin: 1.15

Similar Issues:

Show

Description

For this use case, withCredentials is broken:

node {
  stage('Break Security') {
    withCredentials([string(credentialsId: 'AWS_DEFAULT_REGION', variable: 'AWS_DEFAULT_REGION'),
    string(credentialsId: 'AWS_ACCESS_KEY_ID', variable: 'AWS_ACCESS_KEY_ID'),
    string(credentialsId: 'AWS_SECRET_ACCESS_KEY', variable: 'AWS_SECRET_ACCESS_KEY')]) {
      def exposedSecret = ""
      for(letter in env.AWS_SECRET_ACCESS_KEY) {
        exposedSecret = "$exposedSecret $letter"
      }
      echo "$exposedSecret"
    }
  }
}

The secret can be easily viewed.

Letting someone work on a pipeline is basically showing them the secrets that pipeline uses.
For this example I used "Secret Text", but it also happens with "AWS Credentials".

Attachments

Issue Links

is duplicated by

JENKINS-60962 credential plugin security issue

Closed

relates to

JENKINS-54538 Ability to save unmasked credentials to file

Closed

JENKINS-61277 Document that Bitbucket Server admin token credential secures itself by forcing to SYSTEM scope

Open

links to

PR 49

mentioned in: Page Loading...

Activity

Ascending order - Click to sort in descending order

Andres Pineros created issue - 2018-03-19 00:32

Andres Pineros made changes - 2018-03-19 00:33

Field	Original Value	New Value
Description	A very common use case of Jenkins is to delegate the responsibility of the creation of pipelines to third parties or developers. These external teams should be able to use secrets given to them via Jenkins credentials, but shouldn't be able to visualize the value of the secret. For this use case, withCredentials is broken: {code:java} node { stage('Break Security') { withCredentials([string(credentialsId: 'AWS_DEFAULT_REGION', variable: 'AWS_DEFAULT_REGION'), string(credentialsId: 'AWS_ACCESS_KEY_ID', variable: 'AWS_ACCESS_KEY_ID'), string(credentialsId: 'AWS_SECRET_ACCESS_KEY', variable: 'AWS_SECRET_ACCESS_KEY')]) { def exposedSecret = "" for(letter in env.AWS_DEFAULT_REGION) { exposedSecret = "$exposedSecret $letter" } echo "$exposedSecret" } } }{code} The secret can be easily viewed. Letting someone work on a pipeline is basically showing them the secrets that pipeline uses.	A very common use case of Jenkins is to delegate the responsibility of the creation of pipelines to third parties or developers. These external teams should be able to use secrets given to them via Jenkins credentials, but shouldn't be able to visualize the value of the secret. For this use case, withCredentials is broken: {code:java} node { stage('Break Security') { withCredentials([string(credentialsId: 'AWS_DEFAULT_REGION', variable: 'AWS_DEFAULT_REGION'), string(credentialsId: 'AWS_ACCESS_KEY_ID', variable: 'AWS_ACCESS_KEY_ID'), string(credentialsId: 'AWS_SECRET_ACCESS_KEY', variable: 'AWS_SECRET_ACCESS_KEY')]) { def exposedSecret = "" for(letter in env.AWS_DEFAULT_REGION) { exposedSecret = "$exposedSecret $letter" } echo "$exposedSecret" } } }{code} The secret can be easily viewed. Letting someone work on a pipeline is basically showing them the secrets that pipeline uses.

Andres Pineros made changes - 2018-03-19 00:34

Description

A very common use case of Jenkins is to delegate the responsibility of the creation of pipelines to third parties or developers. These external teams should be able to use secrets given to them via Jenkins credentials, but shouldn't be able to visualize the value of the secret.

For this use case, withCredentials is broken:
{code:java}
node {
stage('Break Security') {
withCredentials([string(credentialsId: 'AWS_DEFAULT_REGION', variable: 'AWS_DEFAULT_REGION'),
string(credentialsId: 'AWS_ACCESS_KEY_ID', variable: 'AWS_ACCESS_KEY_ID'),
string(credentialsId: 'AWS_SECRET_ACCESS_KEY', variable: 'AWS_SECRET_ACCESS_KEY')]) {
def exposedSecret = ""
for(letter in env.AWS_DEFAULT_REGION) {
exposedSecret = "$exposedSecret $letter"
}
echo "$exposedSecret"
}
}
}{code}
The secret can be easily viewed.

Letting someone work on a pipeline is basically showing them the secrets that pipeline uses.

A very common use case of Jenkins is to delegate the responsibility of the creation of pipelines to third parties or developers. These external teams should be able to use secrets given to them via Jenkins credentials, but shouldn't be able to visualize the value of the secret.

For this use case, withCredentials is broken:
{code:java}
node {
  stage('Break Security') {
    withCredentials([string(credentialsId: 'AWS_DEFAULT_REGION', variable: 'AWS_DEFAULT_REGION'),
    string(credentialsId: 'AWS_ACCESS_KEY_ID', variable: 'AWS_ACCESS_KEY_ID'),
    string(credentialsId: 'AWS_SECRET_ACCESS_KEY', variable: 'AWS_SECRET_ACCESS_KEY')]) {
      def exposedSecret = ""
      for(letter in env.AWS_DEFAULT_REGION) {
        exposedSecret = "$exposedSecret $letter"
      }
      echo "$exposedSecret"
    }
  }
}{code}
The secret can be easily viewed.

Letting someone work on a pipeline is basically showing them the secrets that pipeline uses.

Andres Pineros made changes - 2018-03-19 00:36

Description

A very common use case of Jenkins is to delegate the responsibility of the creation of pipelines to third parties or developers. These external teams should be able to use secrets given to them via Jenkins credentials, but shouldn't be able to visualize the value of the secret.

For this use case, withCredentials is broken:
{code:java}
node {
  stage('Break Security') {
    withCredentials([string(credentialsId: 'AWS_DEFAULT_REGION', variable: 'AWS_DEFAULT_REGION'),
    string(credentialsId: 'AWS_ACCESS_KEY_ID', variable: 'AWS_ACCESS_KEY_ID'),
    string(credentialsId: 'AWS_SECRET_ACCESS_KEY', variable: 'AWS_SECRET_ACCESS_KEY')]) {
      def exposedSecret = ""
      for(letter in env.AWS_DEFAULT_REGION) {
        exposedSecret = "$exposedSecret $letter"
      }
      echo "$exposedSecret"
    }
  }
}{code}
The secret can be easily viewed.

Letting someone work on a pipeline is basically showing them the secrets that pipeline uses.

A very common use case of Jenkins is to delegate the responsibility of the creation of pipelines to third parties or developers. These external teams should be able to use secrets given to them via Jenkins credentials, but shouldn't be able to visualize the value of the secret.

For this use case, withCredentials is broken:
{code:java}
node {
  stage('Break Security') {
    withCredentials([string(credentialsId: 'AWS_DEFAULT_REGION', variable: 'AWS_DEFAULT_REGION'),
    string(credentialsId: 'AWS_ACCESS_KEY_ID', variable: 'AWS_ACCESS_KEY_ID'),
    string(credentialsId: 'AWS_SECRET_ACCESS_KEY', variable: 'AWS_SECRET_ACCESS_KEY')]) {
      def exposedSecret = ""
      for(letter in env.AWS_SECRET_ACCESS_KEY) {
        exposedSecret = "$exposedSecret $letter"
      }
      echo "$exposedSecret"
    }
  }
}{code}
The secret can be easily viewed.

Letting someone work on a pipeline is basically showing them the secrets that pipeline uses.
For this example I used "Secret Text", but it also happens with "AWS Credentials".

Andres Pineros made changes - 2018-03-19 01:33

Summary

withCredentials step masking isn't secure

withCredentials step masking easily bypassed

Jesse Glick made changes - 2018-03-19 13:28

Remote Link

This issue links to "PR 49 (Web Link)" [ 20272 ]

Jesse Glick made changes - 2018-03-19 13:31

Resolution		Not A Defect [ 7 ]
Status	Open [ 1 ]	Resolved [ 5 ]

Jesse Glick made changes - 2018-03-19 22:02

Remote Link

This issue links to "Page (Jenkins Wiki)" [ 20282 ]

Jesse Glick made changes - 2018-03-19 22:03

Remote Link

This issue links to "Page (Jenkins Wiki)" [ 20282 ]

Kalle Niemitalo made changes - 2020-02-08 08:17

Link

This issue is duplicated by ~~JENKINS-60962~~ [ ~~JENKINS-60962~~ ]

Kalle Niemitalo made changes - 2020-02-29 07:19

Link

This issue relates to ~~JENKINS-54538~~ [ ~~JENKINS-54538~~ ]

Kalle Niemitalo made changes - 2020-02-29 08:34

Link

This issue relates to JENKINS-61277 [ JENKINS-61277 ]

People

Assignee:: Unassigned

Reporter:: Andres Pineros

Votes:: 0 Vote for this issue

Watchers:: 5 Start watching this issue

Dates

Created:: 2018-03-19 00:32

Updated:: 2020-02-29 08:34

Resolved:: 2018-03-19 13:31