Uploaded image for project: 'Jenkins'
  1. Jenkins
  2. JENKINS-54248

readJSON exposes text data, which could contain secured things

    XMLWordPrintable

    Details

    • Similar Issues:

      Description

      When reading a json string into a dict the details pipeline steps page (flowGraphTable) has the full text passed in as the argument.

      In the event that JSON data is gathered using sh (eg via curl or similar) and you want to translate this into a dict with 'readJSON text: foo' the contents of foo are visible in that screen.

      Since it's been made clear that JsonSlurperClassic() is not going to be supported to handle the conversion outside of  step - see https://github.com/jenkinsci/script-security-plugin/pull/77 - there really needs to be an option or something to avoid this exposure in the case that the JSON data to turn into a dict requires obfuscation due to secrets involved (or just hide by default).

      This is particularly concerning as the console output of course doesn't display the variable data when converting to a dict: def foo = readJSON text: myvar

      The blue ocean steps and the details pipeline steps view shows myvar though

      Right now I'm working around this by doing:

      writeFile(file: 'super_temporary.json', text: my_json)
      foo = readJSON file: 'super_temporary.json'
      sh 'rm -f super_temporary.json'

       

      This obviously requires three steps rather than than a single step, which is a bit of a slow down and makes it messier in the output.

       

        Attachments

          Activity

          Hide
          chiranth Chiranth Bagivalu Ramaswamy added a comment -

          HI, I am facing the same issue. Is there a timeline on the issue if it will be addressed. I tried to mask the whole thing like below but even this didn't help. Any other workarounds apart from having to save it as a file?

          wrap([$class: 'MaskPasswordsBuildWrapper', varPasswordPairs:[[password:secureString, var:"secureString"]]])

          { readJSON text: secureString }
          Show
          chiranth Chiranth Bagivalu Ramaswamy added a comment - HI, I am facing the same issue. Is there a timeline on the issue if it will be addressed. I tried to mask the whole thing like below but even this didn't help. Any other workarounds apart from having to save it as a file? wrap([$class: 'MaskPasswordsBuildWrapper', varPasswordPairs:[ [password:secureString, var:"secureString"] ]]) { readJSON text: secureString }
          Hide
          akrysko Alexander Krysko added a comment -

          I experience the same on 2.172, would be nice to have this fixed.

          Show
          akrysko Alexander Krysko added a comment - I experience the same on 2.172, would be nice to have this fixed.
          Hide
          stylet Vlad Fedosv added a comment -

          Same issue here, in BlueOcean Jenkins ver. 2.204.5

          Show
          stylet Vlad Fedosv added a comment - Same issue here, in BlueOcean Jenkins ver. 2.204.5

            People

            Assignee:
            rsandell rsandell
            Reporter:
            hogarthj James Hogarth
            Votes:
            6 Vote for this issue
            Watchers:
            8 Start watching this issue

              Dates

              Created:
              Updated: