
readJSON exposes text data, which could contain secured things

    • Bug
    • Resolution: Unresolved
    • Major
    • None
    • Jenkins 2.147
      Pipeline utility steps 2.1.0

      When reading a json string into a dict the details pipeline steps page (flowGraphTable) has the full text passed in as the argument.

      In the event that JSON data is gathered using sh (eg via curl or similar) and you want to translate this into a dict with 'readJSON text: foo' the contents of foo are visible in that screen.

      Since it's been made clear that JsonSlurperClassic() is not going to be supported to handle the conversion outside of  step - see https://github.com/jenkinsci/script-security-plugin/pull/77 - there really needs to be an option or something to avoid this exposure in the case that the JSON data to turn into a dict requires obfuscation due to secrets involved (or just hide by default).

      This is particularly concerning as the console output of course doesn't display the variable data when converting to a dict: def foo = readJSON text: myvar

      The blue ocean steps and the details pipeline steps view shows myvar though

      Right now I'm working around this by doing:

      writeFile(file: 'super_temporary.json', text: my_json)
      foo = readJSON file: 'super_temporary.json'
      sh 'rm -f super_temporary.json'

       

      This obviously requires three steps rather than a single step, which is a bit of a slow down and makes it messier in the output.
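
      A hardened form of the temp-file workaround above, as an added example that is not part of the original report or of the plugin: the file is removed even when parsing fails, and it is written to the workspace temp directory instead of the workspace itself. The helper name readJSONQuietly and the sample JSON are assumptions made for illustration.

      ```groovy
      // Added example, not from the original report.
      // readJSONQuietly is a hypothetical helper name.
      def readJSONQuietly(String jsonText) {
          // pwd(tmp: true) is the temp directory that sits next to the workspace,
          // so the file stays out of workspace-relative archive or stash patterns.
          // The random suffix keeps parallel branches from overwriting each other.
          def tmpFile = "${pwd(tmp: true)}/readjson-${UUID.randomUUID()}.json"
          try {
              writeFile(file: tmpFile, text: jsonText)
              // Only the file path is passed as a step argument here,
              // as in the reporter's workaround.
              return readJSON(file: tmpFile)
          } finally {
              // Runs even if readJSON throws on malformed input,
              // so the secret-bearing file does not outlive the call.
              sh(label: 'Remove temporary JSON file', script: "rm -f '${tmpFile}'")
          }
      }

      node {
          // Constructed sample input; in the report the text came from
          // a shell command such as curl run through sh.
          def myJson = '{"user": "svc-build", "token": "constructed-sample-value"}'
          def foo = readJSONQuietly(myJson)
          echo "Parsed user: ${foo.user}"
      }
      ```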

       

          [JENKINS-54248] readJSON exposes text data, which could contain secured things

          Chiranth Bagivalu Ramaswamy added a comment -

          Hi, I am facing the same issue. Is there a timeline on the issue if it will be addressed? I tried to mask the whole thing like below but even this didn't help. Any other workarounds apart from having to save it as a file?

          wrap([$class: 'MaskPasswordsBuildWrapper', varPasswordPairs:[[password:secureString, var:"secureString"]]]) { readJSON text: secureString }

          Alexander Krysko added a comment -

          I experience the same on 2.172, would be nice to have this fixed.

          Vlad Fedosv added a comment -

          Same issue here, in BlueOcean Jenkins ver. 2.204.5


          Karl added a comment -

          I seem to have addressed this by providing a label to the step.  EG:
          > secretsJSON = readJSON label: 'Get Secret from AWS', text: sh(returnStdout: true, script: 'make aws-get-secret').trim()


            rsandell rsandell
            hogarthj James Hogarth