JENKINS-56674

When withDockerContainer is executed inside another withDockerContainer, env variables are not masked


Details

    • docker-workflow 1.18

    Description

      Since this is related to security leaks of credentials, this ticket is raised to Major priority.

      The following scenario is needed to reproduce the issue:

      node {
        withDockerContainer(image: 'docker', args: '-v /var/run/docker.sock:/var/run/docker.sock') {
          env.TEST_PWD = 'pwd12345'
          withDockerContainer(image: 'docker', args: '-v /var/run/docker.sock:/var/run/docker.sock') {
            sh('echo test')
          }
        }
      }


       This will pass, but none of the env variables will be masked when the second (inner) withDockerContainer runs:

       

      6.514 [prj #1] [Pipeline] node
         6.617 [prj #1] Running on master in /Users/vkravets/work/my/docker-workflow-plugin/tmp/workspace/prj
         6.617 [prj #1] [Pipeline] {
         7.814 [prj #1] [Pipeline] withDockerContainer
         7.814 [prj #1] Jenkins does not seem to be running inside a container
         7.815 [prj #1] $ docker run -t -d -u 501:20 -w /Users/vkravets/work/my/docker-workflow-plugin/tmp/workspace/prj -v /Users/vkravets/work/my/docker-workflow-plugin/tmp/workspace/prj:/Users/vkravets/work/my/docker-workflow-plugin/tmp/workspace/prj:rw,z -v /Users/vkravets/work/my/docker-workflow-plugin/tmp/workspace/prj@tmp:/Users/vkravets/work/my/docker-workflow-plugin/tmp/workspace/prj@tmp:rw,z -e ******** -e ******** -e ******** -e ******** -e ******** -e ******** -e ******** -e ******** -e ******** -e ******** -e ******** -e ******** -e ******** -e ******** -e ******** -e ******** -e ******** -e ******** -e ******** ubuntu cat
         7.815 [prj #1] $ docker top c44d7264133f649cc80cc97aae11272e00c5023efe9c34e86d69ea71dc7beb91 -eo pid,comm
         7.815 [prj #1] [Pipeline] {
        10.504 [prj #1] [Pipeline] withDockerContainer
        10.504 [prj #1] ERROR: Failed to parse docker version. Please note there is a minimum docker version requirement of v1.7.
        10.505 [prj #1] Jenkins does not seem to be running inside a container
        10.505 [prj #1] $ docker exec --env BUILD_DISPLAY_NAME=#1 --env BUILD_ID=1 --env BUILD_NUMBER=1 --env BUILD_TAG=jenkins-prj-1 --env BUILD_URL=http://localhost:56168/jenkins/job/prj/1/ --env CLASSPATH= --env EXECUTOR_NUMBER=1 --env HUDSON_HOME=/Users/vkravets/work/my/docker-workflow-plugin/./tmp --env HUDSON_SERVER_COOKIE=586ce441e4ad2814 --env HUDSON_URL=http://localhost:56168/jenkins/ --env JENKINS_HOME=/Users/vkravets/work/my/docker-workflow-plugin/./tmp --env JENKINS_SERVER_COOKIE=586ce441e4ad2814 --env JENKINS_URL=http://localhost:56168/jenkins/ --env JOB_BASE_NAME=prj --env JOB_NAME=prj --env JOB_URL=http://localhost:56168/jenkins/job/prj/ --env NODE_LABELS=master --env NODE_NAME=master --env TEST_PWD=pwd12345 --env workspace=/Users/vkravets/work/my/docker-workflow-plugin/tmp/workspace/prj c44d7264133f649cc80cc97aae11272e00c5023efe9c34e86d69ea71dc7beb91 docker run -t -d -u 501:20 -w /Users/vkravets/work/my/docker-workflow-plugin/tmp/workspace/prj -v /Users/vkravets/work/my/docker-workflow-plugin/tmp/workspace/prj:/Users/vkravets/work/my/docker-workflow-plugin/tmp/workspace/prj:rw,z -v /Users/vkravets/work/my/docker-workflow-plugin/tmp/workspace/prj@tmp:/Users/vkravets/work/my/docker-workflow-plugin/tmp/workspace/prj@tmp:rw,z -e ******** -e ******** -e ******** -e ******** -e ******** -e ******** -e ******** -e ******** -e ******** -e ******** -e ******** -e ******** -e ******** -e ******** -e ******** -e ******** -e ******** -e ******** -e ******** -e ******** ubuntu cat

       As you can see, the following string appeared in the output of the job:

      docker exec --env BUILD_DISPLAY_NAME=#1 --env BUILD_ID=1 --env BUILD_NUMBER=1 ...

          Activity

            vkravets Vladimir Kravets added a comment - edited

            Possible fix can be found here: https://github.com/jenkinsci/docker-workflow-plugin/pull/166

            jglick Jesse Glick added a comment -

            vkravets please follow responsible disclosure procedures if you even have reason to suspect a security vulnerability anywhere in Jenkins.

            In this case I am not convinced there is a legitimate vulnerability anyway. Running a nested copy of withDockerContainer has no plausible meaning and can be disregarded. Some other (non-sh) steps may run Launcher in non-quiet mode, in which case the Decorator could be printing environment variables in plaintext. Generally speaking that is not considered a risk, since anything which binds genuine secrets to the environment (like withCredentials) should also be masking them against accidental disclosure, though we still prefer to use ArgumentListBuilder.addMasked just in case, as DockerClient.run does in this example.
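            The masking mechanism the comment above refers to, as an added illustration (this is not code from the docker-workflow plugin or from PR 166): a Decorator-style "docker exec --env K=V ..." prefix built with hudson.util.ArgumentListBuilder, where each environment pair is added with addMasked so that a Launcher consulting toMaskArray() prints "********" instead of the value. The class name, the helper names and the sample environment values are assumptions made for this example.

```java
import hudson.util.ArgumentListBuilder;
import java.util.List;
import java.util.Map;
import java.util.TreeMap;

/** Added example (hypothetical class, not part of the plugin). */
public class MaskedDockerExecArgs {

    /** Builds "docker exec --env K=V ... <container>" with every K=V pair flagged as masked. */
    public static ArgumentListBuilder buildExecPrefix(String containerId, Map<String, String> env) {
        ArgumentListBuilder args = new ArgumentListBuilder("docker", "exec");
        for (Map.Entry<String, String> e : new TreeMap<>(env).entrySet()) {
            args.add("--env");
            // addMasked keeps the real value for execution but sets the mask bit for logging.
            args.addMasked(e.getKey() + "=" + e.getValue());
        }
        args.add(containerId);
        return args;
    }

    /** Renders the command the way a log line should look, honouring the mask bits. */
    public static String loggable(ArgumentListBuilder args) {
        List<String> list = args.toList();
        boolean[] mask = args.toMaskArray();
        StringBuilder sb = new StringBuilder();
        for (int i = 0; i < list.size(); i++) {
            if (i > 0) sb.append(' ');
            sb.append(mask[i] ? "********" : list.get(i));
        }
        return sb.toString();
    }

    public static void main(String[] argv) {
        Map<String, String> env = new TreeMap<>();
        env.put("BUILD_NUMBER", "1");        // constructed sample values
        env.put("TEST_PWD", "pwd12345");     // the secret from the reproduction above
        ArgumentListBuilder args = buildExecPrefix("<container-id>", env);
        // The executable form still carries the real values (this is what the process receives):
        System.out.println(String.join(" ", args.toList()));
        // The loggable form hides them; a Decorator that forgets addMasked prints the first form instead.
        System.out.println(loggable(args));
    }
}
```

            The unmasked "docker exec --env TEST_PWD=pwd12345 ..." line in the job output above corresponds to the first println; the fix is to ensure the prefix takes the second path.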

            dnusbaum Devin Nusbaum added a comment -

            A fix for this issue was released in version 1.18 of the Docker Pipeline plugin. See the release notes on the plugin's wiki page for details.


            People

              jglick Jesse Glick
              vkravets Vladimir Kravets