Jenkins issue JENKINS-59214

BlueOcean UI and pipeline steps view (FlowGraphTable) reveal sensitive data


      Description

      When utilizing the "Mask Passwords Plugin" (https://wiki.jenkins.io/display/JENKINS/Mask+Passwords+Plugin) in a Jenkins Pipeline job as follows:

      vaultlookupsecret = 'mysupersekr3tp@sswordstuffz'

      wrap([$class: 'MaskPasswordsBuildWrapper', varPasswordPairs: [[var: 'vaultlookupsecret', password: vaultlookupsecret]], varMaskRegexes: []]) {
        script {
          mystuff = sh(script: "/bin/bash script.sh -p \"${vaultlookupsecret}\" > output_upload.txt", returnStatus: true).toString().trim()
        }
      }


      Within the "normal" Jenkins job logs this is properly masked as expected, and appears as follows:

      + /bin/bash script.sh -p ********

      When viewing these same logs in the "BlueOcean" pane, the top-level step displays the command line including the password in plaintext. When selecting the "dropdown" on this item within Blue Ocean, the log displays the same command line with the properly "masked" data.

      Top Level/Label in Blue Ocean:

      /bin/bash script.sh -p mysupersekr3tp@sswordstuffz

      Drop-Down in Blue Ocean:

      + /bin/bash script.sh -p ********

      I'm not sure if there is some configuration I need to make within BlueOcean, but "normal" logs are masked properly; it is only "BlueOcean" logs which seem unmasked (even though when selecting the drop-down, the log is again masked).


      Version(s):

      Jenkins 2.176.1

      BlueOcean Plugin: 1.17.0

      Mask Passwords Plugin 2.12.0


      Note: I selected "components: core" as I "think" the BlueOcean Plugin is technically "core" now, and there isn't a component for "BlueOcean" specifically.


          Activity

          pritam35 Pritam Sangani added a comment -

          The workaround that my team used was to add the secret variables in a withEnv block like this:

          withEnv(['PASSWORD=mypassword']) {
              sh 'echo $PASSWORD'   // single-quoted: the shell expands $PASSWORD at run time, Groovy does not
          }

          This would stop the pipeline steps from showing the command and instead would just print "Shell Script".

          This is a workaround - I really hope the team fixes this soon as it is a big security flaw.

          kmushegi Kote Mushegiani added a comment -

          Pritam Sangani can you please describe your workaround with a bit more detail? I tried using withEnv inside the wrap() block and in the BlueOcean header the secret still shows up. It is however masked in the drop-down as well as the pipeline.log file under artifacts.

          kmushegi Kote Mushegiani added a comment -

          I did manage to get this working using Pritam Sangani's suggestion. The trick is to use single quotes per the documentation here: jenkins.io/doc/pipeline/steps/credentials-binding/. The same logic with env variable interpolation seems to apply.

          Here's a working config that is masked both in logs and in the BlueOcean step header.

          token = "super-secret-sauce"
          final URL = "https://${token}@url.io/"
          // register the full URL (which embeds the token) with Mask Passwords
          wrap([$class: 'MaskPasswordsBuildWrapper', varPasswordPairs: [[password: URL]]]) {
              // pass the value through the environment; the single-quoted script keeps the literal $URL
              withEnv(["URL=${URL}"]) {
                  curlOut = sh(script: 'curl -s -w "%{http_code}" $URL', returnStdout: true)
                  curlHttpCode = curlOut.replaceAll("\\s", "").replaceAll("\\n|\\r", "").replaceAll("\\{|\\}", "")
                  echo curlHttpCode
                  assert curlHttpCode.equals("200")
              }
          }


          bitwiseman Liam Newman added a comment - - edited

          The documentation says it is not recommended to use Groovy string interpolation with secrets. See JENKINS-47101.

          If you follow that recommendation and use single-quoted string literals there is no issue.

          drw_08 Windom WU added a comment -

          Try to use the Groovy escape sign "\" in front of the dollar sign in double-quoted content:

          withCredentials(bindings: [certificate(credentialsId: 'jenkins-certificate-for-xyz',
                                                 keystoreVariable: 'CERTIFICATE_FOR_XYZ',
                                                 passwordVariable: 'XYZ_CERTIFICATE_PASSWORD')]) {
              // \$ stops Groovy from interpolating; the shell expands the variable at run time.
              // Variable names use underscores: the shell would parse ${XYZ-CERTIFICATE-PASSWORD}
              // as a default-value expansion of XYZ, not as a reference to the password variable.
              sh """
              echo \${XYZ_CERTIFICATE_PASSWORD}
              """
          }

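A scripted Pipeline that puts the interpolating form from the report next to the single-quoted and escaped forms recommended in the comments, added here as an example (it is not code from the issue or from the Jenkins project). The script name, the SECRET variable and the sample secret value are assumptions.

```groovy
// Added example, not code from the issue or the Jenkins project. Contrasts the
// pattern that leaks into the Blue Ocean / pipeline-steps label with the forms
// the thread recommends. The secret is a constructed sample value.
node {
    def secret = 'constructed-sample-secret'   // constructed, not a real credential

    wrap([$class: 'MaskPasswordsBuildWrapper',
          varPasswordPairs: [[var: 'SECRET', password: secret]]]) {

        // LEAKS: Groovy interpolates ${secret} before the sh step runs, so the step's
        // script argument (what Blue Ocean shows as the step label) already holds the
        // plaintext. Mask Passwords only rewrites console output, not step arguments.
        sh "/bin/bash script.sh -p '${secret}'"

        // SAFE: the value reaches the shell through the environment; the single-quoted
        // Groovy literal keeps the text '$SECRET' in the step argument and the shell
        // expands it at run time, so no view of the step argument contains the value.
        withEnv(["SECRET=${secret}"]) {
            sh '/bin/bash script.sh -p "$SECRET"'

            // SAFE inside a GString: escape the dollar sign so Groovy leaves the
            // reference untouched for the shell.
            sh """
                /bin/bash script.sh -p "\$SECRET"
            """
        }
    }
}
```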

            People

            Assignee: Unassigned
            Reporter: jlang1 Jason Lang
            Votes: 15
            Watchers: 19