  1. Jenkins
  2. JENKINS-59214

BlueOcean UI and pipeline steps view (FlowGraphTable) reveal sensitive data


      When utilizing the "Mask Passwords Plugin" https://wiki.jenkins.io/display/JENKINS/Mask+Passwords+Plugin

      In a Jenkins Pipeline Job as follows:

      vaultlookupsecret = 'mysupersekr3tp@sswordstuffz'
      wrap([$class: 'MaskPasswordsBuildWrapper', varPasswordPairs: [[var: 'vaultlookupsecret', password: vaultlookupsecret]], varMaskRegexes: []]) {
          mystuff = sh(script: "/bin/bash script.sh -p \"${vaultlookupsecret}\" > output_upload.txt", returnStatus: true).toString().trim()
      }

      Within the "normal" Jenkins job logs, this is properly masked as expected and appears as follows:

      + /bin/bash script.sh -p ********


      When viewing these same logs in the "BlueOcean" pane, the top-level step displays the command line including the password in plaintext. When selecting the "dropdown" on this item within BlueOcean, the log displays the same command line with the properly "masked" data.


      Top Level/Label in Blue Ocean:

      /bin/bash script.sh -p mysupersekr3tp@sswordstuffz


      Drop-Down in Blue Ocean:

      + /bin/bash script.sh -p ********


      I'm not sure if there is some configuration I need to make within BlueOcean, but "normal" logs are masked properly; it is only "BlueOcean" logs which seem unmasked (even though when selecting the drop-down, the log is again masked).



      Jenkins 2.176.1

      BlueOcean Plugin: 1.17.0

      Mask Passwords Plugin 2.12.0


      Note: I selected "components: core" as I "think" the BlueOcean Plugin is technically "core" now, and there isn't a component for "BlueOcean" specifically.


            Unassigned Unassigned
            jlang1 Jason Lang
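
One way to keep the secret out of the `sh` step's script argument, shown beside the reported form. This is an added example, not code from the report or from the Jenkins project; it swaps the Mask Passwords wrapper for the Credentials Binding plugin's `withCredentials` step and assumes a hypothetical "Secret text" credential with id `vault-lookup-secret` and a hypothetical variable name `VAULT_SECRET`.

```groovy
// Added example (not from the report). Assumes the Credentials Binding plugin
// and a hypothetical "Secret text" credential with id 'vault-lookup-secret'.
node {
    // Before (as in the report): the double-quoted GString is expanded by
    // Groovy, so the sh step receives the secret inside its script argument.
    //   sh(script: "/bin/bash script.sh -p \"${vaultlookupsecret}\" > output_upload.txt",
    //      returnStatus: true)

    // After: the secret is bound to an environment variable, and the
    // single-quoted script reaches the sh step with $VAULT_SECRET unexpanded.
    // Only the shell substitutes the value, at run time on the agent.
    withCredentials([string(credentialsId: 'vault-lookup-secret', variable: 'VAULT_SECRET')]) {
        def status = sh(
            script: '/bin/bash script.sh -p "$VAULT_SECRET" > output_upload.txt',
            returnStatus: true
        )
        if (status != 0) {
            error "script.sh exited with status ${status}"
        }
    }
}
```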