Jenkins / JENKINS-59214

BlueOcean UI and pipeline steps view (FlowGraphTable) reveal sensitive data

      When utilizing the "Mask Passwords Plugin" https://wiki.jenkins.io/display/JENKINS/Mask+Passwords+Plugin

      In a Jenkins Pipeline Job as follows:

      vaultlookupsecret = 'mysupersekr3tp@sswordstuffz'
      
      wrap([$class: 'MaskPasswordsBuildWrapper', varPasswordPairs: [[var: 'vaultlookupsecret', password: vaultlookupsecret]], varMaskRegexes: []]) {
      
        script{
          mystuff = sh(script: "/bin/bash script.sh -p \"${vaultlookupsecret}\" > output_upload.txt", returnStatus: true).toString().trim()
        }
      }
      

      Within the "normal" Jenkins job logs, this is properly masked as expected and appears as follows:

      + /bin/bash script.sh -p ********

       

      When viewing these same logs in the "BlueOcean" pane, the top-level step displays the command line including the password in plaintext. When selecting the "dropdown" on this item within BlueOcean, the log displays the same command line with the properly "masked" data.

       

      Top Level/Label in Blue Ocean:

      /bin/bash script.sh -p mysupersekr3tp@sswordstuffz

       

      Drop-Down in Blue Ocean:

      + /bin/bash script.sh -p ********

       

      I'm not sure if there is some configuration I need to make within BlueOcean, but "normal" logs are masked properly; it is only "BlueOcean" logs which seem unmasked (even though when selecting the drop-down, the log is again masked).

       

      Version(s):

      Jenkins 2.176.1

      BlueOcean Plugin: 1.17.0

      Mask Passwords Plugin 2.12.0

       

      Note: I selected "components: core" as I "think" the BlueOcean Plugin is technically "core" now, and there isn't a component for "BlueOcean" specifically.

       


          Jason Lang created issue -
          Oleg Nenashev made changes -
          Component/s New: blueocean-plugin [ 21481 ]
          Component/s Original: core [ 21134 ]
          Key Original: INFRA-2246 New: JENKINS-59214
          Workflow Original: classic default workflow [ 238988 ] New: JNJira + In-Review [ 239069 ]
          Project Original: Infrastructure [ 10301 ] New: Jenkins [ 10172 ]
          Gavin Mogan made changes -
          Component/s New: mask-passwords-plugin [ 15761 ]
          Vishal Meghani made changes -
          Attachment New: Screen Shot 2019-10-04 at 4.35.13 PM.png [ 49024 ]

          Vishal Meghani added a comment -

          Seeing strange behavior.

          If I use the echo below, then the password is not printed in the top-level step:

          wrap([$class: 'MaskPasswordsBuildWrapper', varPasswordPairs: [[password: pwd, var: user]]]) {
              this.sh(script: "echo pwd is : ${pwd} and uesr : ${user} abc0-myrepo2-0-prd.site.my.net").toString().trim()
          }

          But if I remove abc0-myrepo2-0-prd.site.my.net, then the header shows the pwd:

          wrap([$class: 'MaskPasswordsBuildWrapper', varPasswordPairs: [[password: pwd, var: user]]]) {
              this.sh(script: "echo pwd is : ${pwd} and user : ${user} ").toString().trim()
          }

          Adding here for reference to whoever is working on fixing this. Thanks.
          Simon O made changes -
          Attachment New: normalLog.png [ 51654 ]
          Simon O made changes -
          Attachment New: blueOceanUi.png [ 51655 ]
          Simon O made changes -
          Attachment New: pipelineStepsUi.png [ 51656 ]

          Simon O added a comment -

          Hi,

          I am facing the same issue but for me also the pipeline steps view (flowGraphTable) is affected and reveals all my sensitive data. I also tried using the log file filter plugin as well but the same behaviour could be observed.

          The issue can be explored by using the following pipeline snippet:

          node {
              def someSecret = "someSecret"
              wrap([$class: 'MaskPasswordsBuildWrapper', varPasswordPairs: [[password: someSecret]]]) {
                  echo "Secret String: " + someSecret
              }
          }

          The console + raw log is hiding the secret properly:

          Blue Ocean UI reveals the secret inside the header:

          Pipeline Steps View reveals secrets as well:

          Is there anything I am doing wrong here or is there another approach recommended for hiding sensitive data? Any help to solve the issue is highly appreciated.

          Best Regards,

          Simon
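The snippets in this report share one pattern: the masked variable is interpolated or concatenated into the step argument by Groovy before the step runs. The following check for that pattern in a Jenkinsfile is an added example, not code from the reporters or from any Jenkins plugin. The sample text is constructed from the snippets above (with the secret literal replaced by a placeholder), the function names are hypothetical, and the line-based heuristic does not handle multi-line or triple-quoted strings.

```python
import re

# Constructed sample: the pipeline snippets quoted in this issue (secret literal
# replaced by a placeholder) plus a single-quoted variant that Groovy leaves alone.
SAMPLE = r'''
vaultlookupsecret = 'placeholder'
wrap([$class: 'MaskPasswordsBuildWrapper', varPasswordPairs: [[var: 'vaultlookupsecret', password: vaultlookupsecret]], varMaskRegexes: []]) {
  mystuff = sh(script: "/bin/bash script.sh -p \"${vaultlookupsecret}\" > output_upload.txt", returnStatus: true)
  sh(script: '/bin/bash script.sh -p "$vaultlookupsecret"')
}
def someSecret = "someSecret"
wrap([$class: 'MaskPasswordsBuildWrapper', varPasswordPairs: [[password: someSecret]]]) {
  echo "Secret String: " + someSecret
}
'''

PAIR = re.compile(r"\bpassword:\s*([A-Za-z_]\w*)")   # password: <Groovy variable>
STEP = re.compile(r"\b(?:sh|bat|powershell|echo)\b")  # steps whose argument is shown as a label
# One pass over string literals: single-quoted first, so a '"$x"' is not
# mistaken for a GString; group 1 is set only for double-quoted strings.
STRINGS = re.compile(r"'(?:\\.|[^'\\])*'" r'|"((?:\\.|[^"\\])*)"')

def masked_variables(text):
    """Groovy variable names handed to varPasswordPairs as `password:`."""
    return set(PAIR.findall(text))

def find_leaky_steps(text):
    """Return [(line_no, variable)] where a step argument embeds a masked value."""
    hits = []
    secrets = sorted(masked_variables(text))
    for no, line in enumerate(text.splitlines(), 1):
        if "varPasswordPairs" in line or not STEP.search(line):
            continue
        gstrings = [m.group(1) for m in STRINGS.finditer(line) if m.group(1) is not None]
        bare = STRINGS.sub("", line)  # code with every string literal removed
        for var in secrets:
            v = re.escape(var)
            interpolated = any(re.search(r"(?<!\\)\$\{?%s\b" % v, s) for s in gstrings)
            concatenated = re.search(r"\+\s*%s\b|\b%s\s*\+" % (v, v), bare)
            if interpolated or concatenated:
                hits.append((no, var))
    return hits

if __name__ == "__main__":
    for no, var in find_leaky_steps(SAMPLE):
        print(f"line {no}: step argument contains the value of '{var}'")
```

The single-quoted `sh` line in the sample is not flagged because Groovy does not interpolate single-quoted strings, so the step argument holds only the literal `$vaultlookupsecret`.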

           

           

          Simon O made changes -
          Summary Original: BlueOcean output does not honor MaskedPassword Plugin New: BlueOcean UI and pipeline steps view (FlowGraphTable ) reveal sensitive data

            Assignee: Unassigned
            Reporter: Jason Lang (jlang1)
            Votes: 18
            Watchers: 22