  1. Jenkins
  2. JENKINS-59504

Credentials shown in plaintext in Splunk Console Output

    Details

    • Type: Bug
    • Status: Closed (View Workflow)
    • Priority: Minor
    • Resolution: Won't Do
    • Component/s: splunk-devops-plugin
    • Labels:
      None
    • Environment:
    • Similar Issues:

      Description

      Hello,

      I am having difficulties hiding sensitive information from Jenkins console log when sending to Splunk using splunk-devops* plugins and Splunk App for Jenkins.

      I tried using both ways of handling credentials in Jenkins (https://jenkins.io/doc/book/pipeline/jenkinsfile/#handling-credentials), using declarative pipeline with:

      1. credentials() helper method in environment section, credentials type Username with password
      2. withCredentials step in stage, credentials type Username with password

      If used within the pipeline the information does not get propagated to Splunk (which is probably OK).

      If used in conjunction with, for example, the 'sh' step, in the first case the credentials are propagated in plaintext to Splunk; in the second case only asterisks (as expected) are propagated:

      (Output from Splunk)

      1569315490.309 2019-09-24T08:58:10.309+0000 + echo 'Username and Password: myusername:mysecretpassword'
      1569315490.309 2019-09-24T08:58:10.309+0000 Username and Password: myusername:mysecretpassword
      1569315490.636 2019-09-24T08:58:10.636+0000 + echo 'Username: ****'
      1569315490.636 2019-09-24T08:58:10.636+0000 Username: ****
      1569315490.910 2019-09-24T08:58:10.910+0000 + echo 'Password: ****'
      1569315490.910 2019-09-24T08:58:10.910+0000 Password: ****

      When inspecting the Jenkins console log (see attachment), credentials are properly masked as expected.

      Am I using it wrong? Is the plugin compatible only with "withCredentials" step?

      Thank you for your help.

        Attachments

          Activity

          fengxx Ted Xiao added a comment -

          If you click "Pipeline Steps" on the job build page, you will find something like this:

          The env step is executed first, before sendSplunkConsoleLog

            environment {
              userAndPass = credentials('5d407101-23e0-43e7-83b6-badfdd189698')
            }
          

          And because sendSplunkConsoleLog is wrapped inside the scope, it sees the clear text instead of the masked text, just like other steps inside withCredentials such as

                  withCredentials([usernameColonPassword(credentialsId: '5d407101-23e0-43e7-83b6-badfdd189698', variable: 'abc')]) {
                    // sh step sees the clear text actually
                     sh "echo $abc > /tmp/abc.txt" 
                  }
          

          I think it is specific to declarative pipeline design: the environment step has higher order.

          In contrast, we can control the order of execution in scripted pipeline, such as

          sendSplunkConsoleLog {
              node {
                  echo "testing console log"
                  withCredentials([usernameColonPassword(credentialsId: 'blah', variable: 'abc')]) {
                     echo abc
                     sh "echo $abc"
                     echo "hello there"
                  }
                  echo "done"
              }
          }
          
          fengxx Ted Xiao added a comment -

          I would recommend scripted pipeline for such cases
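
A check for the leak discussed in this issue, as an added example that is not part of the original thread or of the plugin: it parses console lines in the layout shown in the Splunk output above and flags any line carrying a canary credential, either literally or in base64/URL-encoded form. The function names, the `CANARIES` labels and the final sample line are constructed for illustration.

```python
import base64
import re
from urllib.parse import quote

# Layout of the forwarded lines in the issue: "<epoch> <ISO timestamp> <console text>"
LINE_RE = re.compile(r"^(\d+\.\d+)\s+(\S+)\s(.*)$")

# Canary values taken from the issue's sample output; use throwaway credentials.
CANARIES = {"username": "myusername", "password": "mysecretpassword",
            "user:pass": "myusername:mysecretpassword"}

def secret_forms(secrets):
    """Map each searchable form (literal, base64, URL-encoded) to a label."""
    forms = {}
    for name, value in secrets.items():
        forms[value] = f"{name} (literal)"
        forms[base64.b64encode(value.encode()).decode()] = f"{name} (base64)"
        encoded = quote(value, safe="")
        if encoded != value:
            forms[encoded] = f"{name} (url-encoded)"
    return forms

def find_leaks(lines, secrets):
    """Return (epoch, label) for every forwarded line containing a canary value."""
    forms = secret_forms(secrets)
    leaks = []
    for raw in lines:
        m = LINE_RE.match(raw.strip())
        if not m:
            continue  # not a forwarded console line
        epoch, _iso, text = m.groups()
        leaks += [(epoch, label) for form, label in forms.items() if form in text]
    return leaks

# First six lines are from the issue; the last one is constructed (base64 case).
SAMPLE = [
    "1569315490.309 2019-09-24T08:58:10.309+0000 + echo 'Username and Password: myusername:mysecretpassword'",
    "1569315490.309 2019-09-24T08:58:10.309+0000 Username and Password: myusername:mysecretpassword",
    "1569315490.636 2019-09-24T08:58:10.636+0000 + echo 'Username: ****'",
    "1569315490.636 2019-09-24T08:58:10.636+0000 Username: ****",
    "1569315490.910 2019-09-24T08:58:10.910+0000 + echo 'Password: ****'",
    "1569315490.910 2019-09-24T08:58:10.910+0000 Password: ****",
    "1569315491.000 2019-09-24T08:58:11.000+0000 Authorization: Basic "
    + base64.b64encode(b"myusername:mysecretpassword").decode(),
]

if __name__ == "__main__":
    for epoch, label in find_leaks(SAMPLE, CANARIES):
        print(epoch, label)
```
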


            People

            Assignee:
            fengxx Ted Xiao
            Reporter:
            stanislav_bebej Stanislav Bebej