
Credentials binding plugin doubling $ characters inside secrets


    Details

    • Type: Bug
    • Status: Open
    • Priority: Minor
    • Resolution: Unresolved
    • Labels:
      None

      Description

      Hello,

      we (believe it's that plugin) are having an issue with Credentials Binding plugin version 1.23 (and 1.21).

      The issue:  When you have a dollar sign character "$" as part of your secret inside Jenkins credentials (credential type: secret text), it will actually be converted to double the amount of $ signs. So if your secret is e.g. 123$, it will be converted to 123$$

      We started noticing this issue with Credentials Binding plugin version 1.21 so we upgraded to 1.23 hoping it would be fixed, based on this (read "SECURITY-1835 / CVE-2020-2182")
      https://www.jenkins.io/security/advisory/2018-02-05/#credentials-binding

      Turns out upgrading the plugin only fixes the exposed secret in the logs (another issue we had), but does not fix doubling the $ sign.

      Steps to reproduce:
      1. Add a credential to Jenkins of type "secret text", having the password contain a dollar sign $.
      2. Use the credentials in your pipeline and perhaps save them into a file, archive it and read it later to see what the passed credential is; for us it doubles the $ sign.

      We noticed it in a .yaml file when we used Helm, so I'm pasting a portion of that, exactly how we use it. The pipeline below produces a "testrail-template.yaml" and I can read it from the Jenkins UI; the password passed in there contains a doubled dollar sign character.

      #!/usr/bin/env groovy

      @Library('tools') _
      def rdsCredentialsId = 'testrail-test6'

      pipeline {
        agent { label "aws-agent" }
        stages {
          stage('test') {
            environment {
              // secret text credential bound to DB_PASSWORD
              DB_PASSWORD = credentials("${rdsCredentialsId}")
            }
            steps {
              container('jenkins-k8s') {
                script {
                  // triple single quotes: ${DB_PASSWORD} is expanded by the shell, not by Groovy
                  sh '''
                  helmcustom="helm template -f ./testrail/values-staging.yaml \
                  --set secret.db.password='${DB_PASSWORD}'"

                  bash -c "$helmcustom testrail > testrail-template.yaml"
                  '''
                  archiveArtifacts 'testrail-template.yaml'
                }
              }
            }
          }
        }
      }


      Let me know if you have any questions!
      Thanks!
      Marcin
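
The reproduction above ends with reading the archived template by eye, which means the secret ends up in an artifact and in someone's browser. The following added example (not part of the report and not plugin code) shows a checker that classifies what reached the rendered template as "ok", "doubled" or "mismatch" without ever logging the secret value; the YAML fragment is constructed to mimic step 2, and Python is used rather than Groovy so it runs outside Jenkins.

```python
import hashlib
import hmac
import re

# Constructed stand-in for the archived testrail-template.yaml from step 2
# of the report; a real run would take the output of `helm template`.
RENDERED_TEMPLATE = """\
apiVersion: v1
kind: Secret
metadata:
  name: testrail-db
stringData:
  password: "123$$"
"""


def _extract_scalar(rendered_yaml: str, key: str = "password") -> str:
    """Return the scalar bound to `key:` in the rendered template, quotes stripped."""
    match = re.search(rf"^\s*{re.escape(key)}:\s*(.*?)\s*$", rendered_yaml, re.M)
    if match is None:
        raise KeyError(f"no '{key}' entry found in rendered template")
    return match.group(1).strip("\"'")


def _digest(value: str) -> bytes:
    return hashlib.sha256(value.encode("utf-8")).digest()


def check_binding(rendered_yaml: str, expected_secret: str) -> str:
    """Classify the value that reached the template without exposing it.

    "ok"       - the template holds exactly the stored secret
    "doubled"  - every '$' became '$$', the behaviour described in the report
    "mismatch" - anything else (wrong credential, extra escaping, truncation)
    Only this verdict is meant to be logged; comparisons go through digests
    and a constant-time compare so the secret never appears in output.
    """
    found = _digest(_extract_scalar(rendered_yaml))
    if hmac.compare_digest(found, _digest(expected_secret)):
        return "ok"
    doubled = expected_secret.replace("$", "$$")
    if "$" in expected_secret and hmac.compare_digest(found, _digest(doubled)):
        return "doubled"
    return "mismatch"


if __name__ == "__main__":
    # The stored secret in the report's example is 123$ and the template shows 123$$.
    print("binding check:", check_binding(RENDERED_TEMPLATE, "123$"))
```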



          Activity

          There are no comments yet on this issue.

            People

            Assignee:
            Unassigned Unassigned
            Reporter:
            kwic Marcin Kwiecien
