Jenkins / JENKINS-63254: Warn against using secrets in groovy strings


    Details

    Released As: 2.85

      Description

      It is possible to accidentally leak secrets, such as credentials, when using groovy strings (i.e. double quotes ").

      In a groovy string, any secrets in the string will be interpolated by groovy before being processed for further use. This can allow other processes to accidentally expose the secret. For example:

      // Terribly obvious example
      node {
          withCredentials([usernamePassword(credentialsId: 'bobid', usernameVariable: 'USERNAME', passwordVariable: 'PASSWORD')]) {
              sh "echo $PASSWORD"
          }
      }
      

      Any secrets should be used in single quotes so that they are expanded by the shell as an environment variable instead:

      node {
          withCredentials([usernamePassword(credentialsId: 'bobid', usernameVariable: 'USERNAME', passwordVariable: 'PASSWORD')]) {
              sh 'echo $PASSWORD'
          }
      }
      

      This behavior is already discouraged in the credentials-binding docs as well as in various other places, but it would be ideal to have some mechanism that warns against this usage.

            Activity

            reinholdfuereder Reinhold Füreder added a comment -

            According to https://github.com/jenkinsci/workflow-cps-plugin/blob/master/CHANGELOG.md this nice feature has allegedly already been released? But ticket status is still "Open"?

            carroll Carroll Chiou added a comment -

            That was actually a mistake as I meant to only prepare the changelog for a 2.85 release. Will correct the changelog.

            That said, the commit only happened an hour ago, so it is fair to say that this ticket may not be updated instantaneously at the moment of release/merge.

            ckullabosch Christoph Kulla added a comment -

            There is a potential regression, see JENKINS-64185.

            c_koell Claus Köll added a comment -

            As described, the warning message is displayed if double quotes are used.

            // Terribly obvious example
            node {
                withCredentials([usernamePassword(credentialsId: 'bobid', usernameVariable: 'USERNAME', passwordVariable: 'PASSWORD')]) {
                    sh "echo $PASSWORD"
                }
            } 

            But we use the following snippet in a Groovy script.

            withCredentials([string(credentialsId: credentialId, variable: 'password')]) {     
                bat "mvn flyway:baseline -P${mavenProfile} -Duser.name=${env.USER_NAME} -Dflyway.password=${password}"
            } 

            I think we need double quotes because we want to use the environment variable env.USER_NAME inside the script block.

            Is there another way?

            c_koell Claus Köll added a comment -

            Carroll Chiou As mentioned in my previous comment, is there another way to use variables in single quotes?

            carroll Carroll Chiou added a comment -

            Claus Köll In your particular case, you might try and break down the command into a combination of single and double quotes. So maybe:

            "mvn flyway:baseline -P${mavenProfile} -Duser.name=${env.USER_NAME}" + ' -Dflyway.password=${password}'
            jglick Jesse Glick added a comment -

            Carroll Chiou Claus Köll no, use

            withEnv(["PROFILE=$mavenProfile"]) {
              withCredentials([string(credentialsId: credentialId, variable: 'PASSWORD')]) {
                bat 'mvn flyway:baseline -P%PROFILE% -Duser.name=%USER_NAME% -Dflyway.password=%PASSWORD%'
              }
            }
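
            The following is an added example, not code from the issue or from the workflow-cps plugin: a small Python checker that reproduces the idea behind the warning this issue asks for. It scans a Pipeline script for variable names bound by withCredentials and reports every Groovy double-quoted (GString) literal that interpolates one of them, which is exactly the case in the description where the secret is baked into the command text before sh or bat runs it; single-quoted literals such as Jesse Glick's withEnv form above pass, because Groovy leaves $VAR or %VAR% for the shell to expand. The regex-based string scanner is a simplification of Groovy syntax (slashy strings and quotes inside // comments are not handled), and the sample scripts are constructed for this example from the snippets in the thread.

```python
"""Static check for Jenkins Pipeline scripts: flag credential variables that
are interpolated inside Groovy double-quoted (GString) literals instead of
being referenced from a single-quoted string for the shell to expand.
Added example; not the workflow-cps plugin's own warning implementation."""
import re

# Variable names bound by withCredentials(...) helpers, e.g.
# usernamePassword(..., usernameVariable: 'U', passwordVariable: 'P') or
# string(credentialsId: ..., variable: 'P').
BINDING_RE = re.compile(
    r"""\b(?:usernameVariable|passwordVariable|variable)\s*:\s*['"]([A-Za-z_]\w*)['"]"""
)

# Groovy string literals. The triple-quoted forms must be tried before the
# plain forms. Only the double-quoted forms are GStrings, i.e. interpolated
# by Groovy before the sh/bat step ever sees the command. Slashy (/.../) and
# dollar-slashy ($/.../$) strings, and quotes inside // comments, are not
# handled by this simplified scanner (assumption of this example).
STRING_RE = re.compile(
    r'"""(?:\\.|[^\\])*?"""'        # triple double-quoted GString
    r'|"(?:\\.|[^"\\\n])*"'        # double-quoted GString
    r"|'''(?:\\.|[^\\])*?'''"       # triple single-quoted literal
    r"|'(?:\\.|[^'\\\n])*'",        # single-quoted literal
    re.S,
)

# $NAME, $a.b or ${ expression } inside a GString. A preceding backslash
# escapes the dollar sign and makes it literal, so those are excluded.
INTERP_RE = re.compile(r"(?<!\\)\$(\{[^}]*\}|[A-Za-z_][\w.]*)")
IDENT_RE = re.compile(r"[A-Za-z_]\w*")


def find_interpolated_secrets(script):
    """Return a list of (line, variable, literal) tuples, one for each GString
    in `script` that interpolates a variable bound by withCredentials."""
    bound = set(BINDING_RE.findall(script))
    findings = []
    for m in STRING_RE.finditer(script):
        literal = m.group(0)
        if not literal.startswith('"'):
            continue  # single-quoted: Groovy leaves $VAR alone for the shell
        line = script.count("\n", 0, m.start()) + 1
        for ref in INTERP_RE.finditer(literal):
            for name in sorted(set(IDENT_RE.findall(ref.group(1))) & bound):
                findings.append((line, name, literal))
    return findings


# Constructed samples built from the snippets in this issue.
UNSAFE_EXAMPLE = r"""node {
    withCredentials([usernamePassword(credentialsId: 'bobid', usernameVariable: 'USERNAME', passwordVariable: 'PASSWORD')]) {
        sh "echo $PASSWORD"
    }
}
"""

SAFE_EXAMPLE = r"""node {
    withCredentials([usernamePassword(credentialsId: 'bobid', usernameVariable: 'USERNAME', passwordVariable: 'PASSWORD')]) {
        sh 'echo $PASSWORD'
    }
}
"""

FLYWAY_EXAMPLE = r"""withCredentials([string(credentialsId: credentialId, variable: 'password')]) {
    bat "mvn flyway:baseline -P${mavenProfile} -Duser.name=${env.USER_NAME} -Dflyway.password=${password}"
}
"""

WITHENV_EXAMPLE = r"""withEnv(["PROFILE=$mavenProfile"]) {
  withCredentials([string(credentialsId: credentialId, variable: 'PASSWORD')]) {
    bat 'mvn flyway:baseline -P%PROFILE% -Duser.name=%USER_NAME% -Dflyway.password=%PASSWORD%'
  }
}
"""

# Escaped dollar sign: Groovy keeps "\$PASSWORD" literal, so no leak.
ESCAPED_EXAMPLE = r"""withCredentials([string(credentialsId: 'bobid', variable: 'PASSWORD')]) {
    sh "echo \$PASSWORD"
}
"""

if __name__ == "__main__":
    samples = [("unsafe", UNSAFE_EXAMPLE), ("safe", SAFE_EXAMPLE),
               ("flyway", FLYWAY_EXAMPLE), ("withEnv", WITHENV_EXAMPLE),
               ("escaped", ESCAPED_EXAMPLE)]
    for label, script in samples:
        for line, name, literal in find_interpolated_secrets(script):
            print(f"{label}:{line}: credential variable {name!r} interpolated in {literal}")
```

Run as a script it reports only the two GString cases (the description's `sh "echo $PASSWORD"` and the `bat "... -Dflyway.password=${password}"` command), while the single-quoted and withEnv variants produce nothing, which matches the behaviour the thread converges on: keep the secret reference inside single quotes and move any other interpolated values into environment variables.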
            
            c_koell Claus Köll added a comment -

            Thanks, I will try it...


              People

              Assignee: Carroll Chiou
              Reporter: Carroll Chiou
              Votes: 0
              Watchers: 5
