JENKINS-63254

Warn against using secrets in groovy strings


Details

    • 2.85

    Description

      It is possible to accidentally leak secrets, such as credentials, when using groovy strings (i.e. double quotes ").

      In a groovy string, any secrets in the string will be interpolated by groovy before being processed for further use. This can allow other processes to accidentally expose the secret. For example:

      // Terribly obvious example
      node {
          withCredentials([usernamePassword(credentialsId: 'bobid', usernameVariable: 'USERNAME', passwordVariable: 'PASSWORD')]) {
              sh "echo $PASSWORD"
          }
      }
      

      Any secrets should be used in single quotes so that they are expanded by the shell as an environment variable instead:

      node {
          withCredentials([usernamePassword(credentialsId: 'bobid', usernameVariable: 'USERNAME', passwordVariable: 'PASSWORD')]) {
              sh 'echo $PASSWORD'
          }
      }
      

      This behavior is already discouraged in the credentials-binding docs as well as in various other places, but it would be ideal to have some mechanism that warns against this usage.

          Activity

            reinholdfuereder Reinhold Füreder added a comment -

            According to https://github.com/jenkinsci/workflow-cps-plugin/blob/master/CHANGELOG.md this nice feature has allegedly already been released? But ticket status is still "Open"?

            carroll Carroll Chiou added a comment -

            That was actually a mistake as I meant to only prepare the changelog for a 2.85 release. Will correct the changelog.

            That said, the commit only happened an hour ago, so it is fair to say that these tickets may not be updated instantaneously the moment of release/merge.

            ckullabosch Christoph Kulla added a comment -

            There is a potential regression, see JENKINS-64185.

            c_koell Claus Köll added a comment -

            As described, the warning message will be displayed if double quotes are used.

            // Terribly obvious example
            node {
                withCredentials([usernamePassword(credentialsId: 'bobid', usernameVariable: 'USERNAME', passwordVariable: 'PASSWORD')]) {
                    sh "echo $PASSWORD"
                }
            } 

            But we use following snippet in a groovy script.

            withCredentials([string(credentialsId: credentialId, variable: 'password')]) {     
                bat "mvn flyway:baseline -P${mavenProfile} -Duser.name=${env.USER_NAME} -Dflyway.password=${password}"
            } 

            I think we need double quotes because we want to use the environment variable env.USER_NAME inside the script block.

            Is there another way?

            c_koell Claus Köll added a comment -

            carroll As mentioned in my previous comment, is there another way to use variables in single quotes?

            carroll Carroll Chiou added a comment -

            c_koell In your particular case, you might try and break down the command into a combination of single and double quotes. So maybe:

            "mvn flyway:baseline -P${mavenProfile} -Duser.name=${env.USER_NAME}" + '-Dflyway.password=${password}'
            jglick Jesse Glick added a comment -

            carroll c_koell no, use

            withEnv(["PROFILE=$mavenProfile"]) {
              withCredentials([string(credentialsId: credentialId, variable: 'PASSWORD')]) {
                bat 'mvn flyway:baseline -P%PROFILE% -Duser.name=%USER_NAME% -Dflyway.password=%PASSWORD%'
              }
            }
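The check the description asks for, and the single-quote / withEnv form Jesse Glick gives above, can be exercised mechanically. The following is an added example written for this page, not the workflow-cps plugin's own warning code: it collects the variable names bound by withCredentials (assuming the usual `variable:` / `*Variable:` binding keys), then flags sh/bat/powershell steps whose double-quoted Groovy string (GString) interpolates one of them, which is where the secret gets baked into the script text before the shell ever runs. Run over the two snippets from the description, the bat snippets from the comments, and one constructed triple-quoted case, it reports the double-quoted forms and passes the single-quoted and withEnv forms. The regexes approximate Groovy syntax rather than parsing it.

```python
"""
Added example for JENKINS-63254: flag withCredentials variables interpolated into
double-quoted Groovy strings passed to shell-like steps. Not the workflow-cps
plugin's implementation; the regexes are an approximation of Groovy syntax that
is sufficient for the snippets on the issue.
"""
import re

# `variable: 'NAME'`, `usernameVariable: 'NAME'`, `passwordVariable: 'NAME'`, ...
# as written in withCredentials bindings (assumed naming convention).
BINDING_RE = re.compile(r"""\b\w*[vV]ariable\s*:\s*['"]([A-Za-z_]\w*)['"]""")

# A shell-like step whose script argument is a double-quoted Groovy string, in the
# `sh "..."`, `sh("...")`, `sh(script: "...")` and triple-quoted `sh """..."""` forms.
# Single-quoted arguments never match, which is the point: Groovy does not
# interpolate them, so the shell expands $VAR / %VAR% itself at run time.
STEP_RE = re.compile(
    r"""\b(sh|bat|powershell|pwsh)\s*\(?\s*(?:script\s*:\s*)?("{3}.*?"{3}|"(?:[^"\\]|\\.)*")""",
    re.DOTALL,
)


def bound_credential_vars(source):
    """Names that withCredentials bindings in this file put into the environment."""
    return set(BINDING_RE.findall(source))


def gstring_references(gstring, names):
    """Bound names Groovy would interpolate in this GString: $NAME, ${NAME} or ${env.NAME}."""
    found = []
    for name in sorted(names):
        esc = re.escape(name)
        if re.search(rf"\$\{{\s*(?:env\.)?{esc}\s*\}}|\$(?:env\.)?{esc}\b", gstring):
            found.append(name)
    return found


def find_interpolated_secrets(source):
    """Return [(line, step, [names])] for each step whose GString bakes a bound secret in.

    A bound name is treated as bound anywhere in the file (over-approximation): this
    may flag a same-named non-secret variable elsewhere, but never misses a
    reference inside the withCredentials block.
    """
    names = bound_credential_vars(source)
    findings = []
    for m in STEP_RE.finditer(source):
        step, gstring = m.group(1), m.group(2)
        hits = gstring_references(gstring, names)
        if hits:
            line = source.count("\n", 0, m.start()) + 1
            findings.append((line, step, hits))
    return findings


# Snippets from the issue: LEAKY/FIXED from the description, CLAUS/GLICK from the
# comment thread. TRIPLE is a constructed case for the triple-quoted script form.
LEAKY = """node {
    withCredentials([usernamePassword(credentialsId: 'bobid', usernameVariable: 'USERNAME', passwordVariable: 'PASSWORD')]) {
        sh "echo $PASSWORD"
    }
}"""

FIXED = LEAKY.replace('sh "echo $PASSWORD"', "sh 'echo $PASSWORD'")

CLAUS = """withCredentials([string(credentialsId: credentialId, variable: 'password')]) {
    bat "mvn flyway:baseline -P${mavenProfile} -Duser.name=${env.USER_NAME} -Dflyway.password=${password}"
}"""

GLICK = """withEnv(["PROFILE=$mavenProfile"]) {
  withCredentials([string(credentialsId: credentialId, variable: 'PASSWORD')]) {
    bat 'mvn flyway:baseline -P%PROFILE% -Duser.name=%USER_NAME% -Dflyway.password=%PASSWORD%'
  }
}"""

TRIPLE = '''node {
    withCredentials([usernamePassword(credentialsId: 'bobid', usernameVariable: 'USERNAME', passwordVariable: 'PASSWORD')]) {
        sh(script: """
            ./deploy.sh --user $USERNAME --password $PASSWORD
        """)
    }
}'''

if __name__ == "__main__":
    samples = [("description, double quotes", LEAKY), ("description, single quotes", FIXED),
               ("comment, bat with ${password}", CLAUS), ("comment, withEnv + single quotes", GLICK),
               ("constructed, triple-quoted", TRIPLE)]
    for label, src in samples:
        findings = find_interpolated_secrets(src)
        if not findings:
            print(f"{label}: ok")
        for line, step, names in findings:
            print(f"{label}: line {line}: {step} step interpolates secret(s) {', '.join(names)} in a Groovy string")
```

The linter is only as good as its view of what is bound: a credential referenced through `${env.NAME}` still counts because the value is substituted by Groovy either way, while `%NAME%` and `$NAME` inside single quotes are expanded by the shell and never reach the Groovy string, which is why the withEnv variant above is silent.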
            c_koell Claus Köll added a comment -

            Thanks i will try it ...

