• 2.85

      It is possible to accidentally leak secrets, such as credentials, when using Groovy strings (i.e. double quotes ").

      In a Groovy string, any secrets in the string will be interpolated by Groovy before being processed for further use. This can allow other processes to accidentally expose the secret. For example:

      // Terribly obvious example
      node {
          withCredentials([usernamePassword(credentialsId: 'bobid', usernameVariable: 'USERNAME', passwordVariable: 'PASSWORD')]) {
              sh "echo $PASSWORD"
          }
      }
      

      Any secrets should be used in single quotes so that they are expanded by the shell as an environment variable instead:

      node {
          withCredentials([usernamePassword(credentialsId: 'bobid', usernameVariable: 'USERNAME', passwordVariable: 'PASSWORD')]) {
              sh 'echo $PASSWORD'
          }
      }
      

      This behavior is already discouraged in the credentials-binding docs as well as in various other places, but it would be ideal to have some mechanism that warns against this usage.

          [JENKINS-63254] Warn against using secrets in groovy strings

          Reinhold Füreder added a comment -

          According to https://github.com/jenkinsci/workflow-cps-plugin/blob/master/CHANGELOG.md this nice feature has allegedly already been released? But ticket status is still "Open"?

          Carroll Chiou added a comment -

          That was actually a mistake as I meant to only prepare the changelog for a 2.85 release. Will correct the changelog.

          That said, the commit only happened an hour ago, so it is fair to say that this ticket may not be updated instantaneously the moment of release/merge.


          Christoph Kulla added a comment -

          There is a potential regression, see JENKINS-64185.

          Claus Köll added a comment -

          As described, the warning message is displayed if double quotes are used.

          // Terribly obvious example
          node {
              withCredentials([usernamePassword(credentialsId: 'bobid', usernameVariable: 'USERNAME', passwordVariable: 'PASSWORD')]) {
                  sh "echo $PASSWORD"
              }
          } 

          But we use the following snippet in a Groovy script.

          withCredentials([string(credentialsId: credentialId, variable: 'password')]) {     
              bat "mvn flyway:baseline -P${mavenProfile} -Duser.name=${env.USER_NAME} -Dflyway.password=${password}"
          } 

          I think we need double quotes because we want to use the environment variable env.USER_NAME inside the script block.

          Is there another way?


          Claus Köll added a comment -

          carroll As mentioned in my previous comment, is there another way to use variables in single quotes?


          Carroll Chiou added a comment -

          c_koell In your particular case, you might try and break down the command into a combination of single and double quotes. So maybe:

          "mvn flyway:baseline -P${mavenProfile} -Duser.name=${env.USER_NAME}" + ' -Dflyway.password=${password}'


          Jesse Glick added a comment -

          carroll c_koell no, use

          withEnv(["PROFILE=$mavenProfile"]) {
            withCredentials([string(credentialsId: credentialId, variable: 'PASSWORD')]) {
              bat 'mvn flyway:baseline -P%PROFILE% -Duser.name=%USER_NAME% -Dflyway.password=%PASSWORD%'
            }
          }
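As an added illustration (not code from this ticket or from the workflow-cps plugin), the following Python check mirrors the kind of warning requested here: it collects the variable names bound by withCredentials and flags any that are referenced through Groovy interpolation ($VAR or ${VAR}) inside a double-quoted string. It runs over the three snippets from this thread (the description's sh example, the bat snippet, and the withEnv fix), embedded as constructed samples; it is a simplified line-based scan that ignores triple-quoted and slashy strings, not the plugin's implementation.

```python
import re

# Variable names bound by withCredentials, e.g. usernameVariable: 'USERNAME',
# passwordVariable: 'PASSWORD' or variable: 'password'.
BINDING_RE = re.compile(
    r"\b(?:usernameVariable|passwordVariable|variable)\s*:\s*'([A-Za-z_]\w*)'")

# Groovy double-quoted (GString) literals on one line; single-quoted strings
# are never interpolated by Groovy, so they are deliberately not matched.
GSTRING_RE = re.compile(r'"((?:[^"\\]|\\.)*)"')


def credential_vars(script):
    """Return the set of variable names bound by withCredentials in script."""
    return set(BINDING_RE.findall(script))


def find_leaks(script):
    """Return (line, var, literal) for each credential variable referenced as
    $VAR or ${VAR} inside a double-quoted string, i.e. interpolated by Groovy
    into the command text before the sh/bat step ever runs it."""
    names = credential_vars(script)
    hits = []
    for lineno, line in enumerate(script.splitlines(), start=1):
        for literal in GSTRING_RE.findall(line):
            for name in sorted(names):
                if re.search(r"\$\{?" + re.escape(name) + r"\b", literal):
                    hits.append((lineno, name, literal))
    return hits


# Constructed samples taken from this ticket's discussion.
LEAKY_SH = '''node {
    withCredentials([usernamePassword(credentialsId: 'bobid', usernameVariable: 'USERNAME', passwordVariable: 'PASSWORD')]) {
        sh "echo $PASSWORD"
    }
}'''

LEAKY_BAT = '''withCredentials([string(credentialsId: credentialId, variable: 'password')]) {
    bat "mvn flyway:baseline -P${mavenProfile} -Duser.name=${env.USER_NAME} -Dflyway.password=${password}"
}'''

SAFE_BAT = '''withEnv(["PROFILE=$mavenProfile"]) {
  withCredentials([string(credentialsId: credentialId, variable: 'PASSWORD')]) {
    bat 'mvn flyway:baseline -P%PROFILE% -Duser.name=%USER_NAME% -Dflyway.password=%PASSWORD%'
  }
}'''

if __name__ == "__main__":
    for label, script in [("sh", LEAKY_SH), ("bat", LEAKY_BAT), ("fixed", SAFE_BAT)]:
        for lineno, name, literal in find_leaks(script):
            print(f"{label}: line {lineno}: credential {name!r} interpolated in \"{literal}\"")
```

The withEnv variant produces no findings because the batch step receives a single-quoted string and expands %PASSWORD% itself.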
          


          Claus Köll added a comment -

          Thanks i will try it ...

