  1. Jenkins
  2. JENKINS-63254

Warn against using secrets in groovy strings


Details

    • 2.85

    Description

      It is possible to accidentally leak secrets, such as credentials, when using groovy strings (i.e. double quotes ").

      In a groovy string, any secrets in the string will be interpolated by groovy before being processed for further use. This can allow other processes to accidentally expose the secret. For example:

      // Terribly obvious example
      node {
          withCredentials([usernamePassword(credentialsId: 'bobid', usernameVariable: 'USERNAME', passwordVariable: 'PASSWORD')]) {
              sh "echo $PASSWORD"
          }
      }
      

      Any secrets should be used in single quotes so that they are expanded by the shell as an environment variable instead:

      node {
          withCredentials([usernamePassword(credentialsId: 'bobid', usernameVariable: 'USERNAME', passwordVariable: 'PASSWORD')]) {
              sh 'echo $PASSWORD'
          }
      }
      

      This behavior is already discouraged in the credentials-binding docs as well as various places, but it would be ideal to have some mechanism that warns against this usage.
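
One form such a warning mechanism could take is a static check over the Pipeline script. The Python sketch below is an added example, not part of this issue or of Jenkins' own code; the function name and the sample script are constructed. It assumes bound names appear as literal `...Variable: 'NAME'` arguments, and it does not track `withCredentials` block scope or Groovy slashy strings.

```python
import re

# Names bound by withCredentials (usernameVariable, passwordVariable, variable, ...).
BINDING_RE = re.compile(r"\b\w*[vV]ariable\s*:\s*(['\"])(\w+)\1")
# Lexer: comments and single-quoted strings are consumed so quotes inside them are
# ignored; only double-quoted (GString) bodies are captured in named groups.
TOKEN_RE = re.compile(
    r"//[^\n]*|/\*.*?\*/"
    r"|'''.*?'''|'(?:[^'\\\n]|\\.)*'"
    r'|"""(?P<triple>.*?)"""|"(?P<double>(?:[^"\\\n]|\\.)*)"',
    re.S)
# Unescaped $NAME, ${NAME}, $env.NAME or ${env.NAME}: expanded by Groovy, not the shell.
INTERP_RE = re.compile(r"(?<!\\)\$\{?\s*(?:env\.)?(\w+)")


def find_interpolated_secrets(pipeline_text):
    """Return sorted (line, variable) pairs where Groovy interpolates a bound secret."""
    secrets = {m.group(2) for m in BINDING_RE.finditer(pipeline_text)}
    findings = set()
    for tok in TOKEN_RE.finditer(pipeline_text):
        name = tok.lastgroup          # None for comments and single-quoted strings
        if name is None:
            continue
        offset = tok.start(name)
        for m in INTERP_RE.finditer(tok.group(name)):
            if m.group(1) in secrets:
                line = pipeline_text.count("\n", 0, offset + m.start()) + 1
                findings.add((line, m.group(1)))
    return sorted(findings)


# Constructed sample: the two snippets from the issue plus edge cases.
SAMPLE = r'''node {
  withCredentials([usernamePassword(credentialsId: 'bobid', usernameVariable: 'USERNAME', passwordVariable: 'PASSWORD')]) {
    sh "echo $PASSWORD"                        // flagged: Groovy interpolates
    sh 'echo $PASSWORD'                        // ok: the shell expands it
    sh 'curl -u "$USERNAME:$PASSWORD" https://example.invalid'   // ok: inner quotes
    sh "echo \$PASSWORD in ${env.BUILD_ID}"    // ok: escaped dollar, unbound name
    sh "curl -u ${USERNAME}:${env.PASSWORD} https://example.invalid"   // flagged twice
  }
}
'''

if __name__ == "__main__":
    for line, var in find_interpolated_secrets(SAMPLE):
        print(f"line {line}: {var} is interpolated by Groovy; use single quotes")
```

Consuming single-quoted strings and comments as whole tokens is what keeps the shell-quoted `"$USERNAME:$PASSWORD"` on line 5 from being reported.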

            People

              carroll Carroll Chiou