- New Feature
- Resolution: Fixed
- Major
- None
- 2.85
It is possible to accidentally leak secrets, such as credentials, when using Groovy strings (i.e. double-quoted strings, "...").
In a Groovy string, any secrets in the string will be interpolated by Groovy before being processed for further use. This can allow other processes to accidentally expose the secret. For example:

    // Terribly obvious example
    node {
      withCredentials([usernamePassword(credentialsId: 'bobid', usernameVariable: 'USERNAME', passwordVariable: 'PASSWORD')]) {
        sh "echo $PASSWORD"
      }
    }
Any secrets should be used in single quotes so that they are expanded by the shell as an environment variable instead:

    node {
      withCredentials([usernamePassword(credentialsId: 'bobid', usernameVariable: 'USERNAME', passwordVariable: 'PASSWORD')]) {
        sh 'echo $PASSWORD'
      }
    }
This behavior is already discouraged in the credentials-binding docs as well as in various other places, but it would be ideal to have some mechanism that warns against this usage.
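The warning mechanism the description asks for can be approximated with a static check over a Jenkinsfile. The following is an added example and is not code from the original issue or from Jenkins: a Python linter that collects the variable names bound by withCredentials (usernameVariable, passwordVariable, variable, and the other *Variable bindings) and reports every $VAR or ${VAR} reference inside a double-quoted GString argument to sh, bat, powershell or pwsh, including the triple-quoted """...""" form and the sh(script: "...") form. Single-quoted arguments and backslash-escaped \$VAR references are not reported, because Groovy does not interpolate them. The sample Jenkinsfile, the credentialsId bobid aside, is constructed for this example.

```python
import re

# Constructed sample Jenkinsfile (not from the original issue): leaky and safe steps side by side.
SAMPLE_JENKINSFILE = r'''
node {
  withCredentials([usernamePassword(credentialsId: 'bobid',
                                    usernameVariable: 'USERNAME',
                                    passwordVariable: 'PASSWORD')]) {
    sh "echo $PASSWORD"            // leaks: Groovy interpolates before sh sees it
    sh "echo \$PASSWORD"           // safe: escaped, so the shell expands it
    sh 'echo $PASSWORD'            // safe: single-quoted, so the shell expands it
    sh """
      curl -u $USERNAME:${PASSWORD} https://example.invalid/
    """                            // leaks: triple-double-quoted GStrings interpolate too
    bat "echo %PASSWORD%"          // not flagged: Groovy leaves %VAR% alone
  }
}
'''

# Variables bound by withCredentials: usernameVariable, passwordVariable, variable,
# keyFileVariable, passphraseVariable, ... (any binding key ending in "Variable").
BINDING_RE = re.compile(r"\b\w*[vV]ariable\s*:\s*['\"]([A-Za-z_]\w*)['\"]")

# Double-quoted (GString) arguments to sh/bat/powershell/pwsh, in the forms
#   sh "...", sh("..."), sh(script: "...") and the triple-quoted """...""" variants.
# Single-quoted arguments never match, which is the point: Groovy does not interpolate them.
GSTRING_STEP_RE = re.compile(
    r'\b(sh|bat|powershell|pwsh)\s*\(?\s*(?:script\s*:\s*)?'
    r'(?:"""(.*?)"""|"((?:[^"\\]|\\.)*)")',
    re.S,
)

# $NAME or ${NAME}; a preceding backslash (\$NAME) means Groovy leaves it for the shell.
REF_RE = re.compile(r'(?<!\\)\$(?:\{\s*([A-Za-z_]\w*)\s*\}|([A-Za-z_]\w*))')


def bound_variables(text):
    """Names of every environment variable that withCredentials binds in the script."""
    return set(BINDING_RE.findall(text))


def find_leaks(text):
    """Return (line, step, variable) for each credential variable Groovy would interpolate.

    Every bound variable is reported, usernames included; JENKINS-64631 later narrowed
    the real warning to passwords, so filter on the name if that is wanted.
    """
    names = bound_variables(text)
    leaks = []
    for step in GSTRING_STEP_RE.finditer(text):
        group = 2 if step.group(2) is not None else 3
        body_start = step.start(group)
        for ref in REF_RE.finditer(step.group(group)):
            name = ref.group(1) or ref.group(2)
            if name in names:
                line = text.count('\n', 0, body_start + ref.start()) + 1
                leaks.append((line, step.group(1), name))
    return leaks


if __name__ == '__main__':
    for line, step, name in find_leaks(SAMPLE_JENKINSFILE):
        print(f"line {line}: {step} step interpolates credential variable ${name}; "
              f"use single quotes so the shell expands it instead")
```

The check is regex-based and deliberately conservative: it only looks at string literals passed directly to the shell steps, so a secret first assigned to a Groovy variable and interpolated later is not caught, and a workspace-wide lint should parse the script properly for that. What it does demonstrate is the distinction the description draws: "$PASSWORD" and """$PASSWORD""" are reported, 'echo $PASSWORD' and "echo \$PASSWORD" are not.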
- causes: JENKINS-64185 GerritTrigger.setTriggerOnEvents() expects class PluginGerritEvent but received class workflow.cps.DSL$NamedArgsAndClosure (Resolved)
- is duplicated by: JENKINS-47101 Pipeline withCredentials step does not mask step descriptions for variables with the same name as existing system variables (Resolved)
- relates to:
  - JENKINS-47101 Pipeline withCredentials step does not mask step descriptions for variables with the same name as existing system variables (Resolved)
  - JENKINS-64631 String interpolation warning too broad; should apply to only passwords not usernames as well. (Resolved)
  - JENKINS-67769 Surpassing secrets interpolation warning in writeFile (Resolved)