
      It is possible to accidentally leak secrets, such as credentials, when using Groovy strings (i.e. double-quoted strings, ").

      In a Groovy string, any secret referenced in the string is interpolated by Groovy before the resulting text is handed to the step for further use, so the resolved secret value becomes part of the command itself rather than a reference to an environment variable. This can allow other processes (for example, the shell's command trace) to accidentally expose the secret. For example:

      // Terribly obvious example
      node {
          withCredentials([usernamePassword(credentialsId: 'bobid', usernameVariable: 'USERNAME', passwordVariable: 'PASSWORD')]) {
              sh "echo $PASSWORD"
          }
      }
      

      Secrets should be referenced inside single-quoted strings so that the shell expands them as environment variables instead:

      node {
          withCredentials([usernamePassword(credentialsId: 'bobid', usernameVariable: 'USERNAME', passwordVariable: 'PASSWORD')]) {
              sh 'echo $PASSWORD'
          }
      }
      

      This behavior is already discouraged in the credentials-binding docs, as well as in various other places, but it would be ideal to have some mechanism that warns against this usage.
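      As an added example (not part of this issue or of the credentials-binding plugin), one form the requested warning could take: a static check that collects the variable names bound by withCredentials and flags any double-quoted sh/bat/powershell/pwsh argument that interpolates one of them. The Jenkinsfile it scans is constructed for the example; the binding parameter names and step names it recognizes are assumptions.

```python
import re

# Constructed sample Jenkinsfile (example input, not taken from the issue): one unsafe
# use per binding style, one safe single-quoted use, one escaped "\$" and one bat step.
SAMPLE_JENKINSFILE = r'''
node {
    withCredentials([usernamePassword(credentialsId: 'bobid', usernameVariable: 'USERNAME', passwordVariable: 'PASSWORD'),
                     string(credentialsId: 'tokid', variable: 'TOKEN')]) {
        sh "echo $PASSWORD"
        sh 'echo $PASSWORD'
        sh "curl -H 'Authorization: Bearer ${TOKEN}' https://example.invalid/"
        bat "echo %TOKEN%"
        sh "echo \$PASSWORD"
    }
}
'''

# Binding parameters (assumed list) whose values name the environment variables holding secrets
BINDING_PARAMS = ('usernameVariable', 'passwordVariable', 'variable',
                  'keyFileVariable', 'passphraseVariable')
BINDING_RE = re.compile(r'(?:%s)\s*:\s*[\'"]([A-Za-z_][A-Za-z0-9_]*)[\'"]' % '|'.join(BINDING_PARAMS))

# Steps that hand their argument to another process; a double-quoted (GString) literal
# there is the risky case. The regex matches the body of the double-quoted literal only.
STEP_RE = re.compile(r'\b(sh|bat|powershell|pwsh)\s*\(?\s*"((?:[^"\\]|\\.)*)"')


def bound_variables(text):
    """Return the set of environment variable names bound by withCredentials parameters."""
    return set(BINDING_RE.findall(text))


def find_interpolated_secrets(text):
    """Return (line_number, step, variable) for every double-quoted step argument
    in which Groovy would interpolate a bound secret ($VAR or ${VAR})."""
    secrets = sorted(bound_variables(text))
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for m in STEP_RE.finditer(line):
            step, body = m.group(1), m.group(2)
            for var in secrets:
                # Groovy expands $VAR and ${VAR}; a backslash-escaped \$ is left
                # as a literal "$" for the shell, so it is not a leak.
                if re.search(r'(?<!\\)\$(?:\{%s\}|%s\b)' % (var, var), body):
                    findings.append((lineno, step, var))
    return findings


if __name__ == '__main__':
    for lineno, step, var in find_interpolated_secrets(SAMPLE_JENKINSFILE):
        print('line %d: secret %s is interpolated by Groovy into %s step; use single quotes'
              % (lineno, var, step))
```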

          [JENKINS-63254] Warn against using secrets in groovy strings

          Carroll Chiou created issue -
          Carroll Chiou made changes -
          Description New: (the description above, with example output added)
          Output of the double-quoted example:
          {code:bash}
          [Pipeline] {
          [Pipeline] withCredentials
          Masking supported pattern matches of $USERNAME or $PASSWORD
          [Pipeline] {
          [Pipeline] sh
          + echo s28892cr3t
          s28892cr3t
          [Pipeline] }
          [Pipeline] // withCredentials
          [Pipeline] }
          [Pipeline] // node
          [Pipeline] End of Pipeline
          Finished: SUCCESS
          {code}
          Output of the single-quoted example:
          {code:bash}
          [Pipeline] {
          [Pipeline] withCredentials
          Masking supported pattern matches of $USERNAME or $PASSWORD
          [Pipeline] {
          [Pipeline] sh
          + echo ****
          ****
          [Pipeline] }
          [Pipeline] // withCredentials
          [Pipeline] }
          [Pipeline] // node
          [Pipeline] End of Pipeline
          Finished: SUCCESS
          {code}
          Jesse Glick made changes -
          Link New: This issue relates to JENKINS-47101 [ JENKINS-47101 ]
          Reinhold Füreder made changes -
          Carroll Chiou made changes -
          Released As New: 2.85
          Resolution New: Fixed [ 1 ]
          Status Original: Open [ 1 ] New: Fixed but Unreleased [ 10203 ]
          Carroll Chiou made changes -
          Status Original: Fixed but Unreleased [ 10203 ] New: Resolved [ 5 ]
          Carroll Chiou made changes -
          Link New: This issue is duplicated by JENKINS-47101 [ JENKINS-47101 ]
          Jesse Glick made changes -
          Link New: This issue causes JENKINS-64185 [ JENKINS-64185 ]