Status: Closed
Environment: Jenkins ver. 2.190.3
Credentials Binding Plugin 1.2.0
Credentials Plugin 2.3.0
Jenkins Git plugin 4.0.0
Jenkins Git client plugin 3.0.0
If a branch (or repo) is named identically to a user id or password stored in credentials, Jenkins obfuscates the identifier in the logs. (ENV dump below.)
For example, my username/password combo stored in credentials is folly/isthisexample. Let's say I named my branch isthisexample; then the branch name would be obfuscated with four asterisks ('****') in logs. Similarly, assume my org is named folly; then a branch or org named folly would also be obfuscated in logs.
Besides the obvious implications for debugging checkouts and branch detection, this is a clear security risk. If I know a username but I don't know a password, all I need to do is build a branch with my best guess, and Jenkins will tell me that my password guess is correct by showing me four stars. Similarly, validation is also offered for usernames.
Proposed solution: Repo and branch identifiers should not be run through an obfuscation filter. Moreover, ONLY the credential-specific pieces should be run through an obfuscation filter.
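The following is an added illustration of the oracle the report describes and of the field-level redaction it proposes. It is not the reporter's code and not Jenkins or plugin code; the log-line formats, the `checkout_log_*` helpers and the `someorg`/`somerepo` names are constructed for the example. The credential folly/isthisexample is the one used in the report.

```python
"""Blanket secret masking as a password oracle, and field-level redaction as
the alternative.  Constructed example; log-line formats are made up and do
not reproduce Jenkins' real console output."""

MASK = "****"

# Constructed credential, matching the example in the report.
USERNAME = "folly"
PASSWORD = "isthisexample"
SECRETS = [USERNAME, PASSWORD]


def naive_mask(line: str, secrets: list[str]) -> str:
    """Blanket masking: replace every occurrence of every secret value anywhere
    in the line, regardless of where the text came from.  Longest secrets first
    so a short secret that is a substring of a longer one leaves no fragments."""
    for secret in sorted((s for s in secrets if s), key=len, reverse=True):
        line = line.replace(secret, MASK)
    return line


def checkout_log_naive(org: str, repo: str, branch: str, secrets: list[str]) -> list[str]:
    """Constructed checkout log with blanket masking applied to every line.
    The org, repo and branch names go through the same filter as the
    credentials, which is the behaviour the report objects to."""
    lines = [
        f"Cloning repository https://github.com/{org}/{repo}.git",
        f"Checking out branch {branch}",
    ]
    return [naive_mask(line, secrets) for line in lines]


def password_oracle(guess: str, secrets: list[str]) -> bool:
    """Attacker's view: name a branch after the guess, trigger a build, and look
    for the mask in the console output.  True means the branch name matched a
    stored secret (username or password), with no login attempt made."""
    log = checkout_log_naive("someorg", "somerepo", guess, secrets)
    return any(MASK in line for line in log)


def guess_password(wordlist: list[str], secrets: list[str]) -> list[str]:
    """Run the oracle over a wordlist; returns the guesses the mask confirmed."""
    return [word for word in wordlist if password_oracle(word, secrets)]


def checkout_log_field_level(org: str, repo: str, branch: str,
                             username: str, password: str) -> list[str]:
    """Proposed behaviour: redact only the credential fields, at the point where
    the line is assembled.  Org, repo and branch names are emitted verbatim, so
    an attacker-controlled branch name is never compared against a secret."""
    # The credential never reaches the log text, so no substring scan of the
    # finished line is needed and nothing else on the line can trip the mask.
    userinfo = f"{MASK}:{MASK}@" if (username or password) else ""
    return [
        f"Cloning repository https://{userinfo}github.com/{org}/{repo}.git",
        f"Checking out branch {branch}",
    ]


if __name__ == "__main__":
    # A branch literally named after the password is masked by the naive filter...
    for line in checkout_log_naive("folly", "repo", "isthisexample", SECRETS):
        print("naive:       ", line)
    # ...and a wordlist run against the oracle confirms both secrets.
    print("confirmed:   ", guess_password(["hunter2", "isthisexample", "folly"], SECRETS))
    # Field-level redaction hides the credential but leaves the branch readable.
    for line in checkout_log_field_level("folly", "repo", "isthisexample", USERNAME, PASSWORD):
        print("field-level: ", line)
```

The difference between the two approaches is where the masking decision is made: `naive_mask` inspects finished text and therefore reacts to any input that happens to equal a secret, while `checkout_log_field_level` decides per field, before the line exists, and leaves the repository and branch identifiers untouched.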