
Branch (or repo) specifiers are obfuscated with credentials (security implications)

      If a branch (or repo) is named identically to a user id or password stored in credentials, Jenkins obfuscates the identifier in the logs. (ENV dump below.)

      GITREPO=git@github.foo.org:****/sample-project.git
      GIT_BRANCH=origin/***

      For example, my username/password combo stored in credentials is folly/isthisexample. Let's say I named my branch isthisexample, then the branch name would be obfuscated with four asterisks ('***') in logs. Similarly, assume my org is named folly, then a branch or org named folly also would be obfuscated in logs.

      Besides the obvious implications for debugging checkouts and branch detections, this is a clear security risk. If I know a username but I don't know a password, all I need to do is build a branch with my best guess, and Jenkins will tell me that my password guess is correct by showing me four stars. Similarly, validation is also offered for usernames.

      Proposed solution: Repo and branch identifiers are not run through an obfuscation filter. Moreover, ONLY the credential-specific pieces should be run through an obfuscation filter.

          [JENKINS-63618] Branch (or repo) specifiers are obfuscated with credentials (security implications)

          John Engelke created issue -
          Mark Waite made changes -
          Component/s Original: git-client-plugin [ 17423 ]
          Component/s Original: git-plugin [ 15543 ]
          Mark Waite made changes -
          Assignee Original: Mark Waite [ markewaite ]

          Mark Waite added a comment -

          The git plugin and the git client plugin do not mask sensitive information. Masking is happening at a different level. I've removed the git plugin and git client plugin from the list of components.

          I believe that the Jenkins security team would advise that displaying a credential value in a console log and relying on masking to hide the credential value is prone to many forms of attack.

          For example, since the masking is likely applied to the entire console log, an attacker could echo the contents of a password guessing data file to the console log and watch for interesting output. No need to spend the effort creating branches, just list the contents of a file to the console log and see the results.
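As an added illustration of the behaviour the report describes and of Mark Waite's point that masking the finished console log is the wrong layer (example code written for this page, not code from Jenkins, the git plugins or the Mask Passwords plugin): a blind whole-log masker beside a renderer that masks only the credential field, plus a check that lists which branch or org identifiers collide with credential values. The credential folly/isthisexample and the repo, org and branch names are the constructed values from the issue itself.

```python
"""Whole-log credential masking versus masking at the credential's own field.

Added illustration for this issue; not code from Jenkins, the git plugins or
the Mask Passwords plugin. All sample values are constructed from the report.
"""

MASK = "****"

# Constructed sample credential, copied from the report's example.
CREDENTIAL = {"username": "folly", "password": "isthisexample"}


def mask_console_log(log: str, credential: dict) -> str:
    """Reported behaviour: blind replacement of every credential value anywhere
    in the finished console log, regardless of what the text actually was.
    A branch or org that merely equals a credential value is masked too."""
    masked = log
    for value in credential.values():
        masked = masked.replace(value, MASK)
    return masked


def render_env_lines(host: str, org: str, repo: str, branch: str) -> list:
    """Reporter's proposed direction: only the credential-specific piece is
    masked, at the point where it is embedded (the userinfo part of an https
    clone URL). Org, repo and branch are printed verbatim even when they equal
    a credential value, so the log stays debuggable and the mask carries no
    information about what the credential is. The credential itself is never
    interpolated into the log text at all."""
    url = f"https://{MASK}:{MASK}@{host}/{org}/{repo}.git"
    return [f"GITREPO={url}", f"GIT_BRANCH=origin/{branch}"]


def identifier_collisions(identifiers: dict, credential: dict) -> dict:
    """Defender's check: which non-credential identifiers equal a credential
    value? Under whole-log masking each collision both breaks the debugging
    output (the name becomes ****) and confirms the value to anyone who can
    read the build log. Returns {identifier_name: credential_field}."""
    by_value = {v: k for k, v in credential.items()}
    return {name: by_value[val] for name, val in identifiers.items() if val in by_value}


if __name__ == "__main__":
    raw = "GITREPO=git@github.foo.org:folly/sample-project.git\nGIT_BRANCH=origin/isthisexample"
    print(mask_console_log(raw, CREDENTIAL))
    print("\n".join(render_env_lines("github.foo.org", "folly", "sample-project", "isthisexample")))
    print(identifier_collisions({"org": "folly", "branch": "isthisexample",
                                 "repo": "sample-project"}, CREDENTIAL))
```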


          Mark Waite added a comment -

          I suspect that the plugin providing the masking is the "mask passwords" plugin.


            Assignee: Unassigned
            Reporter: John Engelke (ingyhere)