[JENKINS-63618] Branch (or repo) specifiers are obfuscated with credentials (security implications)

      If a branch (or repo) is named identically to a user id or password stored in credentials, Jenkins obfuscates the identifier in the logs. (ENV dump below.)

      GITREPO=git@github.foo.org:****/sample-project.git
      GIT_BRANCH=origin/***

      For example, my username/password combo stored in credentials is folly/isthisexample. Let's say I named my branch isthisexample, then the branch name would be obfuscated with four asterisks ('****') in logs. Similarly, assume my org is named folly, then a branch or org named folly also would be obfuscated in logs.

      Besides the obvious implications for debugging checkouts and branch detections, this is a clear security risk. If I know a username but I don't know a password, all I need to do is build a branch with my best guess, and Jenkins will tell me that my password guess is correct by showing me four stars. Similarly a validation is also offered for usernames.

      Proposed solution: Repo and branch identifiers are not run through an obfuscation filter. Moreover, ONLY the credential-specific pieces should be run through an obfuscation filter.
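As an added illustration (this is not code from the issue or from Jenkins or its git plugins), the following Python models the two behaviours the report contrasts: a masker that rewrites any log text equal to a credential value, which is what turns an attacker-named branch into a guess oracle, and the reporter's proposed alternative of masking only the fields that carry credential material. The secrets, the ENV lines and the candidate list are constructed from the report's own examples; the function names and the GIT_USERNAME / GIT_PASSWORD variable names are this example's own assumptions, not anything Jenkins exports.

```python
from typing import Dict, Iterable, List, Optional

MASK = "****"

# Constructed from the report's own example: username "folly", password
# "isthisexample" stored in a Jenkins credential. Not real credentials.
SECRETS = ["folly", "isthisexample"]


def mask_everywhere(line: str, secrets: Iterable[str]) -> str:
    """Value-matching masker (a model of the behaviour the report describes).

    Every occurrence of any secret value, wherever it appears in the log
    line, is replaced with MASK. Longest secret first, so a secret that
    contains a shorter one is hidden as a single unit.
    """
    for secret in sorted((s for s in secrets if s), key=len, reverse=True):
        line = line.replace(secret, MASK)
    return line


def branch_is_masked(branch: str, secrets: Iterable[str]) -> bool:
    """The oracle: someone who can name a branch sees whether the branch
    name is masked in the build log. True means the name equals a secret."""
    return MASK in mask_everywhere(f"GIT_BRANCH=origin/{branch}", secrets)


def find_secret(candidates: Iterable[str], secrets: Iterable[str]) -> Optional[str]:
    """Guessing loop: each candidate is 'built as a branch'; the first one the
    masker hides is confirmed as a credential value (username or password)."""
    for guess in candidates:
        if branch_is_masked(guess, secrets):
            return guess
    return None


def mask_bound_fields(env: Dict[str, str], credential_keys: Iterable[str]) -> Dict[str, str]:
    """Field-targeted masking, as the report proposes: only variables known to
    hold credential material are hidden. Branch and repository fields are
    printed as-is, so their content is never compared against a secret and
    the oracle disappears."""
    keys = set(credential_keys)
    return {k: (MASK if k in keys else v) for k, v in env.items()}


def render_env(env: Dict[str, str]) -> List[str]:
    """Format an environment dict the way an ENV dump appears in a log."""
    return [f"{k}={v}" for k, v in env.items()]


if __name__ == "__main__":
    # Constructed ENV dump mirroring the report. GIT_USERNAME / GIT_PASSWORD
    # are hypothetical names standing in for whatever a binding exports.
    env = {
        "GITREPO": "git@github.foo.org:folly/sample-project.git",
        "GIT_BRANCH": "origin/isthisexample",
        "GIT_USERNAME": "folly",
        "GIT_PASSWORD": "isthisexample",
    }
    print("value-matching masker (behaviour reported):")
    for line in render_env(env):
        print("  " + mask_everywhere(line, SECRETS))

    candidates = ["password", "hunter2", "isthisexample", "letmein"]
    print("guess confirmed by the masker:", find_secret(candidates, SECRETS))

    print("field-targeted masker (behaviour proposed):")
    for line in render_env(mask_bound_fields(env, {"GIT_USERNAME", "GIT_PASSWORD"})):
        print("  " + line)
```

Two practical notes on the model. Value-matching masking exists because a secret can surface in arbitrary command output, so restricting masking to bound fields closes the oracle at the cost of that coverage; a masker that keeps scanning all output still needs the compared text to be something the log viewer cannot also choose, which is exactly what a branch name is not. On the detection side, the attack is bounded only by how many branches the guesser can create and build, so a burst of builds for short-lived branches with password-like names is the signal to watch for.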


          John Engelke created issue -
          Mark Waite made changes -
          Component/s Original: git-client-plugin [ 17423 ]
          Component/s Original: git-plugin [ 15543 ]
          Mark Waite made changes -
          Assignee Original: Mark Waite [ markewaite ]
          Daniel Beck made changes -
          Link New: This issue duplicates JENKINS-44860 [ JENKINS-44860 ]
          Daniel Beck made changes -
          Resolution New: Duplicate [ 3 ]
          Status Original: Open [ 1 ] New: Closed [ 6 ]

            Assignee: Unassigned
            Reporter: John Engelke (ingyhere)
            Votes: 0
            Watchers: 4