The org.jenkinsci.plugins.credentialsbinding.Binding abstract class never validates that the variable parameter/field is non-null. This causes a bug in all of its subclasses (FileBinding, StringBinding, UsernamePasswordBinding, etc.) where if the user doesn't include a variable in the constructor, it tries to use null.
Masking supported pattern matches of $null
Instead, it should throw a proper exception in the constructor if variable is null or empty.