[JENKINS-64282] Checking password parameter's secret in string interpolation looks strange - Jenkins Jira

Konstantin Shipkov created issue - 2020-11-23 06:53

Konstantin Shipkov made changes - 2020-11-23 06:54

Field	Original Value	New Value
Description	In our pipeline we are using a password parameter with an empty default value. If the paramater's value is not set for the build, we are getting in the build log a warning _"A secret was passed to "echo" using Groovy String interpolation, which is insecure._" for string interpolations. As an example when running a simple pipeline: {code:java} #!/usr/bin/env groovypipeline { agent any parameters { string(name: 'PERSON', defaultValue: 'MrJenkins', description: 'Who should I say hello to?') password(name: 'PASSWORD', defaultValue: '', description: 'Enter a password') } stages { stage('Example') { steps { echo "Hello ${params.PERSON}" } } } }{code} we are getting warning: {code:java} [Pipeline] } [Pipeline] // stage [Pipeline] withEnv Warning: A secret was passed to "withEnv" using Groovy String interpolation, which is insecure. Affected argument(s) used the following variable(s): [PASSWORD] See https://jenkins.io/redirect/groovy-string-interpolation for details. [Pipeline] { [Pipeline] stage [Pipeline] { (Example) [Pipeline] echo Warning: A secret was passed to "echo" using Groovy String interpolation, which is insecure. Affected argument(s) used the following variable(s): [PASSWORD] See https://jenkins.io/redirect/groovy-string-interpolation for details. HelloMrJenkins [Pipeline] } {code} Looks like the interpolation check looks for an empty value in the string interpolation.	In our pipeline we are using a password parameter with an empty default value. If the paramater's value is not set for the build, we are getting in the build log a warning _"A secret was passed to "echo" using Groovy String interpolation, which is insecure._" for string interpolations. As an example when running a simple pipeline: {code:java} pipeline { agent any parameters { string(name: 'PERSON', defaultValue: 'MrJenkins', description: 'Who should I say hello to?') password(name: 'PASSWORD', defaultValue: '', description: 'Enter a password') } stages { stage('Example') { steps { echo "Hello ${params.PERSON}" } } } }{code} we are getting warning: {code:java} [Pipeline] } [Pipeline] // stage [Pipeline] withEnv Warning: A secret was passed to "withEnv" using Groovy String interpolation, which is insecure. Affected argument(s) used the following variable(s): [PASSWORD] See https://jenkins.io/redirect/groovy-string-interpolation for details. [Pipeline] { [Pipeline] stage [Pipeline] { (Example) [Pipeline] echo Warning: A secret was passed to "echo" using Groovy String interpolation, which is insecure. Affected argument(s) used the following variable(s): [PASSWORD] See https://jenkins.io/redirect/groovy-string-interpolation for details. HelloMrJenkins [Pipeline] } {code} Looks like the interpolation check looks for an empty value in the string interpolation.

Konstantin Shipkov made changes - 2020-11-23 06:58

Description

In our pipeline we are using a password parameter with an empty default value. If the paramater's value is not set for the build, we are getting in the build log a warning _"A secret was passed to "echo" using Groovy String interpolation, which is insecure._" for string interpolations.

As an example when running a simple pipeline:

{code:java}
pipeline {
    agent any
    parameters {
        string(name: 'PERSON', defaultValue: 'MrJenkins', description: 'Who should I say hello to?')
        password(name: 'PASSWORD', defaultValue: '', description: 'Enter a password')
    }
    stages {
        stage('Example') {
            steps {
                echo "Hello ${params.PERSON}"
            }
        }
    }
}{code}
we are getting warning:

{code:java}
[Pipeline] }
[Pipeline] // stage
[Pipeline] withEnv
Warning: A secret was passed to "withEnv" using Groovy String interpolation, which is insecure.
Affected argument(s) used the following variable(s): [PASSWORD]
See https://jenkins.io/redirect/groovy-string-interpolation for details.
[Pipeline] {
[Pipeline] stage
[Pipeline] { (Example)
[Pipeline] echo
Warning: A secret was passed to "echo" using Groovy String interpolation, which is insecure.
Affected argument(s) used the following variable(s): [PASSWORD]
See https://jenkins.io/redirect/groovy-string-interpolation for details.
HelloMrJenkins
[Pipeline] }
{code}
Looks like the interpolation check looks for an empty value in the string interpolation.

In our pipeline we are using a password parameter with an empty default value. If the paramater's value is not set for the build, we are getting in the build log a warning _"A secret was passed to "echo" using Groovy String interpolation, which is insecure._" for string interpolations.

As an example when running a simple pipeline:

{code:java}
pipeline {
    agent any
    parameters {
        string(name: 'PERSON', defaultValue: 'MrJenkins', description: 'Who should I say hello to?')
        password(name: 'PASSWORD', defaultValue: '', description: 'Enter a password')
    }
    stages {
        stage('Example') {
            steps {
                echo "Hello ${params.PERSON}"
            }
        }
    }
}{code}
we are getting warning:

{code:java}
[Pipeline] }
[Pipeline] // stage
[Pipeline] withEnv
Warning: A secret was passed to "withEnv" using Groovy String interpolation, which is insecure.
Affected argument(s) used the following variable(s): [PASSWORD]
See https://jenkins.io/redirect/groovy-string-interpolation for details.
[Pipeline] {
[Pipeline] stage
[Pipeline] { (Example)
[Pipeline] echo
Warning: A secret was passed to "echo" using Groovy String interpolation, which is insecure.
Affected argument(s) used the following variable(s): [PASSWORD]
See https://jenkins.io/redirect/groovy-string-interpolation for details.
HelloMrJenkins
[Pipeline] }
{code}
Looks like the interpolation check looks for an empty value in the string interpolation.

Is it possible not to check in case of an empty secret?

Konstantin Shipkov made changes - 2020-11-23 07:02

Description

In our pipeline we are using a password parameter with an empty default value. If the paramater's value is not set for the build, we are getting in the build log a warning _"A secret was passed to "echo" using Groovy String interpolation, which is insecure._" for string interpolations.

As an example when running a simple pipeline:

{code:java}
pipeline {
    agent any
    parameters {
        string(name: 'PERSON', defaultValue: 'MrJenkins', description: 'Who should I say hello to?')
        password(name: 'PASSWORD', defaultValue: '', description: 'Enter a password')
    }
    stages {
        stage('Example') {
            steps {
                echo "Hello ${params.PERSON}"
            }
        }
    }
}{code}
we are getting warning:

{code:java}
[Pipeline] }
[Pipeline] // stage
[Pipeline] withEnv
Warning: A secret was passed to "withEnv" using Groovy String interpolation, which is insecure.
Affected argument(s) used the following variable(s): [PASSWORD]
See https://jenkins.io/redirect/groovy-string-interpolation for details.
[Pipeline] {
[Pipeline] stage
[Pipeline] { (Example)
[Pipeline] echo
Warning: A secret was passed to "echo" using Groovy String interpolation, which is insecure.
Affected argument(s) used the following variable(s): [PASSWORD]
See https://jenkins.io/redirect/groovy-string-interpolation for details.
HelloMrJenkins
[Pipeline] }
{code}
Looks like the interpolation check looks for an empty value in the string interpolation.

Is it possible not to check in case of an empty secret?

In our pipeline we are using a password parameter with an empty default value. After upgrading to wokflow-cps-plugin version 2.85 we are getting in the build log a warning _"A secret was passed to "echo" using Groovy String interpolation, which is insecure._" for string interpolations, if the paramater's value is not set for the build.

As an example when running a simple pipeline:

{code:java}
pipeline {
    agent any
    parameters {
        string(name: 'PERSON', defaultValue: 'MrJenkins', description: 'Who should I say hello to?')
        password(name: 'PASSWORD', defaultValue: '', description: 'Enter a password')
    }
    stages {
        stage('Example') {
            steps {
                echo "Hello ${params.PERSON}"
            }
        }
    }
}{code}
we are getting warning:

{code:java}
[Pipeline] }
[Pipeline] // stage
[Pipeline] withEnv
Warning: A secret was passed to "withEnv" using Groovy String interpolation, which is insecure.
Affected argument(s) used the following variable(s): [PASSWORD]
See https://jenkins.io/redirect/groovy-string-interpolation for details.
[Pipeline] {
[Pipeline] stage
[Pipeline] { (Example)
[Pipeline] echo
Warning: A secret was passed to "echo" using Groovy String interpolation, which is insecure.
Affected argument(s) used the following variable(s): [PASSWORD]
See https://jenkins.io/redirect/groovy-string-interpolation for details.
HelloMrJenkins
[Pipeline] }
{code}
Looks like the interpolation check looks for an empty value in the string interpolation.

Is it possible not to check in case of an empty secret?

Carroll Chiou made changes - 2020-11-25 06:37

Assignee

Carroll Chiou [ carroll ]

Carroll Chiou made changes - 2020-11-25 06:37

Status

Open [ 1 ]

In Progress [ 3 ]

Carroll Chiou added a comment - 2020-11-25 07:36 - edited

This is probably best handled in workflow-support, but I'm also hardening workflow-cps as well.

workflow-support PR: https://github.com/jenkinsci/workflow-support-plugin/pull/112

workflow-cps PR : https://github.com/jenkinsci/workflow-cps-plugin/pull/401

Carroll Chiou added a comment - 2020-11-25 07:36 - edited This is probably best handled in workflow-support, but I'm also hardening workflow-cps as well. workflow-support PR: https://github.com/jenkinsci/workflow-support-plugin/pull/112 workflow-cps PR : https://github.com/jenkinsci/workflow-cps-plugin/pull/401

Carroll Chiou made changes - 2020-11-26 07:55

Resolution		Fixed [ 1 ]
Status	In Progress [ 3 ]	Fixed but Unreleased [ 10203 ]

Carroll Chiou made changes - 2020-11-30 21:16

Component/s		workflow-support-plugin [ 21719 ]
Component/s	workflow-cps-plugin [ 21713 ]

Carroll Chiou made changes - 2020-12-01 05:27

Released As		3.7
Status	Fixed but Unreleased [ 10203 ]	Resolved [ 5 ]

Jenkins

Checking password parameter's secret in string interpolation looks strange

Details

Description

Attachments

Activity

People

Dates