JENKINS-64282

Checking password parameter's secret in string interpolation looks strange


Details

    • 3.7

    Description

      In our pipeline we are using a password parameter with an empty default value. After upgrading to workflow-cps-plugin version 2.85 we are getting a warning in the build log, "A secret was passed to "echo" using Groovy String interpolation, which is insecure.", for string interpolations if the parameter's value is not set for the build.

      As an example when running a simple pipeline:

       

      pipeline {
          agent any
          parameters {
              string(name: 'PERSON', defaultValue: 'MrJenkins', description: 'Who should I say hello to?')
              password(name: 'PASSWORD', defaultValue: '', description: 'Enter a password')
          }
          stages {
              stage('Example') {
                  steps {
                      echo "Hello ${params.PERSON}"
                  }
              }
          }
      }

      we are getting this warning:

       

      [Pipeline] }
      [Pipeline] // stage
      [Pipeline] withEnv
      Warning: A secret was passed to "withEnv" using Groovy String interpolation, which is insecure.
      		 Affected argument(s) used the following variable(s): [PASSWORD]
      		 See https://jenkins.io/redirect/groovy-string-interpolation for details.
      [Pipeline] {
      [Pipeline] stage
      [Pipeline] { (Example)
      [Pipeline] echo
      Warning: A secret was passed to "echo" using Groovy String interpolation, which is insecure.
      		 Affected argument(s) used the following variable(s): [PASSWORD]
      		 See https://jenkins.io/redirect/groovy-string-interpolation for details.
      HelloMrJenkins
      [Pipeline] }
      

      Looks like the interpolation check looks for an empty value in the string interpolation.

      Is it possible not to check in case of an empty secret?
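The behaviour guessed at above, that the check matches an empty value, can be reproduced with a small model. This is an added Groovy example, not part of the original report and not the plugin's code; `naiveCheck` and `guardedCheck` are hypothetical names, and matching by substring on the secret's value is an assumption about how such a check could work.

```groovy
// Simplified model of a value-based interpolation check. Constructed for
// illustration; NOT the workflow-cps or workflow-support source.

// Naive form (assumed): a sensitive variable is reported when its value
// occurs anywhere in the argument passed to the step.
List<String> naiveCheck(String argument, Map<String, String> sensitive) {
    def hits = sensitive.findAll { entry -> argument.contains(entry.value) }
    return hits.keySet().toList()
}

// Guarded form: null or empty values are skipped, because every string
// contains the empty string and such a match says nothing about a leak.
List<String> guardedCheck(String argument, Map<String, String> sensitive) {
    def hits = sensitive.findAll { entry ->
        entry.value && argument.contains(entry.value)
    }
    return hits.keySet().toList()
}

// Parameter values from the report: PASSWORD left at its empty default.
def params = [PERSON: 'MrJenkins', PASSWORD: '']
def sensitive = [PASSWORD: params.PASSWORD]

// The echo argument interpolates only PERSON, never PASSWORD.
String message = "Hello ${params.PERSON}".toString()

// The naive check still reports PASSWORD: "".contains-style matching
// succeeds against any argument at all.
assert naiveCheck(message, sensitive) == ['PASSWORD']

// With the empty-value guard the false positive disappears.
assert guardedCheck(message, sensitive) == []

// A non-empty secret (constructed value) that really is interpolated
// is still reported by the guarded check.
def populated = [PASSWORD: 'constructed-secret-value']
String leaky = "token=${populated.PASSWORD}".toString()
assert guardedCheck(leaky, populated) == ['PASSWORD']

// A non-empty secret that is not interpolated is not reported.
assert guardedCheck(message, populated) == []
```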

       


        Activity

          kship Konstantin Shipkov created issue -
          carroll Carroll Chiou made changes -
          Assignee Carroll Chiou [ carroll ]
          carroll Carroll Chiou made changes -
          Status Open [ 1 ] In Progress [ 3 ]
          carroll Carroll Chiou added a comment - - edited

          This is probably best handled in workflow-support, but I'm also hardening workflow-cps as well.

          workflow-support PR: https://github.com/jenkinsci/workflow-support-plugin/pull/112

          workflow-cps PR: https://github.com/jenkinsci/workflow-cps-plugin/pull/401

          carroll Carroll Chiou made changes -
          Resolution Fixed [ 1 ]
          Status In Progress [ 3 ] Fixed but Unreleased [ 10203 ]
          carroll Carroll Chiou made changes -
          Component/s workflow-support-plugin [ 21719 ]
          Component/s workflow-cps-plugin [ 21713 ]
          carroll Carroll Chiou made changes -
          Released As 3.7
          Status Fixed but Unreleased [ 10203 ] Resolved [ 5 ]

          People

            carroll Carroll Chiou
            kship Konstantin Shipkov