Details
-
Improvement
-
Status: Open (View Workflow)
-
Major
-
Resolution: Unresolved
-
None
Description
The credentials-binding-plugin tries to hide its secrets from the jenkins log. I presume the algoritm is to do a simple replace on the known passwords with ****
The trouble is, if you want to use that password to pass to git... as in...
git clone https://${MYUSER}:${MYPASS}/bitbucket.org/myproject/myrepository
that doesn't work because MYPASS has to be url encoded... so what one does is something like:
git clone https://${MYUSER}:`echo -n "$MYPASS" | jq -sRr @uri`/bitbucket.org/myproject/myrepository
This now works BUT since your password is now URL encoded, the secret hiding algorithm will now reveal it in the log.
I suppose the simplest solution to this is to mask not only the password, but the url encoded password too.
Attachments
Issue Links
- relates to
-
JENKINS-28335 Pipeline step to run Git commands with credentials & tool
-
- In Review
-
Activity
Kalle Niemitalo
added a comment - JENKINS-28335 git-plugin PR#1104 added GitUsernamePassword credential binding, which writes the username and password to a script file and points the GIT_ASKPASS environment variable to that. If you use that feature instead of embedding the password in the URL, then it will not appear in the console log, I think.
Kalle Niemitalo
added a comment - JENKINS-28335 git-plugin PR#1104 added GitUsernamePassword credential binding, which writes the username and password to a script file and points the GIT_ASKPASS environment variable to that. If you use that feature instead of embedding the password in the URL, then it will not appear in the console log, I think. 
Would just need a https://www.jenkins.io/doc/developer/extensions/credentials-binding/#secretpatternfactory impl for URL encoding.