JENKINS-67074

credentials-binding-plugin reveals secrets


Details

    Description

      The credentials-binding-plugin tries to hide its secrets from the Jenkins log. I presume the algorithm is to do a simple replace on the known passwords with ****.

      The trouble is, if you want to use that password to pass to git... as in...

       

      git clone https://${MYUSER}:${MYPASS}@bitbucket.org/myproject/myrepository
       
      

      That doesn't work because MYPASS has to be URL encoded... so what one does is something like:

      git clone https://${MYUSER}:`echo -n "$MYPASS" | jq -sRr @uri`@bitbucket.org/myproject/myrepository

      This now works BUT since your password is now URL encoded, the secret hiding algorithm will now reveal it in the log.

      I suppose the simplest solution to this is to mask not only the password, but the URL-encoded password too.
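
The behaviour described in this report, shown as an added example that is not part of the original issue and not the plugin's own code: a literal-only log masker next to one that also masks URL-encoded forms of the secret. The function names, the password and the log line are constructed for illustration.

```python
import re
from urllib.parse import quote, quote_plus

MASK = "****"

def secret_variants(secret):
    """Return the literal secret plus its common URL-encoded forms."""
    variants = {
        secret,
        quote(secret, safe=""),  # percent-encoding, same output as jq's @uri
        quote_plus(secret),      # form encoding (space becomes '+')
    }
    # Percent-escapes are case-insensitive (%2F == %2f): cover lowercase hex too.
    lower = {re.sub(r"%[0-9A-F]{2}", lambda m: m.group(0).lower(), v)
             for v in variants}
    return variants | lower

def build_masker(secrets, with_encodings=True):
    """Build a function that replaces every known secret form in a log line."""
    forms = set()
    for s in secrets:
        forms |= secret_variants(s) if with_encodings else {s}
    forms.discard("")
    if not forms:
        return lambda line: line
    # Longest form first, so a short form never leaves part of a longer one.
    ordered = sorted(forms, key=len, reverse=True)
    pattern = re.compile("|".join(re.escape(f) for f in ordered))
    return lambda line: pattern.sub(MASK, line)

# Constructed sample: a password with URL-reserved characters and the
# log line a shell trace would print for the encoded clone command.
PASSWORD = "p@ss/w0rd #1"
LOG_LINE = ("+ git clone https://builder:" + quote(PASSWORD, safe="")
            + "@bitbucket.org/myproject/myrepository")

naive = build_masker([PASSWORD], with_encodings=False)
hardened = build_masker([PASSWORD])

if __name__ == "__main__":
    print("literal only :", naive(LOG_LINE))     # encoded password still visible
    print("with encoding:", hardened(LOG_LINE))  # encoded password masked
```

Other transformations of the secret (base64, hex, shell quoting) would still pass through a masker like this, so keeping the password out of the command line, for example with a Git credential helper, is the more robust fix.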

        Activity

          xpusostomos Chris created issue -

          People

            Unassigned Unassigned
            xpusostomos Chris