  1. Jenkins
  2. JENKINS-67217

String interpolation doesn't work properly for credentials


    • Type: Bug
    • Resolution: Unresolved
    • Priority: Minor
    • http-request-plugin
    • None

      A common headache in my company's Jenkinsfiles is a log nag, emitted by httpRequest code like this:

      withCredentials([string(credentialsId: 'secret-token', variable: 'TOKEN')]) {
        httpRequest(
          customHeaders: [[
            maskValue: true,
            name: 'Authorization',
            value: "token $TOKEN",
          ]],
          url: 'http://example.com',
        )
      }

      (Note the double-quoted string for value.) The above code works, but generates a warning like so:

      Warning: A secret was passed to "httpRequest" using Groovy String interpolation, which is insecure. Affected argument(s) used the following variable(s): [TOKEN] See https://jenkins.io/redirect/groovy-string-interpolation for details.

      The problem is, it's not possible to fix this error. The below code generates HTTP 401 errors (note the single-quoted string for value):

      withCredentials([string(credentialsId: 'secret-token', variable: 'TOKEN')]) {
        httpRequest(
          customHeaders: [[
            maskValue: true,
            name: 'Authorization',
            value: 'token $TOKEN',
          ]],
          url: 'http://example.com',
        )
      }
      

      This was first noticed in JENKINS-65555, but the suggested workaround there generates the warning described above, so I felt that it made sense to create a new issue with more background information.

       

            janario Janario Oliveira
            nre_ableton Nik Reiman