Bug
Resolution: Unresolved
Minor
None
A common headache in my company's Jenkinsfiles is a log nag, emitted by httpRequest code like this:
withCredentials([string(credentialsId: 'secret-token', variable: 'TOKEN')]) {
    httpRequest(
        customHeaders: [[
            maskValue: true,
            name: 'Authorization',
            value: "token $TOKEN",
        ]],
        url: 'http://example.com',
    )
}
(Note the double-quoted string for value). The above code works, but generates a warning like so:
Warning: A secret was passed to "httpRequest" using Groovy String interpolation, which is insecure. Affected argument(s) used the following variable(s): [TOKEN] See https://jenkins.io/redirect/groovy-string-interpolation for details.
The problem is, it's not possible to fix this error. The below code generates HTTP 401 errors (note the single-quoted string for value):
withCredentials([string(credentialsId: 'secret-token', variable: 'TOKEN')]) {
    httpRequest(
        customHeaders: [[
            maskValue: true,
            name: 'Authorization',
            value: 'token $TOKEN',
        ]],
        url: 'http://example.com',
    )
}
This was first noticed in JENKINS-65555, but the suggested workaround there generates the warning described above, so I felt that it made sense to create a new issue with more background information.
[JENKINS-67217] String interpolation doesn't work properly for credentials
A workaround is to use + rather than Groovy string interpolation.
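
The workaround from the comment above, written out against the reporter's snippet. This is an added example, not code from the issue or from the HTTP Request plugin; the credential ID and URL are the ones used in the report, and the scripted-pipeline `node` wrapper is an assumption.

```groovy
// Added example: the '+' workaround applied to the snippet from the report.
node {
    withCredentials([string(credentialsId: 'secret-token', variable: 'TOKEN')]) {
        // For contrast, the two forms from the report:
        //   value: "token $TOKEN"   GString, Groovy interpolates the secret;
        //                           the request works but logs the warning.
        //   value: 'token $TOKEN'   plain String, Groovy never expands it and
        //                           httpRequest has no shell to expand it
        //                           later, so the literal text "token $TOKEN"
        //                           is sent as the header (the HTTP 401).
        httpRequest(
            customHeaders: [[
                maskValue: true,          // mask the header value in the build log
                name: 'Authorization',
                value: 'token ' + TOKEN,  // String + String concatenation, no GString
            ]],
            url: 'http://example.com',
        )
    }
}
```

With concatenation the secret is still resolved in pipeline Groovy rather than by a shell on the agent, so `maskValue: true` remains what keeps the header value out of the build log.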