-
Bug
-
Resolution: Unresolved
-
Critical
-
None
-
jenkins/jenkins:lts-jdk11 (linux image deployed in k8s)
workflow-durable-task-step-plugin 1199.v02b_9244f8064
hashicorp-vault-plugin 356.ved18810a_b_828
When using org.jenkinsci.plugins.workflow.steps.durable_task.DurableTaskStep.USE_WATCHING=true the sample will show the credentials instead of masking them.
Sample:
pipeline {
agent {
kubernetes {
}
}
stages {
stage('test') {
steps {
withVault(
[
[
path: 'some/path',
secretValues: [
[vaultKey: 'foo'],
]
]
]
) {
sh 'echo $foo'
}
}
}
}
}
Using kubernetes agent just for simplicity, but remote call is mandatory. When using controller node, masking is also done correctly.
Sadly this setting gets enabled by a static code block in opentelemetry-plugin: https://github.com/jenkinsci/opentelemetry-plugin/blob/master/src/main/java/io/jenkins/plugins/opentelemetry/job/log/OtelLogStorageFactory.java#L50
- links to
[JENKINS-69781] DurableTaskStep experimental USE_WATCHING breaks secret masking
| Description |
Original:
When using {{org.jenkinsci.plugins.workflow.steps.durable_task.DurableTaskStep.USE_WATCHING=true}} the sample will show the credentials instead of masking them.
Sample: {noformat} pipeline { agent { kubernetes { } } stages { stage('test') { steps { withVault( [ [ path: 'some/path', secretValues: [ [vaultKey: 'foo'], ] ] ] ) { sh 'echo $foo' } } } } } {noformat} Using kubernetes agent just for simplicity, but remote call is mandatory. When using controller node, masking is also done correctly. |
New:
When using {{org.jenkinsci.plugins.workflow.steps.durable_task.DurableTaskStep.USE_WATCHING=true}} the sample will show the credentials instead of masking them.
Sample: {noformat} pipeline { agent { kubernetes { } } stages { stage('test') { steps { withVault( [ [ path: 'some/path', secretValues: [ [vaultKey: 'foo'], ] ] ] ) { sh 'echo $foo' } } } } } {noformat} Using kubernetes agent just for simplicity, but remote call is mandatory. When using controller node, masking is also done correctly. Sadly this settings gets enabled by a static code block in opentelemetry-plugin: https://github.com/jenkinsci/opentelemetry-plugin/blob/master/src/main/java/io/jenkins/plugins/opentelemetry/job/log/OtelLogStorageFactory.java#L50 |
| Description |
Original:
When using {{org.jenkinsci.plugins.workflow.steps.durable_task.DurableTaskStep.USE_WATCHING=true}} the sample will show the credentials instead of masking them.
Sample: {noformat} pipeline { agent { kubernetes { } } stages { stage('test') { steps { withVault( [ [ path: 'some/path', secretValues: [ [vaultKey: 'foo'], ] ] ] ) { sh 'echo $foo' } } } } } {noformat} Using kubernetes agent just for simplicity, but remote call is mandatory. When using controller node, masking is also done correctly. Sadly this settings gets enabled by a static code block in opentelemetry-plugin: https://github.com/jenkinsci/opentelemetry-plugin/blob/master/src/main/java/io/jenkins/plugins/opentelemetry/job/log/OtelLogStorageFactory.java#L50 |
New:
When using {{org.jenkinsci.plugins.workflow.steps.durable_task.DurableTaskStep.USE_WATCHING=true}} the sample will show the credentials instead of masking them.
Sample: {noformat} pipeline { agent { kubernetes { } } stages { stage('test') { steps { withVault( [ [ path: 'some/path', secretValues: [ [vaultKey: 'foo'], ] ] ] ) { sh 'echo $foo' } } } } } {noformat} Using kubernetes agent just for simplicity, but remote call is mandatory. When using controller node, masking is also done correctly. Sadly this setting gets enabled by a static code block in opentelemetry-plugin: https://github.com/jenkinsci/opentelemetry-plugin/blob/master/src/main/java/io/jenkins/plugins/opentelemetry/job/log/OtelLogStorageFactory.java#L50 |
| Description |
Original:
When using {{org.jenkinsci.plugins.workflow.steps.durable_task.DurableTaskStep.USE_WATCHING=true}} the sample will show the credentials instead of masking them.
Sample: {noformat} pipeline { agent { kubernetes { } } stages { stage('test') { steps { withVault( [ [ path: 'some/path', secretValues: [ [vaultKey: 'foo'], ] ] ] ) { sh 'echo $foo' } } } } } {noformat} Using kubernetes agent just for simplicity, but remote call is mandatory. When using controller node, masking is also done correctly. Sadly this setting gets enabled by a static code block in opentelemetry-plugin: https://github.com/jenkinsci/opentelemetry-plugin/blob/master/src/main/java/io/jenkins/plugins/opentelemetry/job/log/OtelLogStorageFactory.java#L50 |
New:
When using {{org.jenkinsci.plugins.workflow.steps.durable_task.DurableTaskStep.USE_WATCHING=true}} the sample will show the credentials instead of masking them.
Sample: {noformat} pipeline { agent { kubernetes { } } stages { stage('test') { steps { withVault( [ [ path: 'some/path', secretValues: [ [vaultKey: 'foo'], ] ] ] ) { sh 'echo $foo' } } } } } {noformat} Using kubernetes agent just for simplicity, but remote call is mandatory. When using controller node, masking is also done correctly. Sadly this setting gets enabled by a static code block in opentelemetry-plugin: https://github.com/jenkinsci/opentelemetry-plugin/blob/master/src/main/java/io/jenkins/plugins/opentelemetry/job/log/OtelLogStorageFactory.java#L50 |
| Component/s | Original: workflow-durable-task-step-plugin [ 21715 ] |
| Remote Link | New: This issue links to "CVE-2023-33001 (Web Link)" [ 28712 ] |
