Uploaded image for project: 'Jenkins'
  1. Jenkins
  2. JENKINS-71509

ssh-steps plugin leaking credentials to log when using plugin gradle 2.7

    XMLWordPrintable

Details

    • Bug
    • Resolution: Fixed
    • Major

    Description

      After updating the gradle-plugin to version 2.8, we encountered an issue where credentials were leaked to the build log when using sshCommand from ssh-steps.

       

      Example Jenkinsfile to reproduce:

       

      def vaultSecrets = [
              [path: 'gradle-cred-leak', secretValues: [
                      [envVar: 'TEST_ID', vaultKey: 'TEST_ID'],
                      [envVar: 'TEST_KEY', vaultKey: 'TEST_KEY']]],
      def remote = [:]pipeline {
        agent {
          kubernetes {
            yamlFile '.ci/build-pod.yaml'
          }
        }
        options {
          buildDiscarder(logRotator(numToKeepStr: '7'))
          disableConcurrentBuilds()
          timeout(time: 10, unit: 'MINUTES')
          ansiColor('xterm')
        }
        stages {
          stage('Init') {
            steps {
              withVault(vaultSecrets: vaultSecrets) {
                script {
                  sh "useradd -p $(openssl passwd -1 testpw) test"
                  // preparation for ssh connection
                  remote.name = 'test'
                  remote.host = 'localhost'
                  remote.user = 'test'
                  remote.password = 'testpw'
                  remote.allowAnyHosts = true
                  // script to give env vars over ssh connection
                  testVars = """
          export TEST_ID=${TEST_ID}
          export TEST_KEY=${TEST_KEY}
          """
                }
              }
            }
          }
          stage('Create backup') {
            steps {
              withVault(vaultSecrets: vaultSecrets) {
                echo 'configuring Restic...'
                sshCommand remote: remote, command: testVars+'echo \\"initialised\\"'
              }
            }
          }
        }
      } 

       

      When run, this should simply export some environment variables on a remote machine. Before the command is executed, sshCommand will log the command to the build log:

      with gradle 2.8:

      ...
      [Pipeline] echo
      configuring Restic ...
      [Pipeline] sshCommand
      Warning: A secret was passed to "sshCommand" using Groovy String interpolation, which is insecure.
      		 Affected argument(s) used the following variable(s): [TEST_ID, TEST_KEY]
      		 See https://jenkins.io/redirect/groovy-string-interpolation for details.
      Executing command on test[localhost]: 
          export TEST_ID=123
          export TEST_KEY=abc
          echo \"initialised\" sudo: false 
      ...

      with gradle 2.7:

      ...
      [Pipeline] echo
      configuring Restic ...
      [Pipeline] sshCommand
      Warning: A secret was passed to "sshCommand" using Groovy String interpolation, which is insecure.
      		 Affected argument(s) used the following variable(s): [TEST_ID, TEST_KEY]
      		 See https://jenkins.io/redirect/groovy-string-interpolation for details.
      Executing command on test[localhost]: 
          export TEST_ID=****
          export TEST_KEY=****
          echo \"initialised\" sudo: false 
      ...

       

       

      Attachments

        Issue Links

          Activity

            People

              atual Alexis
              leon_schiesswald Leon Schiesswald
              Votes:
              0 Vote for this issue
              Watchers:
              3 Start watching this issue

              Dates

                Created:
                Updated:
                Resolved: