
ssh-steps plugin leaking credentials to log when using plugin gradle 2.7

    • Type: Bug
    • Resolution: Fixed
    • Priority: Major

      After updating the gradle-plugin to version 2.8, we encountered an issue where credentials were leaked to the build log when using sshCommand from ssh-steps.
      Example Jenkinsfile to reproduce:
      def vaultSecrets = [
              [path: 'gradle-cred-leak', secretValues: [
                      [envVar: 'TEST_ID', vaultKey: 'TEST_ID'],
                      [envVar: 'TEST_KEY', vaultKey: 'TEST_KEY']]]
      ]
      def remote = [:]

      pipeline {
        agent {
          kubernetes {
            yamlFile '.ci/build-pod.yaml'
          }
        }
        options {
          buildDiscarder(logRotator(numToKeepStr: '7'))
          disableConcurrentBuilds()
          timeout(time: 10, unit: 'MINUTES')
          ansiColor('xterm')
        }
        stages {
          stage('Init') {
            steps {
              withVault(vaultSecrets: vaultSecrets) {
                script {
                  // local test user for the ssh connection
                  sh "useradd -p $(openssl passwd -1 testpw) test"
                  // preparation for ssh connection
                  remote.name = 'test'
                  remote.host = 'localhost'
                  remote.user = 'test'
                  remote.password = 'testpw'
                  remote.allowAnyHosts = true
                  // script to hand the env vars over the ssh connection
                  // (deliberately interpolated so the secrets end up in the command string)
                  testVars = """
          export TEST_ID=${TEST_ID}
          export TEST_KEY=${TEST_KEY}
          """
                }
              }
            }
          }
          stage('Create backup') {
            steps {
              withVault(vaultSecrets: vaultSecrets) {
                echo 'configuring Restic...'
                sshCommand remote: remote, command: testVars + 'echo \\"initialised\\"'
              }
            }
          }
        }
      }
      When run, this should simply export some environment variables on a remote machine. Before the command is executed, sshCommand will log the command to the build log:

      with gradle 2.8:

      ...
      [Pipeline] echo
      configuring Restic ...
      [Pipeline] sshCommand
      Warning: A secret was passed to "sshCommand" using Groovy String interpolation, which is insecure.
      		 Affected argument(s) used the following variable(s): [TEST_ID, TEST_KEY]
      		 See https://jenkins.io/redirect/groovy-string-interpolation for details.
      Executing command on test[localhost]: 
          export TEST_ID=123
          export TEST_KEY=abc
          echo \"initialised\" sudo: false 
      ...

      with gradle 2.7:

      ...
      [Pipeline] echo
      configuring Restic ...
      [Pipeline] sshCommand
      Warning: A secret was passed to "sshCommand" using Groovy String interpolation, which is insecure.
      		 Affected argument(s) used the following variable(s): [TEST_ID, TEST_KEY]
      		 See https://jenkins.io/redirect/groovy-string-interpolation for details.
      Executing command on test[localhost]: 
          export TEST_ID=****
          export TEST_KEY=****
          echo \"initialised\" sudo: false 
      ...
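The two log excerpts above show what a correctly masked console log looks like (gradle 2.7) versus one where the bound values appear in plaintext (gradle 2.8). The following Python is an added example, not code from the issue, the ssh-steps plugin or the gradle plugin: it implements the kind of literal-value masking Jenkins applies to bound secrets, and a post-build audit that scans a saved console log for any bound value that survived unmasked. The secret values `123` and `abc` and the log lines are constructed from the excerpts above; the function names and the `MASK` constant are this example's own.

```python
import re
from typing import Iterable

MASK = "****"  # Jenkins shows a bound secret as four asterisks in the console log

# Constructed sample: the two secret values that appear in the issue's log excerpts.
SECRETS = {"TEST_ID": "123", "TEST_KEY": "abc"}

# Constructed sample: the command as sshCommand echoes it, before any masking.
RAW_COMMAND_LOG = (
    "[Pipeline] sshCommand\n"
    "Executing command on test[localhost]:\n"
    "    export TEST_ID=123\n"
    "    export TEST_KEY=abc\n"
    '    echo \\"initialised\\" sudo: false\n'
)

# Constructed sample: the same excerpt as a correctly masked console log shows it.
MASKED_COMMAND_LOG = (
    "[Pipeline] sshCommand\n"
    "Executing command on test[localhost]:\n"
    "    export TEST_ID=****\n"
    "    export TEST_KEY=****\n"
    '    echo \\"initialised\\" sudo: false\n'
)


def mask_secrets(text: str, secrets: Iterable[str]) -> str:
    """Replace every literal occurrence of each secret value with MASK.

    Values are matched longest-first so a secret that is a prefix of another
    is never left half-masked; empty values are skipped because they would
    match everywhere.
    """
    values = sorted({s for s in secrets if s}, key=len, reverse=True)
    if not values:
        return text
    pattern = re.compile("|".join(re.escape(v) for v in values))
    return pattern.sub(MASK, text)


def find_leaks(log_text: str, secrets: Iterable[str]) -> list[tuple[int, str]]:
    """Return (line_number, secret_value) for every plaintext secret in the log.

    This is the post-build check: an empty list means every bound secret was
    masked (or never printed); anything else is a leak to investigate.
    """
    values = [s for s in secrets if s]
    leaks = []
    for lineno, line in enumerate(log_text.splitlines(), start=1):
        for value in values:
            if value in line:
                leaks.append((lineno, value))
    return leaks


if __name__ == "__main__":
    print(mask_secrets(RAW_COMMAND_LOG, SECRETS.values()))
    print("leaks in raw log:   ", find_leaks(RAW_COMMAND_LOG, SECRETS.values()))
    print("leaks in masked log:", find_leaks(MASKED_COMMAND_LOG, SECRETS.values()))
```

Run against the raw excerpt, `find_leaks` reports lines 3 and 4, which is exactly the gradle 2.8 symptom; against the masked excerpt it reports nothing. The audit only knows the values that were bound in the build, so it has to run with access to the same secret set (for example from the controller after the build, never by re-printing the values). Very short values such as the constructed `123` and `abc` will also match unrelated text, so expect some over-masking and false positives with toy secrets; real credentials are long enough that this is not a practical problem.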
          Alexis added a comment -

          Looking quickly at it, it seems more related to the Vault plugin that masks the credentials. It might not play well with a log processor https://github.com/jenkinsci/gradle-plugin/compare/gradle-2.7...gradle-2.8#diff-891079261928e2d9288d5f36ea1fcb70178ea5491762c25be99bcd3c6a6af32dR45 introduced in 2.8.

          But it's only enabled on certain conditions: just to confirm this hypothesis, do you have Gradle Enterprise injection enabled (https://github.com/jenkinsci/gradle-plugin#enable-auto-injection) as well as the "Check for the Gradle Enterprise build agent errors" checkbox checked? If so, can you uncheck "Check for the Gradle Enterprise build agent errors" and try again?
          Alexis added a comment - edited

          leon_schiesswald I finally managed to reproduce it (with both the credentials plugin and vault plugin) by installing the OpenTelemetry plugin:

          • Gradle 2.7 + OpenTelemetry => masked
          • Gradle 2.8 + OpenTelemetry => not masked
          • Gradle 2.8 => masked

          We're working on a different implementation that won't cause this unmasking.
            Assignee: Alexis (atual)
            Reporter: Leon Schiesswald (leon_schiesswald)
            Votes: 0
            Watchers: 3