Uploaded image for project: 'Jenkins'
  1. Jenkins
  2. JENKINS-72035

Secrets masking affects encoded console notes

      Discovered during the addition of base64 masking, a test (see config-file-provider/PR-296) from the config-file-provider-plugin suddenly started to fail with the following error.

      java.io.IOException: Illegal base64 character 0x2a
      	at java.base/java.util.Base64$DecInputStream.read(Base64.java:1160)
      	at java.base/java.io.DataInputStream.read(DataInputStream.java:151)
      	at java.base/java.io.DataInputStream.readFully(DataInputStream.java:201)
      	at hudson.util.IOUtils.skip(IOUtils.java:90)
      	at hudson.console.ConsoleNote.skip(ConsoleNote.java:311)
      	at hudson.console.PlainTextConsoleOutputStream.eol(PlainTextConsoleOutputStream.java:67)
      	at hudson.console.LineTransformationOutputStream.eol(LineTransformationOutputStream.java:61)
      	at hudson.console.LineTransformationOutputStream.write(LineTransformationOutputStream.java:57)
      	at hudson.console.LineTransformationOutputStream.write(LineTransformationOutputStream.java:75)
      	at org.apache.commons.io.output.ProxyOutputStream.write(ProxyOutputStream.java:92)
      	at org.kohsuke.stapler.framework.io.LargeText.writeLogTo(LargeText.java:233)
      	at hudson.console.AnnotatedLargeText.writeLogTo(AnnotatedLargeText.java:164)
      	at org.jvnet.hudson.test.JenkinsRule.getLog(JenkinsRule.java:1536)
      	at org.jvnet.hudson.test.JenkinsRule.assertLogNotContains(JenkinsRule.java:1525)
      	at org.jenkinsci.plugins.configfiles.maven.MavenSettingsConfigTest.freestyleWithCredentials(MavenSettingsConfigTest.java:157)
      

      The root cause has been identified, it was coincidental masking (corresponding to the base64 format of a short credential) of a snippet of a serialized ConsoleNote that was unrelated to any secrets in scope.

      Also, it has been confirmed that this is not only happening with base64 masking, but that any secret masking could result in this behavior.

      Note: Corrupted ConsoleNote are now prevented from breaking log streaming by https://github.com/jenkinsci/jenkins/pull/8378

          [JENKINS-72035] Secrets masking affects encoded console notes

          Kevin Guerroudj created issue -
          Kevin Guerroudj made changes -
          Description Original: Discovered during the addition of base64 masking, a test (see [config-file-provider/PR-296|https://github.com/jenkinsci/config-file-provider-plugin/pull/296]) from the config-file-provider-plugin suddenly started to fail with the following error.
          {noformat}
          java.io.IOException: Illegal base64 character 0x2a
          at java.base/java.util.Base64$DecInputStream.read(Base64.java:1160)
          at java.base/java.io.DataInputStream.read(DataInputStream.java:151)
          at java.base/java.io.DataInputStream.readFully(DataInputStream.java:201)
          at hudson.util.IOUtils.skip(IOUtils.java:90)
          at hudson.console.ConsoleNote.skip(ConsoleNote.java:311)
          at hudson.console.PlainTextConsoleOutputStream.eol(PlainTextConsoleOutputStream.java:67)
          at hudson.console.LineTransformationOutputStream.eol(LineTransformationOutputStream.java:61)
          at hudson.console.LineTransformationOutputStream.write(LineTransformationOutputStream.java:57)
          at hudson.console.LineTransformationOutputStream.write(LineTransformationOutputStream.java:75)
          at org.apache.commons.io.output.ProxyOutputStream.write(ProxyOutputStream.java:92)
          at org.kohsuke.stapler.framework.io.LargeText.writeLogTo(LargeText.java:233)
          at hudson.console.AnnotatedLargeText.writeLogTo(AnnotatedLargeText.java:164)
          at org.jvnet.hudson.test.JenkinsRule.getLog(JenkinsRule.java:1536)
          at org.jvnet.hudson.test.JenkinsRule.assertLogNotContains(JenkinsRule.java:1525)
          at org.jenkinsci.plugins.configfiles.maven.MavenSettingsConfigTest.freestyleWithCredentials(MavenSettingsConfigTest.java:157)
          {noformat}

          The root cause has been identified, it was coincidental masking (corresponding to the base64 format of a short credential) of a snippet of a serialized ConsoleNote that was unrelated to any secrets in scope.

          Also, it has been confirmed that this is not only happening with base64 masking, but that any secret masking could result in this behavior.

          Note: Corrupted ConsoleNote are prevented from breaking log streaming by [https://github.com/jenkinsci/jenkins/pull/8378]
          New: Discovered during the addition of base64 masking, a test (see [config-file-provider/PR-296|https://github.com/jenkinsci/config-file-provider-plugin/pull/296]) from the config-file-provider-plugin suddenly started to fail with the following error.
          {noformat}
          java.io.IOException: Illegal base64 character 0x2a
          at java.base/java.util.Base64$DecInputStream.read(Base64.java:1160)
          at java.base/java.io.DataInputStream.read(DataInputStream.java:151)
          at java.base/java.io.DataInputStream.readFully(DataInputStream.java:201)
          at hudson.util.IOUtils.skip(IOUtils.java:90)
          at hudson.console.ConsoleNote.skip(ConsoleNote.java:311)
          at hudson.console.PlainTextConsoleOutputStream.eol(PlainTextConsoleOutputStream.java:67)
          at hudson.console.LineTransformationOutputStream.eol(LineTransformationOutputStream.java:61)
          at hudson.console.LineTransformationOutputStream.write(LineTransformationOutputStream.java:57)
          at hudson.console.LineTransformationOutputStream.write(LineTransformationOutputStream.java:75)
          at org.apache.commons.io.output.ProxyOutputStream.write(ProxyOutputStream.java:92)
          at org.kohsuke.stapler.framework.io.LargeText.writeLogTo(LargeText.java:233)
          at hudson.console.AnnotatedLargeText.writeLogTo(AnnotatedLargeText.java:164)
          at org.jvnet.hudson.test.JenkinsRule.getLog(JenkinsRule.java:1536)
          at org.jvnet.hudson.test.JenkinsRule.assertLogNotContains(JenkinsRule.java:1525)
          at org.jenkinsci.plugins.configfiles.maven.MavenSettingsConfigTest.freestyleWithCredentials(MavenSettingsConfigTest.java:157)
          {noformat}
          The root cause has been identified, it was coincidental masking (corresponding to the base64 format of a short credential) of a snippet of a serialized ConsoleNote that was unrelated to any secrets in scope.

          Also, it has been confirmed that this is not only happening with base64 masking, but that any secret masking could result in this behavior.

          Note: Corrupted ConsoleNote are now prevented from breaking log streaming by [https://github.com/jenkinsci/jenkins/pull/8378]
          Daniel Beck made changes -
          Summary Original: Masking encoded console notes New: Secrets masking affects encoded console notes
          Jesse Glick made changes -
          Link New: This issue relates to JENKINS-61452 [ JENKINS-61452 ]

            Unassigned Unassigned
            kevingrdj Kevin Guerroudj
            Votes:
            0 Vote for this issue
            Watchers:
            2 Start watching this issue

              Created:
              Updated: