-
Bug
-
Resolution: Unresolved
-
Major
-
None
Using withEnv or withCredentials fails to correctly setup the environment meaning replacements don't happen.
withEnv(['TESTVAR=TESTVAL']) { echo env.dump() // TESTVAR is not present echo env.getEnvironment().dump() // TESTVAR is not present echo env.TESTVAR // outputs TESTVAL env.TESTVAR = env.TESTVAR // Should have no effect echo env.dump() // TESTVAR is now present echo env.getEnvironment().dump() // TESTVAR is now present }
The impact of this is that withCredentials blocks don't behave as expected with calls like httpRequest as the variables can't be passed in single quoted, which is a security risk.
For example this does not expand $ENV_KEY in the httpRequest case but does when sh is used
withCredentials([string(credentialsId: 'PasswordEncryptionKey', variable: 'ENC_KEY')]) { try { httpRequest url: 'http://127.0.0.1:1000/$ENC_KEY' // Uses liternal $ENV_KEY } catch (e) { echo "ERROR: $e" } try { node('master') { sh 'echo $ENC_KEY' // Correctly outputs ***** def localEnv = env.getEnvironment() echo localEnv.expand('${ENC_KEY} $ENC_KEY') // Incorrectly output literal ${ENC_KEY} $ENC_KEY } } catch (e) { echo "ERROR: $e" } env.ENC_KEY = env.ENC_KEY // Workaround for some cases echo env.dump() // ENC_KEY is now present try { httpRequest url: 'http://127.0.0.1:1000/$ENC_KEY' // Still uses liternal $ENV_KEY } catch (e) { echo "ERROR: $e" } try { node('master') { sh 'echo $ENC_KEY' // Correctly outputs ***** def localEnv = env.getEnvironment() echo localEnv.expand('${ENC_KEY} $ENC_KEY') // Correctly outputs ***** ***** } } catch (e) { echo "ERROR: $e" } }
[JENKINS-72184] withEnv and withCredentials don't set environment fully
Steven
created issue -
Steven
made changes -
| Description |
Original:
Using withEnv or withCredentials fails to correctly setup the environment meaning replacements don't happen.
{code:groovy} withEnv(['TESTVAR=TESTVAL']) { echo env.dump() // TESTVAR is not present echo env.getEnvironment().dump() // TESTVAR is not present echo env.TESTVAR // outputs TESTVAL env.TESTVAR = env.TESTVAR // Should have no effect echo env.dump() // TESTVAR is now present echo env.getEnvironment().dump() // TESTVAR is now present } {code} The impact of this is that {{withCredentials}} blocks don't behave as expected with calls like {{httpRequest}} as the variables can't be passed in single quoted, which is a security risk. For example this does not expand {{$ENV_KEY}} {code:groovy} withCredentials([string(credentialsId: 'PasswordEncryptionKey', variable: 'ENC_KEY')]) { try { httpRequest url: 'http://127.0.0.1:1000/$ENC_KEY' } catch (e) { echo "ERROR: $e" } try { node('master') { sh 'echo $ENC_KEY' // outputs $ENC_KEY def localEnv = env.getEnvironment() echo localEnv.expand('${ENC_KEY} $ENC_KEY') // outputs ${ENC_KEY} $ENC_KEY } } catch (e) { echo "ERROR: $e" } env.ENC_KEY = env.ENC_KEY // Workaround for some cases echo env.dump() // ENC_KEY is now present try { httpRequest url: 'http://127.0.0.1:1000/$ENC_KEY' } catch (e) { echo "ERROR: $e" } try { node('master') { sh 'echo $ENC_KEY' // outputs ***** def localEnv = env.getEnvironment() echo localEnv.expand('${ENC_KEY} $ENC_KEY') // outputs ***** ***** } } catch (e) { echo "ERROR: $e" } }{code} |
New:
Using withEnv or withCredentials fails to correctly setup the environment meaning replacements don't happen.
{code:groovy} withEnv(['TESTVAR=TESTVAL']) { echo env.dump() // TESTVAR is not present echo env.getEnvironment().dump() // TESTVAR is not present echo env.TESTVAR // outputs TESTVAL env.TESTVAR = env.TESTVAR // Should have no effect echo env.dump() // TESTVAR is now present echo env.getEnvironment().dump() // TESTVAR is now present } {code} The impact of this is that {{withCredentials}} blocks don't behave as expected with calls like {{httpRequest}} as the variables can't be passed in single quoted, which is a security risk. For example this does not expand {{$ENV_KEY}} in the {{httpRequest}} case but does when {{sh}} is used {code:groovy} withCredentials([string(credentialsId: 'PasswordEncryptionKey', variable: 'ENC_KEY')]) { try { httpRequest url: 'http://127.0.0.1:1000/$ENC_KEY' } catch (e) { echo "ERROR: $e" } try { node('master') { sh 'echo $ENC_KEY' // outputs $ENC_KEY def localEnv = env.getEnvironment() echo localEnv.expand('${ENC_KEY} $ENC_KEY') // outputs ${ENC_KEY} $ENC_KEY } } catch (e) { echo "ERROR: $e" } env.ENC_KEY = env.ENC_KEY // Workaround for some cases echo env.dump() // ENC_KEY is now present try { httpRequest url: 'http://127.0.0.1:1000/$ENC_KEY' } catch (e) { echo "ERROR: $e" } try { node('master') { sh 'echo $ENC_KEY' // outputs ***** def localEnv = env.getEnvironment() echo localEnv.expand('${ENC_KEY} $ENC_KEY') // outputs ***** ***** } } catch (e) { echo "ERROR: $e" } }{code} |
Steven
made changes -
| Description |
Original:
Using withEnv or withCredentials fails to correctly setup the environment meaning replacements don't happen.
{code:groovy} withEnv(['TESTVAR=TESTVAL']) { echo env.dump() // TESTVAR is not present echo env.getEnvironment().dump() // TESTVAR is not present echo env.TESTVAR // outputs TESTVAL env.TESTVAR = env.TESTVAR // Should have no effect echo env.dump() // TESTVAR is now present echo env.getEnvironment().dump() // TESTVAR is now present } {code} The impact of this is that {{withCredentials}} blocks don't behave as expected with calls like {{httpRequest}} as the variables can't be passed in single quoted, which is a security risk. For example this does not expand {{$ENV_KEY}} in the {{httpRequest}} case but does when {{sh}} is used {code:groovy} withCredentials([string(credentialsId: 'PasswordEncryptionKey', variable: 'ENC_KEY')]) { try { httpRequest url: 'http://127.0.0.1:1000/$ENC_KEY' } catch (e) { echo "ERROR: $e" } try { node('master') { sh 'echo $ENC_KEY' // outputs $ENC_KEY def localEnv = env.getEnvironment() echo localEnv.expand('${ENC_KEY} $ENC_KEY') // outputs ${ENC_KEY} $ENC_KEY } } catch (e) { echo "ERROR: $e" } env.ENC_KEY = env.ENC_KEY // Workaround for some cases echo env.dump() // ENC_KEY is now present try { httpRequest url: 'http://127.0.0.1:1000/$ENC_KEY' } catch (e) { echo "ERROR: $e" } try { node('master') { sh 'echo $ENC_KEY' // outputs ***** def localEnv = env.getEnvironment() echo localEnv.expand('${ENC_KEY} $ENC_KEY') // outputs ***** ***** } } catch (e) { echo "ERROR: $e" } }{code} |
New:
Using withEnv or withCredentials fails to correctly setup the environment meaning replacements don't happen.
{code:groovy} withEnv(['TESTVAR=TESTVAL']) { echo env.dump() // TESTVAR is not present echo env.getEnvironment().dump() // TESTVAR is not present echo env.TESTVAR // outputs TESTVAL env.TESTVAR = env.TESTVAR // Should have no effect echo env.dump() // TESTVAR is now present echo env.getEnvironment().dump() // TESTVAR is now present } {code} The impact of this is that {{withCredentials}} blocks don't behave as expected with calls like {{httpRequest}} as the variables can't be passed in single quoted, which is a security risk. For example this does not expand {{$ENV_KEY}} in the {{httpRequest}} case but does when {{sh}} is used {code:groovy} withCredentials([string(credentialsId: 'PasswordEncryptionKey', variable: 'ENC_KEY')]) { try { httpRequest url: 'http://127.0.0.1:1000/$ENC_KEY' // Uses liternal $ENV_KEY } catch (e) { echo "ERROR: $e" } try { node('master') { sh 'echo $ENC_KEY' // Correctly outputs ***** def localEnv = env.getEnvironment() echo localEnv.expand('${ENC_KEY} $ENC_KEY') // Incorrectly output literal ${ENC_KEY} $ENC_KEY } } catch (e) { echo "ERROR: $e" } env.ENC_KEY = env.ENC_KEY // Workaround for some cases echo env.dump() // ENC_KEY is now present try { httpRequest url: 'http://127.0.0.1:1000/$ENC_KEY' // Still uses liternal $ENV_KEY } catch (e) { echo "ERROR: $e" } try { node('master') { sh 'echo $ENC_KEY' // Correctly outputs ***** def localEnv = env.getEnvironment() echo localEnv.expand('${ENC_KEY} $ENC_KEY') // Correctly outputs ***** ***** } } catch (e) { echo "ERROR: $e" } }{code} |