The masking of secrets of one char length mangles the output.

      With this credential (Secret = 'a'):

      the following job produces magled output

      #!/usr/bin/env groovy
      pipeline {
          agent any
          stages {
              stage('Check run') {
                  steps {
                      withCredentials([string(credentialsId: 'test-credentials-binding-plugin-masking-secret-text',
                              variable: 'VAR')]) {
                          sh '''
                              echo "VAR.length = ${#VAR}" 
                              echo "This should be masked: VAR = $VAR"
                          '''
                      }
                  }
              }
          }
      } 

      we obtain the following output in the console:

      [Pipeline] withEnv
      [Pipeline] {
      [Pipeline] stage
      [Pipeline] { (Check run)
      [Pipeline] withCredentials
      Masking supported pattern matches of $VAR
      [Pipeline] {
      [Pipeline] sh
      ****+**** ****e****c****h****o**** ****'****V****A****R****.****l****e****n****g****t****h**** ****=**** ****1****'****
      ********V****A****R****.****l****e****n****g****t****h**** ****=**** ****1****
      ********+**** ****e****c****h****o**** ****'****T****h****i****s**** ****s****h****o****u****l****d**** ****b****e**** ****m********s****k****e****d****:**** ****V****A****R**** ****=**** ********'****
      ********T****h****i****s**** ****s****h****o****u****l****d**** ****b****e**** ****m********s****k****e****d****:**** ****V****A****R**** ****=**** ********
      ****[Pipeline] }
      [Pipeline] // withCredentials 

          [JENKINS-72412] Masking of one character secrets mangle output

          I've assigned a 'High' priority to this issue due to a significant problem encountered during the binding of credentials from a GitHub App. Currently, the app's ID, which happens to be "5", is being erroneously masked. This makes imposible to read the output of a complex step, particularly in scenarios like executing a Gradle build.

          Alberto Gallardo added a comment - I've assigned a 'High' priority to this issue due to a significant problem encountered during the binding of credentials from a GitHub App. Currently, the app's ID, which happens to be "5", is being erroneously masked. This makes imposible to read the output of a complex step, particularly in scenarios like executing a Gradle build.

          I have opened PR https://github.com/jenkinsci/credentials-binding-plugin/pull/284 as possible fix for this bug.

          Alberto Gallardo added a comment - I have opened PR https://github.com/jenkinsci/credentials-binding-plugin/pull/284 as possible fix for this bug.

          Mark Waite added a comment -

          I'm not sure why we would adapt the credentials binding plugin to a one character password. A one character password has a very small search space for a brute force search. The mere knowledge that the password is one character seems like a reason to highlight why a one character secret should be disallowed from all masking. Can you explain further why any masking should be applied to a one character secret?

          Mark Waite added a comment - I'm not sure why we would adapt the credentials binding plugin to a one character password. A one character password has a very small search space for a brute force search. The mere knowledge that the password is one character seems like a reason to highlight why a one character secret should be disallowed from all masking. Can you explain further why any masking should be applied to a one character secret?

          Jesse Glick added a comment -

          the app's ID, which happens to be "5", is being erroneously masked

          The App’s id should not be treated as a secret at all.

          Jesse Glick added a comment - the app's ID, which happens to be "5", is being erroneously masked The App’s id should not be treated as a secret at all.

          Alberto Gallardo added a comment - See also https://issues.jenkins.io/browse/JENKINS-66675

            jglick Jesse Glick
            agallardo Alberto Gallardo
            Votes:
            0 Vote for this issue
            Watchers:
            3 Start watching this issue

              Created:
              Updated:
              Resolved: