- Bug
- Resolution: Fixed
- Minor
- None
Jenkins version 2.479.3
credentials-binding-plugin version 696.v256688029804 (and 687.689.v1a_f775332fc9)
After upgrading to the latest version of the credentials-binding-plugin (Version 696.v256688029804 as https://www.jenkins.io/security/advisory/2025-07-09/#SECURITY-3499 suggests), the Eclipse Glassfish project has seen exploding console logs (up to 900 MB) due to MaskedExceptions being surrounded by countless asterisks ("*").
The issue was reported on the Eclipse Foundation's HelpDesk here: https://gitlab.eclipse.org/eclipsefdn/helpdesk/-/issues/6436
After some testing, we found the reason and a minimal test case (https://gitlab.eclipse.org/eclipsefdn/helpdesk/-/issues/6436#note_4500053):
Steps to reproduce:
1. Clone the plugin repo (as of 2025-07-21)

       git clone https://github.com/jenkinsci/credentials-binding-plugin.git

   or download https://github.com/jenkinsci/credentials-binding-plugin/archive/refs/tags/687.689.v1a_f775332fc9.zip
2. Start dev environment with

       mvn clean hpi:run

3. Install the Pipeline plugin from the update center with all its dependencies.
4. Create a Jenkins pipeline with the following code

       pipeline {
           agent any
           options {
               timeout(time: 1, unit: 'MINUTES')
           }
           environment {
               FOOBAR = credentials('masked-credentials-test')
           }
           stages {
               stage('Main') {
                   steps {
                       sh 'hostname'
                       //sleep for 2 minutes
                       sh 'sleep 120'
                   }
               }
           }
       }

5. Create an empty secret text credential. This is the important pre-condition.
6. Run the pipeline
7. See an error similar to

       Also: org.jenkinsci.plugins.credentialsbinding.impl.MaskedException: ***********************{*}e{*}**********************{*}0{*}**********************{*}8{*}**********************{*}d{*}**********************{*}d{*}**********************{*}a{*}**********************{*}d{*}**********************{*}4{*}**********************{*}--{*}**********************{*}8{*}**********************{*}7{*}**********************{*}8{*}**********************{*}d{*}**********************{*}{*}**********************{*}4{*}**********************{*}0{*}**********************{*}1{*}**********************{*}2{*}**********************{*}--{*}**********************{*}a{*}**********************{*}4{*}**********************{*}4{*}**********************{*}2{*}**********************{*}{*}**********************{*}3{*}**********************{*}d{*}**********************{*}e{*}**********************{*}0{*}**********************{*}f{*}**********************{*}c{*}**********************{*}0{*}**********************{*}f{*}**********************{*}e{*}**********************{*}a{*}**********************{*}d{*}**********************{*}0{*}***********************
       Also: org.jenkinsci.plugins.credentialsbinding.impl.MaskedException: ***{*}f{*}**{*}f{*}**{*}e{*}**{*}f{*}**{*}4{*}**{*}8{*}**{*}1{*}**{*}0{*}**{*}--{*}**{*}2{*}**{*}4{*}**{*}0{*}**{*}e{*}**{*}{*}**{*}4{*}**{*}c{*}**{*}6{*}**{*}2{*}**{*}--{*}**{*}a{*}**{*}3{*}**{*}9{*}**{*}9{*}**{*}{*}**{*}f{*}**{*}a{*}**{*}0{*}**{*}8{*}**{*}e{*}**{*}5{*}**{*}0{*}**{*}e{*}**{*}7{*}**{*}6{*}**{*}1{*}**{*}8{*}***
       Also: org.jenkinsci.plugins.workflow.actions.ErrorAction$ErrorId: c6a882e6-5fb8-4e34-aa53-bd5eea0af2fe
       org.jenkinsci.plugins.credentialsbinding.impl.MaskedException: ****************************************************************************************************************************
           at PluginClassLoader for workflow-step-api//org.jenkinsci.plugins.workflow.steps.BodyExecution.cancel(BodyExecution.java:59)
           at PluginClassLoader for workflow-basic-steps//org.jenkinsci.plugins.workflow.steps.TimeoutStepExecution.cancel(TimeoutStepExecution.java:197)
           at jenkins.security.ImpersonatingScheduledExecutorService$1.run(ImpersonatingScheduledExecutorService.java:67)
           at java.base/java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:572)
           at java.base/java.util.concurrent.FutureTask.run(FutureTask.java:317)
           at java.base/java.util.concurrent.ScheduledThreadPoolExecutor$ScheduledFutureTask.run(ScheduledThreadPoolExecutor.java:304)
           at java.base/java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1144)
           at java.base/java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:642)
           at java.base/java.lang.Thread.run(Thread.java:1583)
       Finished: FAILURE

- I would consider this to be a regression, since the MaskedException class was introduced in https://github.com/jenkinsci/credentials-binding-plugin/commit/256688029804dec5005c5d20aebc9810833f6dbe and this particular issue only appeared in the latest release (version 696.v256688029804) and 687.689.v1a_f775332fc9 which received the security fix as a backport. It worked fine with version 687.v619cb_15e923f.
- The issue does not appear with a secret text credential that contains a single character. Only with an empty text credential.
- The plugin has/had other issues that are related to excessive asterisk-ing:
  - https://issues.jenkins.io/browse/JENKINS-41760 (Resolved)
  - https://issues.jenkins.io/browse/JENKINS-58540 (In Review)
  - https://issues.jenkins.io/browse/JENKINS-72763 (Unresolved)
  - https://issues.jenkins.io/browse/JENKINS-72412 (Resolved)
  - there might be more...
Since someone might be suggesting the obvious workaround, "Just don't use an empty credential!": There is a historic reason why an empty credential was involved. While this is obviously an edge-case, the plugin should have checks that deal with this (and similar conditions) gracefully.
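
The symptom reported above (asterisks inserted between every character, but only for an empty secret) can be reproduced with a simplified model of a log masker. This is an added illustration, not code from the plugin or from the reporter: it assumes a masker that joins the secret values into one regex alternation, and the names `naive_mask`, `safe_mask` and `repeated` and the sample strings are hypothetical.

```python
import re

MASK = "****"

def naive_mask(text, secrets):
    """Replace every occurrence of any secret with MASK (no input validation)."""
    # Longest first, so a secret containing another secret is masked whole.
    ordered = sorted(secrets, key=len, reverse=True)
    pattern = re.compile("|".join(re.escape(s) for s in ordered))
    # An empty secret yields an empty alternative, which matches at every
    # position of the text, so MASK is inserted between all characters.
    return pattern.sub(MASK, text)

def safe_mask(text, secrets):
    """Same masker, but empty secrets are dropped before the pattern is built."""
    usable = [s for s in secrets if s]
    if not usable:
        return text  # nothing to mask; an empty pattern would match everywhere
    return naive_mask(text, usable)

def repeated(mask_fn, text, secrets, passes):
    """Apply the masker several times, as when already-masked text is masked again."""
    for _ in range(passes):
        text = mask_fn(text, secrets)
    return text

# Constructed sample input, shaped like the start of an error id.
SAMPLE = "e08ddad4"

if __name__ == "__main__":
    print(naive_mask(SAMPLE, [""]))
    for n in (1, 2, 3):
        print(n, "pass(es):", len(repeated(naive_mask, SAMPLE, [""], n)), "chars")
    print(safe_mask("pw=hunter2", ["", "hunter2"]))
```

In this model each pass over text of length n produces 5n + 4 characters, so masking already-masked text grows the output geometrically, while a single-character secret only matches where that character occurs.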