-
Bug
-
Resolution: Fixed
-
Major
-
None
-
Aplies for all versions so for and other OS's.
System info:
Tomcat 5.5
file.encoding UTF-8
file.encoding.pkg sun.io
file.separator /
java.awt.graphicsenv sun.awt.X11GraphicsEnvironment
java.awt.headless true
java.awt.printerjob sun.print.PSPrinterJob
java.class.version 50.0
java.naming.factory.initial org.apache.naming.java.javaURLContextFactory
java.naming.factory.url.pkgs org.apache.naming
java.runtime.name Java(TM) SE Runtime Environment
java.runtime.version 1.6.0_16-b01
java.specification.name Java Platform API Specification
java.specification.vendor Sun Microsystems Inc.
java.specification.version 1.6
java.util.logging.manager org.apache.juli.ClassLoaderLogManager
java.vendor Sun Microsystems Inc.
java.vendor.url http://java.sun.com/
java.vendor.url.bug http://java.sun.com/cgi-bin/bugreport.cgi
java.version 1.6.0_16
java.vm.info mixed mode
java.vm.name Java HotSpot(TM) 64-Bit Server VM
java.vm.specification.name Java Virtual Machine Specification
java.vm.specification.vendor Sun Microsystems Inc.
java.vm.specification.version 1.0
java.vm.vendor Sun Microsystems Inc.
java.vm.version 14.2-b01
line.separator
os.arch amd64
os.name Linux
os.version 2.6.28-11-server
sun.arch.data.model 64
sun.cpu.endian little
sun.cpu.isalist
sun.io.unicode.encoding UnicodeLittle
sun.jnu.encoding UTF-8
sun.management.compiler HotSpot 64-Bit Server Compiler
sun.os.patch.level unknown
svnkit.ssh2.persistent false
tomcat.util.buf.StringCache.byte.enabled true
user.country US
user.language en
user.name hudson
user.timezone Europe/Amsterdam
Aplies for all versions so for and other OS's. System info: Tomcat 5.5 file.encoding UTF-8 file.encoding.pkg sun.io file.separator / java.awt.graphicsenv sun.awt.X11GraphicsEnvironment java.awt.headless true java.awt.printerjob sun.print.PSPrinterJob java.class.version 50.0 java.naming.factory.initial org.apache.naming.java.javaURLContextFactory java.naming.factory.url.pkgs org.apache.naming java.runtime.name Java(TM) SE Runtime Environment java.runtime.version 1.6.0_16-b01 java.specification.name Java Platform API Specification java.specification.vendor Sun Microsystems Inc. java.specification.version 1.6 java.util.logging.manager org.apache.juli.ClassLoaderLogManager java.vendor Sun Microsystems Inc. java.vendor.url http://java.sun.com/ java.vendor.url.bug http://java.sun.com/cgi-bin/bugreport.cgi java.version 1.6.0_16 java.vm.info mixed mode java.vm.name Java HotSpot(TM) 64-Bit Server VM java.vm.specification.name Java Virtual Machine Specification java.vm.specification.vendor Sun Microsystems Inc. java.vm.specification.version 1.0 java.vm.vendor Sun Microsystems Inc. java.vm.version 14.2-b01 line.separator os.arch amd64 os.name Linux os.version 2.6.28-11-server sun.arch.data.model 64 sun.cpu.endian little sun.cpu.isalist sun.io.unicode.encoding UnicodeLittle sun.jnu.encoding UTF-8 sun.management.compiler HotSpot 64-Bit Server Compiler sun.os.patch.level unknown svnkit.ssh2.persistent false tomcat.util.buf.StringCache.byte.enabled true user.country US user.language en user.name hudson user.timezone Europe/Amsterdam
When you specify a custom username and password to be used in a maven release build (using the option 'Specify SCM login/password'), the filled in username and password can be read by anyone who can Configure the build. If you run a release build and then, while it is still runnning, you configure the build plan, the see that the 'Goals and options' have changed to the one which are currently used for the release build.
So in my case this then shows: -Dpassword=*** -Dusername=*** -Dproject.rel.<groupId>:<artifactId>=<release-version> -Dproject.dev.<groupId>:<artifactId>=<development-version> -Dresume=false release:prepare release:perform
It seems the m2 release plugin is using the 'Goals and options' field to manage the parameters the release build.
A workaround could be to mask these credentials in the 'Goals and options' fields.
- duplicates
-
-
- Closed
-
[JENKINS-8524] maven release build exposes users' username and password
whermeling
added a comment - I disagree. If i perform a release using the m2 release plugin and fill in a username and password (and the UI masks the password as it should), then i do not expect to have the password show up (and certainly not in plain text) when somebody looks at the job configuration by coïncident.
Creating a different job is a bad solution because:
A) this would require an additional job for every build plan in our Hudson instance and
B) everybody is able to perform release in our organization, but they should do so by supplying their own username and password (which in our case are single sign credentials for a lot of systems).
The fact the somebody could get this information via different ways is a bad argument IMO. We run release jobs without help:system and people running the job can check which goals are executed in advance (they are all able to view the job configuration).
PS: It would be a nice addition if the configured release goals would be displayed in the screen where you can perform the maven release.
whermeling
added a comment - I disagree. If i perform a release using the m2 release plugin and fill in a username and password (and the UI masks the password as it should), then i do not expect to have the password show up (and certainly not in plain text) when somebody looks at the job configuration by coïncident.
Creating a different job is a bad solution because:
A) this would require an additional job for every build plan in our Hudson instance and
B) everybody is able to perform release in our organization, but they should do so by supplying their own username and password (which in our case are single sign credentials for a lot of systems).
The fact the somebody could get this information via different ways is a bad argument IMO. We run release jobs without help:system and people running the job can check which goals are executed in advance (they are all able to view the job configuration).
PS: It would be a nice addition if the configured release goals would be displayed in the screen where you can perform the maven release.
pmdubik
added a comment - I agree with teilo, the password appears with ****** when you input it in the release Task then it is in clear in the build > Goals and options.
So unless you configure Rights on specific builds anyone can use your SVN /CVS account.
pmdubik
added a comment - I agree with teilo, the password appears with ****** when you input it in the release Task then it is in clear in the build > Goals and options.
So unless you configure Rights on specific builds anyone can use your SVN /CVS account. does this arguementation mean this will not be fixed?
IMO this makes the plugin absolutly unusable in a larger organisation where multiple people have to be able run the same release job. Just becase there was a failing job, does not mean tha showing the credentials is an acceptable behavior. e.g. if I triggered the release build and it fails, I don't want my colleagues to see my global SCM password- even if they are nice guys 
so I think this should be mnarked as a "Blocker" issue and not just a "Major".
The argument doesn't say it won't get fixed but thst it is not my to purport.
it's also not a blocker for the plugin as you can use the plugin without this option with two major scm systems (svn + git).
The fact that the goals are not rest i5 the build fails is a different issue that will be addressed first.
Cris
added a comment - This is a blocker to us: practically a password exposure vulnerability... Code changed in jenkins
User: imod
Path:
src/main/java/org/jvnet/hudson/plugins/m2release/M2ReleaseArgumentInterceptorAction.java
src/main/java/org/jvnet/hudson/plugins/m2release/M2ReleaseBuildWrapper.java
http://jenkins-ci.org/commit/m2release-plugin/944906c5de59683d903d7de28a93b2182be21e8b
Log:
fix JENKINS-8524 - expose username and password
regardless of how this is done, if you can configure the job and perform releases you can get this information.
Just change the release goals to run a mojo that dumps the system variables - such as help:system and then perform a release.
If this is important to you I would suggest you have a different job that only performs release builds and normal users have no access to it.