JENKINS-20002

Build Environment plugin will display parameterized build parameter of type "password" values

Details

    Description

      We had to disable the Build Environment plugin: https://wiki.jenkins-ci.org/display/JENKINS/Build+Environment+Plugin

      We have a parametrized build, one of the parameters is a 'password' type. Jenkins makes other efforts to not show the password in the log. However, this plugin shows it plain as day when you click "Environment Variables".

      If this is considered a valid issue, and it is fixed, we would like to know so we can re-enable the plugin.

          Activity

            jglick Jesse Glick added a comment -

            Moving out of the SECURITY project since there is no real vulnerability here, at least once you know about the issue, so there is no purpose in concealing progress prior to the fix.

            I think this plugin should be checking AbstractBuild.getSensitiveBuildVariables.

            jglick Jesse Glick added a comment -

            Recently filed JENKINS-19830 is similar.

            boev Yordan Boev added a comment -

            The plugin does not display variables containing: "PASS" "KEY" "SECRET" "ENCRYPTED". I will look into it and change it so that it uses AbstractBuild.getSensitiveBuildVariables.

            boev Yordan Boev added a comment - - edited

            Now the plugin searches and masks all variables marked as sensitive, so that they are not visible in the tables. They are also not visible in the code, meaning the real value cannot be retrieved programmatically.
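
As an added illustration (not the plugin's code and not part of the original thread): a name-substring filter like the one described in the comments, compared with masking driven by the build's own set of sensitive variable names, which in a Jenkins plugin would come from AbstractBuild.getSensitiveBuildVariables(). The class and method names, the mask string, the case-insensitive matching on variable names and the sample variables are assumptions constructed for the example.

```java
import java.util.List;
import java.util.Locale;
import java.util.Map;
import java.util.Set;
import java.util.TreeMap;

public class SensitiveEnvMasking {
    static final String MASK = "********"; // assumed placeholder text

    // Name fragments listed in the thread; matching on names is an assumption.
    static final List<String> NAME_HINTS = List.of("PASS", "KEY", "SECRET", "ENCRYPTED");

    // Heuristic: hide a variable only when its name contains one of the hints.
    static Map<String, String> filterByName(Map<String, String> env) {
        Map<String, String> shown = new TreeMap<>();
        for (Map.Entry<String, String> e : env.entrySet()) {
            String upper = e.getKey().toUpperCase(Locale.ROOT);
            if (NAME_HINTS.stream().noneMatch(upper::contains)) {
                shown.put(e.getKey(), e.getValue());
            }
        }
        return shown;
    }

    // Mask every variable the build marks as sensitive, whatever it is called.
    // The returned map never holds the real value of a sensitive variable.
    static Map<String, String> maskSensitive(Map<String, String> env, Set<String> sensitive) {
        Map<String, String> shown = new TreeMap<>();
        for (Map.Entry<String, String> e : env.entrySet()) {
            shown.put(e.getKey(), sensitive.contains(e.getKey()) ? MASK : e.getValue());
        }
        return shown;
    }

    public static void main(String[] args) {
        // Constructed sample environment; values are placeholders, not real secrets.
        Map<String, String> env = new TreeMap<>();
        env.put("BUILD_NUMBER", "42");
        env.put("DB_PASSWORD", "constructed-value-1");
        env.put("DEPLOY_CREDENTIAL", "constructed-value-2"); // password-type, no hint in name
        // In a plugin this set would be AbstractBuild.getSensitiveBuildVariables().
        Set<String> sensitive = Set.of("DB_PASSWORD", "DEPLOY_CREDENTIAL");

        // The name filter still exposes DEPLOY_CREDENTIAL; the sensitive set masks both.
        System.out.println("name filter   : " + filterByName(env));
        System.out.println("sensitive set : " + maskSensitive(env, sensitive));
    }
}
```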


            People

              boev Yordan Boev
              alwaystraining Derrick Karimi