Jenkins / JENKINS-27631

Do not even temporarily save secrets in Workflow build record

Details

    Description

      Currently when you use withCredentials with e.g. UsernamePasswordMultiBinding, the secret is saved in program.dat for the duration of the block. It is later removed, but it would be safer if it were guaranteed to never be persisted at all. That seems to require an API change: either in EnvVars to allow a given variable to be directly marked as secret and thus to be persisted only via Secret, or by lifting up sensitiveBuildVariables from AbstractBuild to Run, or by allowing BodyInvoker.withContext to provide something like an environment variable factory rather than a raw EnvVars.
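An added audit sketch, not code from this issue or from the Jenkins plugins: while a build is paused inside a withCredentials block bound to a throwaway canary credential, it scans build directories for program.dat files that contain the canary in cleartext. The function names, the canary value, the sample directory tree and the set of encodings searched are assumptions made for this example; the page does not describe the on-disk format of program.dat.

```python
import os
import tempfile
from pathlib import Path

# Assumption: the page does not document how program.dat encodes strings,
# so the canary is searched for in several common encodings.
ENCODINGS = ("utf-8", "utf-16-be", "utf-16-le")


def find_persisted_secret(builds_root, canary, filename="program.dat"):
    """Return sorted paths of `filename` files under builds_root holding the canary in cleartext."""
    if not canary:
        raise ValueError("canary must be non-empty, or every file would match")
    needles = {canary.encode(enc) for enc in ENCODINGS}
    hits = []
    for path in Path(builds_root).rglob(filename):
        if not path.is_file():
            continue
        data = path.read_bytes()
        if any(needle in data for needle in needles):
            hits.append(str(path))
    return sorted(hits)


def demo():
    """Scan a constructed tree: build 1 leaks the canary, build 2 does not."""
    canary = "canary-27631-not-a-real-password"  # constructed throwaway value
    with tempfile.TemporaryDirectory() as root:
        for number, payload in (("1", canary.encode("utf-8")), ("2", b"{opaque-encrypted-blob}")):
            build_dir = Path(root, "job", "builds", number)
            build_dir.mkdir(parents=True)
            # Constructed bytes standing in for a serialized program state.
            (build_dir / "program.dat").write_bytes(b"\x00\x01PASS=" + payload + b"\x00")
        hits = find_persisted_secret(root, canary)
        return [os.path.relpath(hit, root) for hit in hits]


if __name__ == "__main__":
    for hit in demo():
        print("cleartext canary found in", hit)
```

A clean result only shows the canary is absent in the encodings searched; use a credential created for the test, never a production secret.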

          Activity

            Code changed in jenkins
            User: Jesse Glick
            Path:
            src/test/java/org/jenkinsci/plugins/credentialsbinding/impl/BindingStepTest.java
            http://jenkins-ci.org/commit/credentials-binding-plugin/16c180f4add799acc8d5f58b73e63dc285380ed9
            Log:
            JENKINS-27631 But demonstrating that it is stored temporarily.

            Code changed in jenkins
            User: Jesse Glick
            Path:
            pom.xml
            src/test/java/org/jenkinsci/plugins/credentialsbinding/impl/BindingStepTest.java
            http://jenkins-ci.org/commit/credentials-binding-plugin/40af344b6444edac754d8da7eda0ac238190f6f3
            Log:
            Merge pull request #5 from jglick/stronger-tests

            JENKINS-27631 Stronger tests

            Compare: https://github.com/jenkinsci/credentials-binding-plugin/compare/0baec040aa1b...40af344b6444

            Code changed in jenkins
            User: Jesse Glick
            Path:
            support/src/main/java/org/jenkinsci/plugins/workflow/support/pickles/SecretPickle.java
            http://jenkins-ci.org/commit/workflow-plugin/d60edde46f201facea46cc4029ee2b80b73d6a0f
            Log:
            Merge pull request #106 from jglick/SecretPickle-JENKINS-27631

            JENKINS-27631 Added SecretPickle

            Compare: https://github.com/jenkinsci/workflow-plugin/compare/42805fed800b...d60edde46f20

            Code changed in jenkins
            User: Jesse Glick
            Path:
            pom.xml
            src/main/java/org/jenkinsci/plugins/credentialsbinding/impl/BindingStep.java
            src/test/java/org/jenkinsci/plugins/credentialsbinding/impl/BindingStepTest.java
            http://jenkins-ci.org/commit/credentials-binding-plugin/6731df355d94236015616ce9fd072dd80834a2e8
            Log:
            [FIXED JENKINS-27631] Store variables as Secret so they do not appear in program.dat.

            People

              jglick Jesse Glick