
withCredentials variables that are extracted are not masked outside of block


      A developer can accidentally unmask the credential to the console if they reference it as a variable outside of the withCredentials block in Pipeline.

      The password for testCredentials would be echoed to the console without being masked:

      withCredentials([usernamePassword(credentialsId: 'testCredentials', passwordVariable: 'PASSWORD', usernameVariable: 'USER')]) {
         echo "${env.PASSWORD}" // password is masked
      }
      echo "${env.PASSWORD}" // password is not masked

      Even if we enforced that the password variable may only be used inside the withCredentials block, it would still be possible to unmask the password with a Pipeline like the following:

      def nicePasswordBro
      withCredentials([usernamePassword(credentialsId: 'testCredentials', passwordVariable: 'PASSWORD', usernameVariable: 'USER')]) {
         nicePasswordBro = env.PASSWORD
         echo "${env.PASSWORD}" // password is masked
      }
      echo nicePasswordBro // password is not masked

      Original request

      Example pipeline code:

      node {
        def usernameLocal, passwordLocal
        withCredentials([[$class: 'UsernamePasswordMultiBinding', credentialsId: 'simple_creds', passwordVariable: 'PASSWORD', usernameVariable: 'USERNAME']]) {
          echo "echo step - env: ${env.USERNAME} - password through ${env.PASSWORD}"
          sh 'echo "sh step - echo: ${USERNAME} - ${PASSWORD}"'
          usernameLocal = env.USERNAME
          passwordLocal = env.PASSWORD
          echo "echo step (in block) - vars: ${usernameLocal} - ${passwordLocal}"
        }
        echo "echo step (out of block) - vars: ${usernameLocal} - ${passwordLocal}"
      }


      [Pipeline] node
      Running on master in /var/jenkins_home/workspace/with-credentials
      [Pipeline] {
      [Pipeline] withCredentials
      [Pipeline] {
      [Pipeline] echo
      echo step - env: **** - password through ****
      [Pipeline] sh
      [with-credentials] Running shell script
      + echo sh step - echo: **** - ****
      sh step - echo: **** - ****
      [Pipeline] echo
      echo step (in block) - vars: **** - ****
      [Pipeline] }
      [Pipeline] // withCredentials
      [Pipeline] echo
      echo step (out of block) - vars: myusername - mypassword
      [Pipeline] }
      [Pipeline] // node
      [Pipeline] End of Pipeline
      Finished: SUCCESS


      I expect that the credentials would still be accessible but would still be masked.
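For comparison, here is a restructured version of the pipeline above that keeps every reference to the secret inside the binding scope, so nothing the masking filter cannot see ever reaches the log. This is an added illustration, not code from the issue or from the plugin; the credentialsId and the URLs are placeholders.

```groovy
node {
    // Only a non-secret, derived value (an HTTP status code) leaves the block.
    // The credential itself is never copied into a Groovy variable.
    def uploadStatus
    withCredentials([usernamePassword(credentialsId: 'simple_creds',
                                      passwordVariable: 'PASSWORD',
                                      usernameVariable: 'USERNAME')]) {
        // Single-quoted script: the shell expands $USERNAME/$PASSWORD, so the
        // secret never appears in the Groovy-interpolated command line either.
        uploadStatus = sh(
            script: 'curl -s -u "$USERNAME:$PASSWORD" -o /dev/null -w "%{http_code}" https://example.invalid/upload',
            returnStdout: true
        ).trim()
    }
    // Safe to print outside the block: a status code, not the credential.
    echo "upload returned HTTP ${uploadStatus}"

    // A later stage that needs the secret again re-enters the binding instead
    // of carrying the value across in a variable, as the issue demonstrates.
    stage('verify') {
        withCredentials([usernamePassword(credentialsId: 'simple_creds',
                                          passwordVariable: 'PASSWORD',
                                          usernameVariable: 'USERNAME')]) {
            sh 'curl -s -u "$USERNAME:$PASSWORD" https://example.invalid/status'
        }
    }
}
```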

            olamy Olivier Lamy
            mkobit Mike Kobit