[JIRA] (JENKINS-52919) Client secret not masked in build log when using withCredentials([azureServicePrincipal(id)])

d.sanftenberg@cardano.com (JIRA)

Aug 7, 2018, 10:56:02 AM
to jenkinsc...@googlegroups.com
David Sanftenberg created an issue
 
Jenkins / Bug JENKINS-52919
Client secret not masked in build log when using withCredentials([azureServicePrincipal(id)])
Issue Type: Bug
Assignee: Azure DevOps
Attachments: image-2018-08-07-15-55-26-823.png
Components: azure-credentials-plugin
Created: 2018-08-07 14:55
Environment: Jenkins 2.121.2 running in Docker (LTS image)
Priority: Critical
Reporter: David Sanftenberg

The Client Secret is not being masked in the build output when used in a shell command.

The following pipeline script will reproduce it:

pipeline {
  
  options {
    disableConcurrentBuilds()
    timeout(time: 30, unit: 'MINUTES')
  }

  agent { label 'linux' }

  stages {
    stage('Log into Azure') {
      steps {
        script {
          withCredentials([azureServicePrincipal('idOfServicePrincipalCred')]) {
            docker.image('microsoft/azure-cli:latest').inside('--user root') {
              sh """
                az login --service-principal -u $AZURE_CLIENT_ID -p $AZURE_CLIENT_SECRET -t $AZURE_TENANT_ID
              """
            }
          }
        }
      }
    }
  }
}

This message was sent by Atlassian JIRA (v7.10.1#710002-sha1:6efc396)
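
A post-build check for the symptom reported above, as an added example that is not part of the original issue or of any Jenkins plugin: it scans saved console output for a known secret and reports the lines where it appears unmasked. The function names, the sample secret and the sample log lines are constructed for illustration, and the encoded variants go beyond the raw-value case described in the report.

```python
import base64
import shlex
from urllib.parse import quote

MIN_SECRET_LEN = 8  # shorter values would match unrelated log text


def secret_variants(secret: str) -> dict:
    """Forms in which one secret can surface in a console log."""
    raw = secret.encode()
    return {
        "raw": secret,
        "shell-quoted": shlex.quote(secret),
        "url-encoded": quote(secret, safe=""),
        "base64": base64.b64encode(raw).decode(),
        "hex": raw.hex(),
    }


def find_leaks(log_text: str, secret: str) -> list:
    """Return (line_number, variant) for each log line exposing the secret.

    The secret itself is never included in the findings.
    """
    if len(secret) < MIN_SECRET_LEN:
        raise ValueError("secret too short to scan for reliably")
    variants = secret_variants(secret)
    findings = []
    for lineno, line in enumerate(log_text.splitlines(), start=1):
        for name, value in variants.items():
            if value in line:
                findings.append((lineno, name))
                break  # one finding per line is enough to fail the build
    return findings


# Constructed sample data: not the credential or log output from the issue.
SAMPLE_SECRET = "c2FtcGxlLXNlY3JldC0wMDE="
SAMPLE_LOG = "\n".join([
    "[Pipeline] sh",
    "+ az login --service-principal -u **** -p **** -t ****",
    f"+ az login --service-principal -u **** -p {SAMPLE_SECRET} -t ****",
    f"DEBUG body: client_secret={quote(SAMPLE_SECRET, safe='')}",
])

if __name__ == "__main__":
    for lineno, variant in find_leaks(SAMPLE_LOG, SAMPLE_SECRET):
        print(f"line {lineno}: secret present ({variant})")
```

Any finding means the credential should be treated as exposed and rotated, as the reporter later did.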

d.sanftenberg@cardano.com (JIRA)

Aug 7, 2018, 10:58:01 AM
to jenkinsc...@googlegroups.com
David Sanftenberg updated an issue
Change By: David Sanftenberg
Environment: Azure Credentials 1.6.0
Jenkins 2.121.2 running in Docker (LTS image)

jieshe@microsoft.com (JIRA)

Aug 9, 2018, 2:12:01 AM
to jenkinsc...@googlegroups.com
Jie Shen commented on Bug JENKINS-52919
 
Re: Client secret not masked in build log when using withCredentials([azureServicePrincipal(id)])

Hi David Sanftenberg

I cannot reproduce your problem when I use your pipeline script.

I use the command below to create Jenkins in Docker:

 docker run -p 8080:8080 -p 50000:50000 jenkins/jenkins:2.121.2

And my agent is created by azure vm agent plugin using built-in ubuntu image, but my result shows it works well as below. Did I miss anything?

d.sanftenberg@cardano.com (JIRA)

Aug 9, 2018, 4:45:01 AM
to jenkinsc...@googlegroups.com

I can reproduce it with the secret value of ZbW9hAxYrKbho3i5DedHcfzBR2K1bSJplRDUrO9qjSI=

Does that help?

d.sanftenberg@cardano.com (JIRA)

Aug 9, 2018, 5:22:03 AM
to jenkinsc...@googlegroups.com
David Sanftenberg edited a comment on Bug JENKINS-52919
I can reproduce it with the secret value of ZbW9hAxYrKbho3i5DedHcfzBR2K1bSJplRDUrO9qjSI=

Does that help?

The worker VM I am running it on is using the Ubuntu-16.04-LTS:latest Azure image, with OpenJDK package installed, and spawned by the Azure VM Agents plugin.


Can send an entire list of plugins I have installed but it's a tad lengthy.

d.sanftenberg@cardano.com (JIRA)

Aug 9, 2018, 5:30:02 AM
to jenkinsc...@googlegroups.com

I think it was the secret value. I cycled it to a new secret and just reran the script, and it is masked successfully. There's something about that value.

d.sanftenberg@cardano.com (JIRA)

Aug 9, 2018, 5:30:02 AM
to jenkinsc...@googlegroups.com
David Sanftenberg edited a comment on Bug JENKINS-52919
I think it was the secret value. I cycled it to a new secret and just reran the script, and it is masked successfully. There's something about that value, I think?

vscjenkins@microsoft.com (JIRA)

Aug 9, 2018, 11:37:02 PM
to jenkinsc...@googlegroups.com
Azure DevOps started work on Bug JENKINS-52919

Change By: Azure DevOps
Status: Open → In Progress

jieshe@microsoft.com (JIRA)

Aug 15, 2018, 1:32:02 AM
to jenkinsc...@googlegroups.com
Jie Shen commented on Bug JENKINS-52919

I have used the secret you provided above and some other secrets to test. But I still cannot reproduce the bug.

I agree this is something about the value, and if so, this may be a bug in the Credentials Binding Plugin, which this plugin depends on.

jieshe@microsoft.com (JIRA)

May 8, 2019, 11:12:01 PM
to jenkinsc...@googlegroups.com
Jie Shen resolved as Cannot Reproduce

Change By: Jie Shen
Status: In Progress → Resolved
Resolution: Cannot Reproduce