sqlplus-script-runner help - MS Windows issue

[Fernando Boaglio]

Hi,

How are you today ?

I am the sqlplus-script-runner plugin maintainer , this plugin is basically a wrapper to use  Oracle SQL Plus by command line.

This plugin is around since 2015, and due to a recent security issue, I did a workaround/fix to hide user's password.

- Before release 2.0.12:

<sqlplus>  user/"password"@databaseInstance  @customSQLscript

- Current release 2.0.13:

HIDDING_PASSWORD=password (by envVars.put)

Linux: <sqlplus>  user/"$HIDDING_PASSWORD"@databaseInstance  @customSQLscript

Windows: <sqlplus>  user/"%HIDDING_PASSWORD%"@databaseInstance  @customSQLscript

Linux: work flawlessly

Windows: doesn't work, I get invalid user/password , some users can't use it

Example:

C:\instantclient\bin\sqlplus.exe -L fb/"%HIDDEN_PASSWORD%"@XE @c:\jenkins\workspace\test-sql-slave\temp-script-16045792671955150761487514970585.sql

ERROR: ORA-01017: invalid username/password; logon denied

I tried to create another file (sqlplus.cmd) to check if HIDDEN_PASSWORD variable is correct and I got no errors.

File sqlplus.cmd:

echo " CMD "  
echo HIDDEN_PASSWORD=fb
echo ORACLE_HOME=C:\instantclient
cd C:\instantclient\
C:\instantclient\sqlplus.exe fb/"%HIDDEN_PASSWORD%"@XE @C:\instantclient\teste.sql

Output:

 c:\jenkins\workspace\test-sql-slave>echo " CMD "  
" CMD "
c:\jenkins\workspace\test-sql-slave>echo HIDDEN_PASSWORD=fb
HIDDEN_PASSWORD=fb
c:\jenkins\workspace\test-sql-slave>echo ORACLE_HOME=C:\instantclient
ORACLE_HOME=C:\instantclient
c:\jenkins\workspace\test-sql-slave>cd C:\instantclient\
C:\instantclient>C:\instantclient\sqlplus.exe fb/"fb"@XE @C:\instantclient\teste.sql
SQL*Plus: Release 19.0.0.0.0 - Production on Thu Nov 5 04:25:23 2020
Version 19.6.0.0.0
Copyright (c) 1982, 2019, Oracle.  All rights reserved.
Connected to:
Oracle Database 11g Express Edition Release 11.2.0.2.0 - 64bit Production
USER is "FB"
Disconnected from Oracle Database 11g Express Edition Release 11.2.0.2.0 - 64bit Production
Processo terminou com status 0
--------------------------------------------------------------------------
Finished: SUCCESS

I am out of ideas, is there any issue related to EnvVars ?

This plugin is based on Jenkins 2.176.3 .

Thanks for you help =)

[Daniel Beck]

I would look into Windows batch quoting rules. I think the double quotes become part of the actual value or some other weirdness. Ideally you could write a small tool that just echoes the command line args it receives, and then use that in place of sqlplus to see what actually gets passed to the application.

Alternatively, you may be able to switch from wrapper scripts to launch your programs using hudson.Launcher but I'm not sure how well the masking would work as a part of an argument without masking the entire argument.

--
You received this message because you are subscribed to the Google Groups "Jenkins Developers" group.
To unsubscribe from this group and stop receiving emails from it, send an email to jenkinsci-de...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/jenkinsci-dev/f25d0a51-ba77-434e-bdf1-367e7ed97c0en%40googlegroups.com.

--

Daniel Beck
Senior Software Engineer
CloudBees, Inc.

 

[Fernando Boaglio]

Hi Daniel,

Even removing all double quotes I got the same error.

Jenkins:

CMD:

I am already using hudson.Launcher (please check line 467).

Since this plugin is based on Jenkins 2.176.3 , maybe I can try to use a newer one... any suggestions ?

Thanks.

You received this message because you are subscribed to a topic in the Google Groups "Jenkins Developers" group.
To unsubscribe from this topic, visit https://groups.google.com/d/topic/jenkinsci-dev/fdtIkMUi1Vo/unsubscribe.
To unsubscribe from this group and all its topics, send an email to jenkinsci-de...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/jenkinsci-dev/CAMo7PtLN_82wG_Wxg2BiixjKiLCN52vK1bpgPLzHp6wL0NPF-w%40mail.gmail.com.

--

Fernando Boaglio
boa...@gmail.com | www.boaglio.com

[Fernando Boaglio]

Hi,

I tried to upgrade Jenkins core, org.jenkins-ci.plugins:plugin , but I still got same results.  =/

Since I am using hudson.Launcher and the main reason to fix the security issue is to hide a command line password, how can I get the output and do a replace ( something like logString.replace('password', '****') )  before do to the final output ?

Thanks.

[Gavin Mogan]

Are you using credentials system? Free style or pipeline? Afaik credentials should be masked in your build output. At least in pipeline when you use credentials() or withCredentials. I'm not sure how it gets triggered in freestyle.

To view this discussion on the web visit https://groups.google.com/d/msgid/jenkinsci-dev/c5b308be-ac20-4186-b82a-f40d8fb48448n%40googlegroups.com.

[Fernando Boaglio]

Yes, I am using credentials system, to get password I use credentials.getPassword().getPlainText() and it is not masked =/

[James Nord]

are you using the ArgumentListBuilder and addMasked

https://javadoc.jenkins-ci.org/hudson/util/ArgumentListBuilder.html#addMasked-java.lang.String-

as per https://javadoc.jenkins-ci.org/hudson/Launcher.html#launch--

if not you need to tell Jenkins that the nth argument should be masked (but you would be better off with the builder)

[Fernando Boaglio]

Thank you James, addMasked did it !   \o/

Fixed windows issue and passwords hidden at release 2.0.14 =)

Thank you guys.

To view this discussion on the web visit https://groups.google.com/d/msgid/jenkinsci-dev/e3ddad39-5c04-4786-8064-97a2829ab619n%40googlegroups.com.