[JIRA] [parameterized-remote-trigger-plugin] (JENKINS-31237) Parameterized Remote Trigger evaluates Credential password for tokens, prints password to log on error


will.saxon@greenwayhealth.com (JIRA)

Oct 28, 2015, 1:17:14 PM10/28/15
to jenkinsc...@googlegroups.com
Will Saxon created an issue
 
Jenkins / Bug JENKINS-31237
Parameterized Remote Trigger evaluates Credential password for tokens, prints password to log on error
Issue Type: Bug
Assignee: Maurice W.
Components: parameterized-remote-trigger-plugin
Created: 28/Oct/15 5:16 PM
Environment: Jenkins 1.625.1, Credentials 1.24, Parameterized Remote Trigger 2.2.2
Priority: Major
Reporter: Will Saxon

I tried to set up a Parameterized Remote Trigger host using a Credential containing a complex password. The 'test server' button worked OK, but when I tried to use this host in a job I received the following error:

ERROR: Unrecognized macro 'gqi' in 'svc_gmt_jenkins:password'

The password contained the string '$gqi'.

I don't think the password field should be scanned for tokens if the password provider is the Credentials plugin, or at least that should not be the default. I also don't think the password should be leaked to the console log on error, which is why I marked this bug as major.

This message was sent by Atlassian JIRA (v6.4.2#64017-sha1:e244265)
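The two defects the report describes, a credential secret being fed through token-macro expansion and the expander's error echoing its whole input, are simulated below as an added example; this is not the plugin's code, and the macro grammar, the macro table and the sample password are constructed stand-ins.

```python
import base64
import re

# Constructed stand-in for a token expander: '$name' or '${name}' is looked up
# in a macro table, and an unknown name fails with an error that quotes the
# ENTIRE input string. That quoting is what leaks 'user:password' to the log.
KNOWN_MACROS = {"BUILD_NUMBER": "42", "JOB_NAME": "deploy"}  # constructed values
_TOKEN = re.compile(r"\$\{?([A-Za-z_][A-Za-z0-9_]*)\}?")


class MacroEvaluationError(Exception):
    pass


def expand_macros(text: str) -> str:
    def repl(m: re.Match) -> str:
        name = m.group(1)
        if name not in KNOWN_MACROS:
            # Mirrors the reported message shape: the full input is echoed.
            raise MacroEvaluationError(f"Unrecognized macro '{name}' in '{text}'")
        return KNOWN_MACROS[name]
    return _TOKEN.sub(repl, text)


def basic_auth_vulnerable(user: str, password: str) -> str:
    # Vulnerable pattern: a secret from the credential store is run through the
    # expander, so a '$' inside the password is parsed as a macro reference.
    creds = expand_macros(f"{user}:{password}")
    return "Basic " + base64.b64encode(creds.encode()).decode()


def basic_auth_fixed(user: str, password: str) -> str:
    # Hardened: credential-store secrets are used verbatim, never expanded.
    creds = f"{user}:{password}"
    return "Basic " + base64.b64encode(creds.encode()).decode()


def vulnerable_error_message(user: str, password: str):
    """Return the text the vulnerable path would write to the log, or None."""
    try:
        basic_auth_vulnerable(user, password)
        return None
    except MacroEvaluationError as e:
        return str(e)


def redact(message: str, *secrets: str) -> str:
    # Last line of defence for anything that does reach the console log. Note
    # that the macro name ('gqi') is itself a fragment of the password and
    # survives redaction, which is why not expanding secrets is the real fix.
    for s in secrets:
        if s:
            message = message.replace(s, "****")
    return message
```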

aaron.rodriguez8@gmail.com (JIRA)

Jul 31, 2019, 5:56:02 PM7/31/19
to jenkinsc...@googlegroups.com
Alex Rodriguez commented on Bug JENKINS-31237
 
Re: Parameterized Remote Trigger evaluates Credential password for tokens, prints password to log on error

I recently just changed my remote password to one that contains a $ character and am now seeing this issue consistently with the same behavior.

Here are my current core and plugin versions:

Jenkins core: 2.179

Credentials Plugin: 2.2.0

Parameterized Remote Trigger Plugin: 3.0.8

Not only does authentication not work when using complex passwords with special characters, but even worse it leaks the entire username and password to the console log, something that using the stored Jenkins credentials should never do given the permission separation between administering credentials and simply viewing a log.

It's disconcerting to me that this bug was filed almost 4 years ago and not a single movement has happened on this defect. Am I possibly missing an unmarked duplicate issue here, or is this really the only mention of this deal-breaking bug?

Can anyone else perhaps take a look at this bug again?


dshvedchenko@gmail.com (JIRA)

Aug 9, 2019, 5:47:03 AM8/9/19
to jenkinsc...@googlegroups.com

dshvedchenko@gmail.com (JIRA)

Aug 9, 2019, 5:48:02 AM8/9/19
to jenkinsc...@googlegroups.com
Denis Shvedchenko edited a comment on Bug JENKINS-31237
https://github.com/jenkinsci/parameterized-remote-trigger-plugin/blob/7b875a62c6d4892324a9d45e53ebbbe89a181a27/src/main/java/org/jenkinsci/plugins/ParameterizedRemoteTrigger/utils/Base64Utils.java#L50

patrick.f.housley@gmail.com (JIRA)

Jan 24, 2020, 6:24:03 PM1/24/20
to jenkinsc...@googlegroups.com

I re-opened and commented on JENKINS-58873 before seeing this issue. Is there someone working on this? Is this plugin dead? It's definitely a problem that the password does not work, but it is most concerning that the password is exposed in clear text in the build log. This should be considered a vulnerability bug and fixed ASAP.
