[JIRA] (JENKINS-54538) Ability to save unmasked credentials to file

7 views
Skip to first unread message

tfijarczyk@gmail.com (JIRA)

unread,
Nov 8, 2018, 6:07:02 AM11/8/18
to jenkinsc...@googlegroups.com
Tomasz Fijarczyk created an issue
 
Jenkins / Bug JENKINS-54538
Ability to save unmasked credentials to file
Issue Type: Bug Bug
Assignee: Unassigned
Components: credentials-binding-plugin
Created: 2018-11-08 11:06
Environment: Jenkins 2.149 - Credential Binding 1.17
Priority: Major Major
Reporter: Tomasz Fijarczyk

It looks like saving password variable from withCredentials using writeFile doesn't mask the password. I consider this to be a security vulnerability.
Add Comment Add Comment
 
This message was sent by Atlassian Jira (v7.11.2#711002-sha1:fdc329d)

Kalle.Niemitalo@procomp.fi (JIRA)

unread,
Nov 27, 2019, 11:32:02 AM11/27/19
to jenkinsc...@googlegroups.com
Kalle Niemitalo commented on Bug JENKINS-54538
 
Re: Ability to save unmasked credentials to file

https://jenkins.io/doc/pipeline/steps/credentials-binding/ says this is by design: "The masking could of course be trivially circumvented; anyone permitted to configure a job or define Pipeline steps is assumed to be trusted to use any credentials in scope however they like."
This message was sent by Atlassian Jira (v7.13.6#713006-sha1:cc4451f)
Atlassian logo

tfijarczyk@gmail.com (JIRA)

unread,
Nov 27, 2019, 2:59:04 PM11/27/19
to jenkinsc...@googlegroups.com

Make sens, can't believe I missed the obvious

tfijarczyk@gmail.com (JIRA)

unread,
Nov 27, 2019, 3:00:02 PM11/27/19
to jenkinsc...@googlegroups.com
Tomasz Fijarczyk closed an issue as Not A Defect
 
Change By: Tomasz Fijarczyk
Status: Open Closed
Resolution: Not A Defect
Reply all
Reply to author
Forward
0 new messages