[JIRA] (JENKINS-53126) Secrets sent in clear text to logstash as data.buildVariables


marcus.a.philip@gmail.com (JIRA)

Aug 20, 2018, 4:52:02 AM
to jenkinsc...@googlegroups.com
Marcus Philip created an issue
 
Jenkins / Bug JENKINS-53126
Secrets sent in clear text to logstash as data.buildVariables
Issue Type: Bug
Assignee: Jakub Bochenski
Attachments: Screen Shot 2018-08-20 at 10.42.14.png
Components: logstash-plugin
Created: 2018-08-20 08:51
Environment: Jenkins ver. 2.89.4
logstash-plugin 2.1.0
Labels: Security
Priority: Critical
Reporter: Marcus Philip

Password parameter types are sent in clear text to Logstash together with the other build variables (data.buildVariables) when using the Logstash wrapper in pipeline.

I don't know if this ever worked for pipeline.

I do know that we have a working password masking in the Jenkins build log using MaskPasswordsBuildWrapper.

The problem is very easy to reproduce. Here is a minimal (scripted) parametrized pipeline that shows the problem. It has a "Password Parameter" (hudson.model.PasswordParameterDefinition) named SECRET defined in the job.

node('java8') {
    wrap([$class: 'MaskPasswordsBuildWrapper', varPasswordPairs: [[var: 'SECRET', password: SECRET]]]) {
        logstash {
            echo "SECRET NOT masked in message: ${SECRET}"
        }
    }
    
    logstash {
        wrap([$class: 'MaskPasswordsBuildWrapper', varPasswordPairs: [[var: 'SECRET', password: SECRET]]]) {
            echo "SECRET masked in message: ${SECRET}"
        }
    }
}

It seems that the message is masked, given that you put the MaskPasswordsBuildWrapper inside the logstash wrapper, but this does change the fact that the secret is in data.buildVariables.SECRET in Logstash.

Same for declarative pipeline

Pipeline config

pipeline {
    agent { label 'java8' }
    parameters {
        string(name: 'NOT_SECRET', defaultValue: 'Not secret!')
        password(name: 'SECRET', defaultValue: '')
    }
    stages {
        stage('Log') {
            steps {
                wrap([$class: 'MaskPasswordsBuildWrapper', varPasswordPairs: [[var: 'SECRET', password: SECRET]]]) {
                    logstash {
                        echo "Secret masked in log but NOT in message: '${SECRET}' , Not Secret: '${NOT_SECRET}'"
                    }
                }
    
                logstash {
                    wrap([$class: 'MaskPasswordsBuildWrapper', varPasswordPairs: [[var: 'SECRET', password: SECRET]]]) {
                        echo "Secret masked in log AND message: '${SECRET}' , Not Secret: '${NOT_SECRET}'"
                    }
                }
            }
        }
    }
}

Jenkins build logs

[Pipeline] node
Running on std-platform-jenkins-agent-03.nix.cydmodule.com in /var/opt/jenkins-slave/workspace/Experiments/test-logstash-password-masking
[Pipeline] {
[Pipeline] stage
[Pipeline] { (Log)
[Pipeline] wrap
[Pipeline] {
[Pipeline] logstash
[Pipeline] {
[Pipeline] echo
Secret masked in log but NOT in message: '********' , Not Secret: 'Not secret!'
[Pipeline] }
[Pipeline] // logstash
[Pipeline] }
[Pipeline] // wrap
[Pipeline] logstash
[Pipeline] {
[Pipeline] wrap
[Pipeline] {
[Pipeline] echo
Secret masked in log AND message: '********' , Not Secret: 'Not secret!'
[Pipeline] }
[Pipeline] // wrap
[Pipeline] }
[Pipeline] // logstash
[Pipeline] }
[Pipeline] // stage
[Pipeline] }
[Pipeline] // node
[Pipeline] End of Pipeline
Finished: SUCCESS

Kibana

See attachment

This message was sent by Atlassian JIRA (v7.10.1#710002-sha1:6efc396)

marcus.a.philip@gmail.com (JIRA)

Aug 20, 2018, 4:52:02 AM
to jenkinsc...@googlegroups.com
Marcus Philip updated an issue
Change By: Marcus Philip
Password parameter types are sent in clear text to Logstash together with the other build variables ({{data.buildVariables.}}) when using Logstash wrapper in pipeline.  That is not acceptable.

I don't know if this ever worked correctly for pipeline.

I do know that we have a working password masking in the Jenkins build log using {{MaskPasswordsBuildWrapper}}.


Problem is very easy to reproduce. Here is a minimal (scripted) parametrized pipeline that shows the problem. It has a "Password Parameter" (hudson.model.PasswordParameterDefinition) named {{SECRET}} defined in job.
{code:java}

node('java8') {
    wrap([$class: 'MaskPasswordsBuildWrapper', varPasswordPairs: [[var: 'SECRET', password: SECRET]]]) {
        logstash {
            echo "SECRET NOT masked in message: ${SECRET}"
        }
    }
    
    logstash {
        wrap([$class: 'MaskPasswordsBuildWrapper', varPasswordPairs: [[var: 'SECRET', password: SECRET]]]) {
            echo "SECRET masked in message: ${SECRET}"
        }
    }
}
{code}

It seems that the message is masked, given that you put the {{MaskPasswordsBuildWrapper}} inside the {{logstash}} wrapper, but this does change the fact that the secret is in {{data.buildVariables.SECRET}} in Logstash.

h3. Same for declarative pipeline

h4. Pipeline config
{code}

pipeline {
    agent { label 'java8' }
    parameters {
        string(name: 'NOT_SECRET', defaultValue: 'Not secret!')
        password(name: 'SECRET', defaultValue: '')
    }
    stages {
        stage('Log') {
            steps {
                wrap([$class: 'MaskPasswordsBuildWrapper', varPasswordPairs: [[var: 'SECRET', password: SECRET]]]) {
                    logstash {
                        echo "Secret masked in log but NOT in message: '${SECRET}' , Not Secret: '${NOT_SECRET}'"
                    }
                }
    
                logstash {
                    wrap([$class: 'MaskPasswordsBuildWrapper', varPasswordPairs: [[var: 'SECRET', password: SECRET]]]) {
                        echo "Secret masked in log AND message: '${SECRET}' , Not Secret: '${NOT_SECRET}'"
                    }
                }
            }
        }
    }
}
{code}

h4. Jenkins build logs

h4. Kibana
See attachment

marcus.a.philip@gmail.com (JIRA)

Aug 20, 2018, 4:53:02 AM
to jenkinsc...@googlegroups.com
Marcus Philip updated an issue
Password parameter types are sent in clear text to Logstash together with the other build variables ({{data.buildVariables.}}) when using Logstash wrapper in pipeline. That is not acceptable.

I don't know if this ever worked correctly for pipeline.

I do know that we have a working password masking in the Jenkins _build log_ using {{MaskPasswordsBuildWrapper}}.

marcus.a.philip@gmail.com (JIRA)

Aug 20, 2018, 4:57:03 AM
to jenkinsc...@googlegroups.com
Marcus Philip updated an issue
Password parameter types are sent in clear text to Logstash together with the other build variables ({{data.buildVariables.}}) when using Logstash wrapper in pipeline. That is not acceptable.

I don't know if this ever worked correctly for pipeline.

I do know that we have a working password masking in the Jenkins _build log_ using {{MaskPasswordsBuildWrapper}}.


Problem is very easy to reproduce. Here is a minimal (scripted) parametrized pipeline that shows the problem. It has a "Password Parameter" (hudson.model.PasswordParameterDefinition) named {{SECRET}} defined in job.

h3. Scripted parametrized pipeline
{code:java}
node('java8') {
    wrap([$class: 'MaskPasswordsBuildWrapper', varPasswordPairs: [[var: 'SECRET', password: SECRET]]]) {
        logstash {
            echo "SECRET NOT masked in message: ${SECRET}"
        }
    }
    
    logstash {
        wrap([$class: 'MaskPasswordsBuildWrapper', varPasswordPairs: [[var: 'SECRET', password: SECRET]]]) {
            echo "SECRET masked in message: ${SECRET}"
        }
    }
}
{code}
It seems that the message is masked, given that you put the {{MaskPasswordsBuildWrapper}} inside the {{logstash}} wrapper, but this does change the fact that the secret is in {{data.buildVariables.SECRET}} in Logstash.

h2. Same for declarative pipeline

h3. Pipeline config

{code}
pipeline {
    agent { label 'java8' }
    parameters {
        string(name: 'NOT_SECRET', defaultValue: 'Not secret!')
        password(name: 'SECRET', defaultValue: '')
    }
    stages {
        stage('Log') {
            steps {
                wrap([$class: 'MaskPasswordsBuildWrapper', varPasswordPairs: [[var: 'SECRET', password: SECRET]]]) {
                    logstash {
                        echo "Secret masked in log but NOT in message: '${SECRET}' , Not Secret: '${NOT_SECRET}'"
                    }
                }
    
                logstash {
                    wrap([$class: 'MaskPasswordsBuildWrapper', varPasswordPairs: [[var: 'SECRET', password: SECRET]]]) {
                        echo "Secret masked in log AND message: '${SECRET}' , Not Secret: '${NOT_SECRET}'"
                    }
                }
            }
        }
    }
}
{code}

h3. Jenkins build logs
h3. Kibana
See attachment

h2. Summary
Summarizing, the problems are:
# In both scripted and declarative pipeline, secret params are sent as build variable in clear text (Critical).
# Logstash wrapper _inside_ the mask password wrapper in scripted pipeline makes the latter not work (Major).
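The issue above shows that MaskPasswordsBuildWrapper only scrubs the build log text, while the raw password parameter still ships under data.buildVariables. The following is an added example, written by the editor and not part of the issue or of logstash-plugin, of the two things a practitioner would want on the receiving side: a detection check that reports every JSON path in an event where a known secret value appears in clear, and a redaction step that masks the named password parameters in data.buildVariables and scrubs their values from all other strings (log lines included). Only the field names data.buildVariables.SECRET and data.buildVariables.NOT_SECRET come from the issue; the rest of the sample event, the secret value hunter2 and the function names are constructed for illustration. The list of password parameter names has to be supplied by the caller (from the job's PasswordParameterDefinition list), because the event itself carries no parameter type information.

```ruby
require 'json'

# Same mask string MaskPasswordsBuildWrapper writes to the build log (see the issue).
MASK = '********'.freeze

# Constructed sample event in the shape the issue describes: build log lines in
# `message`, build variables under data.buildVariables. The values are made up.
SAMPLE_EVENT = {
  'message' => [
    "Secret masked in log but NOT in message: '********' , Not Secret: 'Not secret!'",
    'SECRET NOT masked in message: hunter2' # scripted-pipeline ordering leaks into the log text too
  ],
  'data' => {
    'buildVariables' => {
      'SECRET'     => 'hunter2',
      'NOT_SECRET' => 'Not secret!',
      'BUILD_ID'   => '42'
    }
  }
}.freeze

# Deep copy via JSON so the caller's event is never mutated.
def deep_copy(obj)
  JSON.parse(JSON.generate(obj))
end

# Walk every string in a nested Hash/Array and yield (json_path, string).
def each_string(obj, path = '$', &blk)
  case obj
  when Hash   then obj.each { |k, v| each_string(v, "#{path}.#{k}", &blk) }
  when Array  then obj.each_with_index { |v, i| each_string(v, "#{path}[#{i}]", &blk) }
  when String then blk.call(path, obj)
  end
end

# Detection: JSON paths in `event` where any of `secret_values` appears verbatim.
# Run it over events already indexed to find out what has leaked.
def leaked_secret_paths(event, secret_values)
  values = secret_values.map(&:to_s).reject(&:empty?)
  hits = []
  each_string(event) do |path, str|
    hits << path if values.any? { |v| str.include?(v) }
  end
  hits
end

# Redaction: mask the named password parameters in data.buildVariables, then scrub
# their values from every other string in the event. Longest value first, so a
# short secret that is a substring of a longer one leaves no fragments behind.
def redact_event(event, password_param_names)
  out  = deep_copy(event)
  vars = out.dig('data', 'buildVariables')
  return out unless vars.is_a?(Hash)

  secrets = password_param_names.map { |n| vars[n].to_s }.reject(&:empty?).uniq
  password_param_names.each { |n| vars[n] = MASK if vars.key?(n) }
  return out if secrets.empty?

  ordered = secrets.sort_by { |s| -s.length }
  scrub = lambda do |obj|
    case obj
    when Hash   then obj.each { |k, v| obj[k] = scrub.call(v) }
    when Array  then obj.map! { |v| scrub.call(v) }
    when String then ordered.reduce(obj) { |s, sec| s.gsub(sec, MASK) }
    else obj
    end
  end
  scrub.call(out)
end

if __FILE__ == $PROGRAM_NAME
  puts "leaks before: #{leaked_secret_paths(SAMPLE_EVENT, ['hunter2']).inspect}"
  clean = redact_event(SAMPLE_EVENT, ['SECRET'])
  puts "leaks after:  #{leaked_secret_paths(clean, ['hunter2']).inspect}"
  puts JSON.pretty_generate(clean)
end
```

The functions operate on plain Hashes so the file runs stand-alone; in a real Logstash pipeline the same logic would sit in a `ruby` filter working through `event.get` / `event.set` (an assumption about deployment, not something the issue describes). Redacting at ingestion is a stop-gap: it only covers parameters you name, and the value has already crossed the wire in clear by the time the filter sees it.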