[JIRA] (JENKINS-59504) Credentials shown in plaintext in Splunk Console Output

stanislav.bebej@aconic.eu (JIRA)

Sep 24, 2019, 5:25:02 AM
to jenkinsc...@googlegroups.com
Stanislav Bebej created an issue
 
Jenkins / Bug JENKINS-59504
Credentials shown in plaintext in Splunk Console Output
Issue Type: Bug
Assignee: Ted
Attachments: console.log, jenkins-system-info.txt, Jenkinsfile
Components: splunk-devops-plugin
Created: 2019-09-24 09:24
Environment: OS: CentOS Linux release 7.6.1810
Java: OpenJDK Runtime Environment (build 1.8.0_222-b10)
Jenkins: 2.176.3 LTS

splunk-devops - 1.8.1
splunk-devops-extend - 1.8.1

Splunk Enterprise - 7.3.1.1, build: 7651b7244cf2
Splunk App for Jenkins - 2.0.2
Priority: Minor
Reporter: Stanislav Bebej

Hello,

I am having difficulties hiding sensitive information from Jenkins console log when sending to Splunk using splunk-devops* plugins and Splunk App for Jenkins.

I tried using both ways of handling credentials in Jenkins (https://jenkins.io/doc/book/pipeline/jenkinsfile/#handling-credentials), using declarative pipeline with:

  1. credentials() helper method in environment section, credentials type Username with password
  2. withCredentials step in stage, credentials type Username with password

If used within the pipeline the information does not get propagated to Splunk (which is probably OK).

If used in conjunction with for example the 'sh' step, in the first case, the credentials are propagated in plaintext to Splunk, in second case only asterisks (as expected) are propagated:

(Output from Splunk)

1569315490.309 2019-09-24T08:58:10.309+0000 + echo 'Username and Password: myusername:mysecretpassword'
1569315490.309 2019-09-24T08:58:10.309+0000 Username and Password: myusername:mysecretpassword
1569315490.636 2019-09-24T08:58:10.636+0000 + echo 'Username: ****'
1569315490.636 2019-09-24T08:58:10.636+0000 Username: ****
1569315490.910 2019-09-24T08:58:10.910+0000 + echo 'Password: ****'
1569315490.910 2019-09-24T08:58:10.910+0000 Password: ****

When inspecting the Jenkins console log (see attachment), credentials are properly masked as expected.

Am I using it wrong? Is the plugin compatible only with "withCredentials" step?

Thank you for your help.

This message was sent by Atlassian Jira (v7.13.6#713006-sha1:cc4451f)

xiao.xj@outlook.com (JIRA)

Sep 27, 2019, 5:23:02 AM
to jenkinsc...@googlegroups.com
Ted updated an issue
Change By: Ted
Attachment: Screen Shot 2019-09-27 at 5.17.58 PM.png

xiao.xj@outlook.com (JIRA)

Sep 27, 2019, 5:30:02 AM
to jenkinsc...@googlegroups.com
Ted commented on Bug JENKINS-59504
 
Re: Credentials shown in plaintext in Splunk Console Output

If you click "Pipeline Steps" on the job build page, you will find something like this:

The env step is executed first, before sendSplunkConsoleLog

  environment {
    userAndPass = credentials('5d407101-23e0-43e7-83b6-badfdd189698')
  }

And because sendSplunkConsoleLog is wrapped inside the scope, it sees the clear text instead of masked ones, just like other steps inside withCredentials such as

  withCredentials([usernameColonPassword(credentialsId: '5d407101-23e0-43e7-83b6-badfdd189698', variable: 'abc')]) {
    // sh step sees the clear text actually
    sh "echo $abc > /tmp/abc.txt"
  }

I think it is specific to declarative pipeline design: environment step has higher order.

In contrast, we can control the order of execution in scripted pipeline, such as

sendSplunkConsoleLog {
    node {
        echo "testing console log"
        withCredentials([usernameColonPassword(credentialsId: 'blah', variable: 'abc')]) {
           echo abc
           sh "echo $abc"
           echo "hello there"
        }
        echo "done"
    }
}
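
Added example, not part of the thread and not the plugin's code: a simplified Python model of the nesting described above, showing why the Jenkins console can be masked while the forwarded copy is not. It assumes each log-decorating block wraps the stream of the block around it; the class and function names are hypothetical, and the sample secret is the placeholder value from the report.

```python
# Simplified model of nested console-log decorators (an assumption, not plugin code).
# Each pipeline block that decorates the log wraps the stream of the block around
# it, so a line written by `sh` passes through the innermost decorator first.

SECRET = "myusername:mysecretpassword"  # placeholder value taken from the report


class Sink:
    """Terminal stream: collects the lines it receives."""
    def __init__(self):
        self.lines = []

    def write(self, line):
        self.lines.append(line)


class MaskSecrets:
    """Models the credentials scope: replaces secret values with ****."""
    def __init__(self, downstream, secrets):
        self.downstream, self.secrets = downstream, secrets

    def write(self, line):
        for secret in self.secrets:
            line = line.replace(secret, "****")
        self.downstream.write(line)


class TeeToForwarder:
    """Models the log-forwarding scope: copies each line, then passes it on."""
    def __init__(self, downstream, forwarded):
        self.downstream, self.forwarded = downstream, forwarded

    def write(self, line):
        self.forwarded.write(line)
        self.downstream.write(line)


def run(forwarder_inside_credentials_scope):
    """Return (console_lines, forwarded_lines) for one nesting order."""
    console, forwarded = Sink(), Sink()
    if forwarder_inside_credentials_scope:
        # Credentials scope is outer, forwarder is inner: the tee sees raw text.
        stream = TeeToForwarder(MaskSecrets(console, [SECRET]), forwarded)
    else:
        # Forwarder is outer, credentials scope is inner: the tee sees masked text.
        stream = MaskSecrets(TeeToForwarder(console, forwarded), [SECRET])
    stream.write("Username and Password: " + SECRET)
    return console.lines, forwarded.lines
```

In both orders the console copy is masked; only the forwarded copy differs, which matches the symptom in the report.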

xiao.xj@outlook.com (JIRA)

Sep 27, 2019, 5:32:02 AM
to jenkinsc...@googlegroups.com
Ted commented on Bug JENKINS-59504

I would recommend scripted pipeline for such cases

xiao.xj@outlook.com (JIRA)

Sep 27, 2019, 5:39:05 AM
to jenkinsc...@googlegroups.com
Ted updated Bug JENKINS-59504
 
Change By: Ted
Status: Open -> Fixed but Unreleased
Resolution: Won't Do

stanislav.bebej@aconic.eu (JIRA)

Sep 30, 2019, 3:51:03 AM
to jenkinsc...@googlegroups.com