hashicorp-vault-plugin
Secrets not masked in Stage Logs UI when using wrap([$class: 'VaultBuildWrapper'...
Version report
Jenkins and plugins versions report:
Jenkins: 2.319.1
OS: Linux - 5.10.76-linuxkit
---
ace-editor:1.1
ant:1.13
antisamy-markup-formatter:2.5
apache-httpcomponents-client-4-api:4.5.13-1.0
bootstrap4-api:4.6.0-3
bootstrap5-api:5.1.3-3
bouncycastle-api:2.25
branch-api:2.7.0
build-timeout:1.20
caffeine-api:2.9.2-29.v717aac953ff3
checks-api:1.7.2
cloudbees-folder:6.16
command-launcher:1.6
credentials:2.6.2
credentials-binding:1.27
display-url-api:2.3.5
durable-task:493.v195aefbb0ff2
echarts-api:5.2.2-1
email-ext:2.86
font-awesome-api:5.15.4-4
git:4.10.0
git-client:3.10.0
git-server:1.10
github:1.34.1
github-api:1.301-378.v9807bd746da5
github-branch-source:2.11.3
gradle:1.37.1
handlebars:3.0.8
hashicorp-vault-plugin:336.v182c0fbaaeb7
jackson2-api:2.13.0-230.v59243c64b0a5
jaxb:2.3.0.1
jdk-tool:1.5
jjwt-api:0.11.2-9.c8b45b8bb173
jquery3-api:3.6.0-2
jsch:0.1.55.2
junit:1.53
ldap:2.7
lockable-resources:2.12
mailer:1.34
matrix-auth:2.6.11
matrix-project:1.19
momentjs:1.1.1
okhttp-api:4.9.3-105.vb96869f8ac3a
pam-auth:1.6.1
pipeline-build-step:2.15
pipeline-github-lib:1.0
pipeline-graph-analysis:1.12
pipeline-input-step:2.12
pipeline-milestone-step:1.3.2
pipeline-model-api:1.9.3
pipeline-model-definition:1.9.3
pipeline-model-extensions:1.9.3
pipeline-rest-api:2.19
pipeline-stage-step:2.5
pipeline-stage-tags-metadata:1.9.3
pipeline-stage-view:2.19
plain-credentials:1.7
plugin-util-api:2.6.0
popper-api:1.16.1-2
popper2-api:2.10.2-1
resource-disposer:0.16
scm-api:2.6.5
script-security:1.78
snakeyaml-api:1.29.1
ssh-credentials:1.19
ssh-slaves:1.33.0
sshd:3.1.0
structs:308.v852b473a2b8c
timestamper:1.15
token-macro:267.vcdaea6462991
trilead-api:1.0.13
workflow-aggregator:2.6
workflow-api:1105.v3de5e2efac97
workflow-basic-steps:2.24
workflow-cps:2640.v00e79c8113de
workflow-cps-global-lib:552.vd9cc05b8a2e1
workflow-durable-task-step:1102.v9c8d2f466adb
workflow-job:2.42
workflow-multibranch:2.26
workflow-scm-step:2.13
workflow-step-api:613.v375732a042b1
workflow-support:3.8
ws-cleanup:0.39
- What Operating System are you using (both controller, and any agents involved in the problem)?
Linux (Docker Desktop version 20.10.11, build dea9396 on MacOS 11.6.1)
Docker container: jenkins/jenkins:2.319.1-lts-jdk11
Reproduction steps
Masking a secret with wrap([$class: 'VaultBuildWrapper'... fails on the Stage View
- Create a secret in Vault:
  Path: secret/thesecret
  Key: thekey
  Value: omgmysecrethere
- Configure Jenkins to use Vault
- Run the following pipeline
```groovy
def secrets = [
    [path: 'secret/thesecret', secretValues: [
        [envVar: 'THESECRET', vaultKey: 'thekey']]]
]

pipeline {
    agent any
    stages {
        stage('Prepare') {
            steps {
                script {
                    wrap([$class: 'VaultBuildWrapper', vaultSecrets: secrets]) {
                        RUNCMD = """echo heres my secret: ${THESECRET} ..did it show up"""
                        sh "${RUNCMD}"
                    }
                }
            }
        }
    }
}
```
This produces the following:

However, the same pipeline using withVault works fine.
```groovy
def secrets = [
    [path: 'secret/thesecret', secretValues: [
        [envVar: 'THESECRET', vaultKey: 'thekey']]]
]

pipeline {
    agent any
    stages {
        stage('Prepare') {
            steps {
                script {
                    withVault([vaultSecrets: secrets]) {
                        RUNCMD = """echo heres my secret: ${THESECRET} ..did it show up"""
                        sh "${RUNCMD}"
                    }
                }
            }
        }
    }
}
```

Results
Expected result:
For it to show up like the latter.
Actual result:
See above.
We are also seeing this issue in our environment. We understand there is a simple fix: move from double quotes to single quotes when invoking the shell script in the pipeline. But we can't make our users do that. It would be good to fix this at the plugin level.
Do let us know if some work is going on, or if there is a strategy to handle this secrets exposure.
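The single-quote workaround mentioned above, written out as an added example (not code from the issue reporter or the plugin project). It reuses the issue's secret path and key (secret/thesecret, thekey) and, unlike the repro pipelines, checks the secret's presence instead of echoing its value:

```groovy
// Added example: keep the secret out of the Groovy string so it is never part
// of the recorded step argument; the shell expands it on the agent at run time.
def secrets = [
    [path: 'secret/thesecret', secretValues: [
        [envVar: 'THESECRET', vaultKey: 'thekey']]]
]

pipeline {
    agent any
    stages {
        stage('Prepare') {
            steps {
                script {
                    withVault([vaultSecrets: secrets]) {
                        // Single-quoted Groovy string: the literal text "$THESECRET"
                        // is passed to sh, and only the shell sees the real value.
                        sh '''
                            test -n "$THESECRET" || { echo "THESECRET is empty"; exit 1; }
                            printf 'secret length: %s\n' "${#THESECRET}"
                        '''
                    }
                    // Same pattern under the VaultBuildWrapper form from the report.
                    wrap([$class: 'VaultBuildWrapper', vaultSecrets: secrets]) {
                        sh 'test -n "$THESECRET" && echo "secret present"'
                    }
                    // Anti-pattern from the report, shown for contrast (do not use):
                    //   sh "echo ${THESECRET}"   // Groovy interpolates the value first
                }
            }
        }
    }
}
```

Reviewing the recorded `sh` step arguments in the build's Pipeline Steps page is a quick way to confirm that no secret value made it into the step metadata.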