Skip to content

Fix wrong masking of one-char-secrets in Jenkins output#284

Merged
rsandell merged 2 commits intojenkinsci:masterfrom
gallardo:bugfix-72412
Apr 29, 2024
Merged

Fix wrong masking of one-char-secrets in Jenkins output#284
rsandell merged 2 commits intojenkinsci:masterfrom
gallardo:bugfix-72412

Conversation

@gallardo
Copy link
Contributor

@gallardo gallardo commented Dec 1, 2023
edited
Loading

The fix makes sure that the Base64 secret patterns are not empty.

See https://issues.jenkins.io/browse/JENKINS-72412

Testing done

The first of these commits include unit tests to demonstrate this issue.

### Submitter checklist
- [X] Make sure you are opening from a **topic/feature/bugfix branch** (right side) and not your main branch!
- [X] Ensure that the pull request title represents the desired changelog entry
- [X] Please describe what you did
- [X] Link to relevant issues in GitHub or Jira
- [ ] Link to relevant pull requests, esp. upstream and downstream changes
- [X] Ensure you have provided tests - that demonstrates feature works or fixes the issue

@gallardo
Demonstrate wrong masking of one-char-secrets
224f989 
Test to reproduce issue JENKINS-72412.
@gallardo
Fix wrong masking of one-char-secrets
89bbe4e 
Fixes JENKINS-72412.
@gallardo gallardo requested a review from a team as a code owner December 1, 2023 17:00
@jglick jglick requested a review from Kevin-CB December 1, 2023 17:37
@jglick
Copy link
Member

jglick commented Dec 1, 2023

amending #269 FTR

@jglick
Copy link
Member

jglick commented Dec 1, 2023

Probably fine so far as it goes but I suspect what you really wanted was

diff --git src/main/java/org/jenkinsci/plugins/github_branch_source/GitHubAppCredentials.java src/main/java/org/jenkinsci/plugins/github_branch_source/GitHubAppCredentials.java
index c4f45cf..f062de5 100644
--- src/main/java/org/jenkinsci/plugins/github_branch_source/GitHubAppCredentials.java
+++ src/main/java/org/jenkinsci/plugins/github_branch_source/GitHubAppCredentials.java
@@ -323,6 +323,11 @@ public class GitHubAppCredentials extends BaseStandardCredentials implements Sta
         return appID;
     }
 
+    @Override
+    public boolean isUsernameSecret() {
+        return false;
+    }
+
     @NonNull
     public synchronized GitHubAppCredentials withOwner(@NonNull String owner) {
         if (this.owner != null) {

Care to test & file ^^^?

@gallardo
Copy link
Contributor Author

gallardo commented Dec 1, 2023
edited
Loading

I suspect what you really wanted was

+    @Override
+    public boolean isUsernameSecret() {
+        return false;
+    }

I'm new to Jenkins code, but if I interpret this correctly, this is absolutely what we want: https://issues.jenkins.io/browse/JENKINS-66675

@gallardo
Copy link
Contributor Author

gallardo commented Dec 1, 2023

Care to test & file ^^^?

@jglick Tested ✔️

Being you the author of the fix, it'd be more appropriate if you file the PR yourself. There is the already mentioned issue https://issues.jenkins.io/browse/JENKINS-66675 reporting on this. I have edited it to reflect that the component github-branch-source-plugin is also affected.

@jglick jglick mentioned this pull request Dec 1, 2023
Merged
@schiasileon
Copy link

schiasileon commented Jan 9, 2024

@jglick is there any update on this? this is messing up a few of our build logs

@jglick
Copy link
Member

jglick commented Jan 9, 2024

@schiasileon do you have some one-character passwords?

…is it x?

@schiasileon
Copy link

schiasileon commented Jan 9, 2024

@schiasileon do you have some one-character passwords?

…is it x?

This mostly concerns us as we use a custom implementation that allows for multiline secrets from vault where we have some troubles with single character lines or empty lines being treated as separate secrets. Not a huge issue, but a fix would be nice.
Also on some instances we have empty secrets due to our CasC setup that cause this issue

@jglick
Copy link
Member

jglick commented Jan 9, 2024

a custom implementation

Of what?

multiline secrets from vault where we have some troubles with single character lines or empty lines being treated as separate secrets

Secret masking does not support multiline secrets. You have to use a secret file type. Perhaps this plugin should be improved to at least print a warning if a secret includes a line terminator, since at least its raw form cannot possibly match. (An input with a newline could still be masked in its Base64 form, but you are still in danger of accidentally printing it without Base64 encoding.)

we have empty secrets due to our CasC setup

AFAICT empty “secrets” are already ignored

credentials-binding-plugin/src/main/java/org/jenkinsci/plugins/credentialsbinding/masking/SecretPatterns.java

Line 60 in 89bbe4e

.filter(input -> !input.isEmpty())
but perhaps that only applies to the actual secret as opposed to the encoded form? I think the more general fix here is to just move the filter down a line (or duplicate it) since it is the encoded form, rather than the original “secret” per se, which cannot be empty in the final regexp. maskingOfOneCharSecretShouldNotMangleOutput should still cover the change.

@realies
Copy link

realies commented Apr 6, 2024
edited
Loading

@jglick, all output inside withCredentials is masked. This is hugely inconvenient to debug. Could someone please take a look at this?

@jglick jglick mentioned this pull request Apr 24, 2024
Merged
@rsandell rsandell merged commit b3559cf into jenkinsci:master Apr 29, 2024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@jglick jglick jglick left review comments

@Kevin-CB Kevin-CB Awaiting requested review from Kevin-CB

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

5 participants

@gallardo @jglick @schiasileon @realies @rsandell