[JENKINS-56674] Mask environment variable if they passed in case of inside docker image run

[vkravets]

Resolves https://issues.jenkins-ci.org/browse/JENKINS-56674

I would like to propose and show which issue exists with masked env variables during such case

node {
  withDockerContainer('ubuntu') {
    env.TEST_PWD = 'pwd12345'
    withDockerContainer('ubuntu') {
      withDockerContainer('ubuntu') {
		sh('echo test')
      }
    }
  }
}

So the output of job will have include env variable which can contains sensitive data (first part of docker exec):

 6.514 [prj #1] [Pipeline] node
   6.617 [prj #1] Running on master in /Users/vkravets/work/my/docker-workflow-plugin/tmp/workspace/prj
   6.617 [prj #1] [Pipeline] {
   7.814 [prj #1] [Pipeline] withDockerContainer
   7.814 [prj #1] Jenkins does not seem to be running inside a container
   7.815 [prj #1] $ docker run -t -d -u 501:20 -w /Users/vkravets/work/my/docker-workflow-plugin/tmp/workspace/prj -v /Users/vkravets/work/my/docker-workflow-plugin/tmp/workspace/prj:/Users/vkravets/work/my/docker-workflow-plugin/tmp/workspace/prj:rw,z -v /Users/vkravets/work/my/docker-workflow-plugin/tmp/workspace/prj@tmp:/Users/vkravets/work/my/docker-workflow-plugin/tmp/workspace/prj@tmp:rw,z -e ******** -e ******** -e ******** -e ******** -e ******** -e ******** -e ******** -e ******** -e ******** -e ******** -e ******** -e ******** -e ******** -e ******** -e ******** -e ******** -e ******** -e ******** -e ******** ubuntu cat
   7.815 [prj #1] $ docker top c44d7264133f649cc80cc97aae11272e00c5023efe9c34e86d69ea71dc7beb91 -eo pid,comm
   7.815 [prj #1] [Pipeline] {
  10.504 [prj #1] [Pipeline] withDockerContainer
  10.504 [prj #1] ERROR: Failed to parse docker version. Please note there is a minimum docker version requirement of v1.7.
  10.505 [prj #1] Jenkins does not seem to be running inside a container
  10.505 [prj #1] $ docker exec --env BUILD_DISPLAY_NAME=#1 --env BUILD_ID=1 --env BUILD_NUMBER=1 --env BUILD_TAG=jenkins-prj-1 --env BUILD_URL=http://localhost:56168/jenkins/job/prj/1/ --env CLASSPATH= --env EXECUTOR_NUMBER=1 --env HUDSON_HOME=/Users/vkravets/work/my/docker-workflow-plugin/./tmp --env HUDSON_SERVER_COOKIE=586ce441e4ad2814 --env HUDSON_URL=http://localhost:56168/jenkins/ --env JENKINS_HOME=/Users/vkravets/work/my/docker-workflow-plugin/./tmp --env JENKINS_SERVER_COOKIE=586ce441e4ad2814 --env JENKINS_URL=http://localhost:56168/jenkins/ --env JOB_BASE_NAME=prj --env JOB_NAME=prj --env JOB_URL=http://localhost:56168/jenkins/job/prj/ --env NODE_LABELS=master --env NODE_NAME=master --env TEST_PWD=pwd12345 --env workspace=/Users/vkravets/work/my/docker-workflow-plugin/tmp/workspace/prj c44d7264133f649cc80cc97aae11272e00c5023efe9c34e86d69ea71dc7beb91 docker run -t -d -u 501:20 -w /Users/vkravets/work/my/docker-workflow-plugin/tmp/workspace/prj -v /Users/vkravets/work/my/docker-workflow-plugin/tmp/workspace/prj:/Users/vkravets/work/my/docker-workflow-plugin/tmp/workspace/prj:rw,z -v /Users/vkravets/work/my/docker-workflow-plugin/tmp/workspace/prj@tmp:/Users/vkravets/work/my/docker-workflow-plugin/tmp/workspace/prj@tmp:rw,z -e ******** -e ******** -e ******** -e ******** -e ******** -e ******** -e ******** -e ******** -e ******** -e ******** -e ******** -e ******** -e ******** -e ******** -e ******** -e ******** -e ******** -e ******** -e ******** -e ******** ubuntu cat

As you can see second docker run (which is wrapped by docker exec logged all env variables) which is not security

[vkravets]

Guys, sorry that disturb you, but I think this should be fixed asap, since it's a security issue... Could you please review?
@jglick @ndeloof @abayer

[conn]

You shouldn't hardcode passwords in your Jenkinsfile or anywhere in your repositories.

Values in environment variables that are also provided by the credentials API will be masked in console output when docker.inside is ran. Values that are not provided by the credentials API are at risk of being leaked via other means.

Unless my understanding of how credentials and console output work together is flawed, this wouldn't be a risk for anyone that is retrieving credentials via appropriate channels.

[vkravets]

Yes we should not, case which I've shown in test it's just a test, environment variable can be field from any source(vault, file, DB, credentials api or something else) and passed to process by env... In the same way all environment variable in the end of command masked, but at the beginning not.

The case which I've try to described appeared only in case of recursive call of which is covered by logic of this step, but not masked env variables... Try to look at the code and I hope you will understand what I mean.... @conn

[vkravets]

Unless my understanding of how credentials and console output work together is flawed, this wouldn't be a risk for anyone that is retrieving credentials via appropriate channels.

@conn not a true, since you can get credentials from any source and it will not logged in plain text but in case if it filled as env and passed to inContainer it will logged in the docker exec command which is trying to pass all env variables as command parameters

[vkravets]

@jglick @ndeloof @abayer is it possible to review this PR?

[jglick]

This is not a plausible test case. I am working on a clearer one.

[jglick]

see #167

[dwnusbaum]

Thanks for the PR @vkravets! I've just merged #167 which includes this PR.