Jenkins：withCredentials不会屏蔽Groovy脚本中的密码

fkaflof6 于 2023-02-11 发布在 Jenkins

关注(0)|答案(1)|浏览(177)

我正在使用Credentials和CredentialBinding来屏蔽传递给“bat”的凭据，这些凭据将在“net use”中使用，以便通过groovy脚本连接到共享。不幸的是，密码在控制台日志中暴露：

withCredentials([
        usernamePassword(
            credentialsId: credentialsId,
            passwordVariable: 'PASSWORD',
            usernameVariable: 'USER'
        )
    ]) {
        def user = this.env['USER'];
        def password = this.env['PASSWORD'];        
        bat "net use \\\\$server $PASSWORD /user:$user /persistent:yes"
        bat "net use"
    }

我也试着用单引号括起%PASSWORD%，但是字符串没有被插入到“net use”中。如果有什么不对劲的地方，请告诉我。

Jenkins

来源：https://stackoverflow.com/questions/66981226/jenkins-withcredentials-does-not-mask-passwords-in-groovy-script

1条答案

按热度按时间

8qgya5xd1#

你可以分享你的日志，你得到（显然与密码删除）作为withCredentials应该自动屏蔽，如果你有一个合理的最新版本，即使当传递到其他进程，例如.

steps {
            withCredentials([
                usernamePassword(
                    credentialsId: "MY_CREDENTIALS",
                    passwordVariable: 'PASSWORD',
                    usernameVariable: 'USER'
                )
            ]) {
                sh "echo $PASSWORD"
                echo USER
            }
        }

仍将屏蔽密码

[Pipeline] withCredentials
Masking supported pattern matches of $USER or $PASSWORD
[Pipeline] {
[Pipeline] sh
Warning: A secret was passed to "sh" using Groovy String interpolation, which is insecure.
     Affected argument(s) used the following variable(s): [PASSWORD]
     See https://jenkins.io/redirect/groovy-string-interpolation for details.
+ echo ****
****
[Pipeline] echo
****
[Pipeline] }
[Pipeline] // withCredentials

另外，当您可以直接使用$PASSWORD和$USER时，这些行又有什么用呢

def user = this.env['USER'];
def password = this.env['PASSWORD'];

赞(0）回复(0）举报 2023-02-11

我来回答

Jenkins：withCredentials不会屏蔽Groovy脚本中的密码

1条答案

相关问题

热门标签

最新问答