Jenkins:withCredentials不会屏蔽Groovy脚本中的密码

fkaflof6  于 2023-02-11  发布在  Jenkins
关注(0)|答案(1)|浏览(178)

我正在使用Credentials和CredentialBinding来屏蔽传递给“bat”的凭据,这些凭据将在“net use”中使用,以便通过groovy脚本连接到共享。不幸的是,密码在控制台日志中暴露:

withCredentials([
        usernamePassword(
            credentialsId: credentialsId,
            passwordVariable: 'PASSWORD',
            usernameVariable: 'USER'
        )
    ]) {
        def user = this.env['USER'];
        def password = this.env['PASSWORD'];        
        bat "net use \\\\$server $PASSWORD /user:$user /persistent:yes"
        bat "net use"
    }

我也试着用单引号括起%PASSWORD%,但是字符串没有被插入到“net use”中。如果有什么不对劲的地方,请告诉我。

8qgya5xd

8qgya5xd1#

你可以分享你的日志,你得到(显然与密码删除)作为withCredentials应该自动屏蔽,如果你有一个合理的最新版本,即使当传递到其他进程,例如.

steps {
            withCredentials([
                usernamePassword(
                    credentialsId: "MY_CREDENTIALS",
                    passwordVariable: 'PASSWORD',
                    usernameVariable: 'USER'
                )
            ]) {
                sh "echo $PASSWORD"
                echo USER
            }
        }

仍将屏蔽密码

[Pipeline] withCredentials
Masking supported pattern matches of $USER or $PASSWORD
[Pipeline] {
[Pipeline] sh
Warning: A secret was passed to "sh" using Groovy String interpolation, which is insecure.
     Affected argument(s) used the following variable(s): [PASSWORD]
     See https://jenkins.io/redirect/groovy-string-interpolation for details.
+ echo ****
****
[Pipeline] echo
****
[Pipeline] }
[Pipeline] // withCredentials

另外,当您可以直接使用$PASSWORD和$USER时,这些行又有什么用呢

def user = this.env['USER'];
def password = this.env['PASSWORD'];

相关问题