Add base64 masking #269

Merged
merged 2 commits into from
Sep 14, 2023

Contributor

@Kevin-CB Kevin-CB commented Sep 6, 2023

There is no support for base64-encoded credentials, and it's not an encryption method and it can be easily decoded.

To prevent base64-encoded credentials from being exposed in build logs, I added a new SecretPatternFactory for it.

Testing done

I wrote a test to ensure it was done properly on Windows and Unix-based systems but I also tested it locally with the following pipeline:

```groovy
node {
    withCredentials([usernamePassword(credentialsId: "CredID1", usernameVariable: 'USERNAME', passwordVariable: 'PASSWORD')]) {
        sh '''
            echo Base64 encoded password:
            echo -n $PASSWORD | base64
            echo "========================================"
            curl -v https://$USERNAME:$PASSWORD@google.com
            echo "========================================"
        '''
    }
}
```

Before:

Clear

After:

Encrypted

Submitter checklist

  1. Make sure you are opening from a topic/feature/bugfix branch (right side) and not your main branch!
  2. Ensure that the pull request title represents the desired changelog entry
  3. Please describe what you did
  4. Link to relevant issues in GitHub or Jira
  5. Link to relevant pull requests, esp. upstream and downstream changes
  6. Ensure you have provided tests - that demonstrates feature works or fixes the issue

@Kevin-CB Kevin-CB requested a review from a team as a code owner September 6, 2023 17:46

@yaroslavafenkin yaroslavafenkin left a comment

Seems to work well in local testing

Base64.getUrlEncoder(),
};

Collection<String> result = new ArrayList<>();

Perhaps use Set over List?

Member

Should not matter I think; all the patterns will wind up merged into one big pattern sorted by length.

Member

```java
.flatMap(input ->
        secretPatternFactories.stream().flatMap(factory ->
                factory.getEncodedForms(input).stream()))
.sorted(BY_LENGTH_DESCENDING)
.distinct()
```
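
The approach discussed in this thread, as an added Java example that is not the plugin's own code: each secret's base64 forms are generated, merged with the plain secret into one pattern sorted by length descending and de-duplicated, then applied to log lines. The class and method names, the use of `Base64.getEncoder()` and `withoutPadding()`, the sample secret and the log lines are assumptions made for the illustration.

```java
import java.nio.charset.StandardCharsets;
import java.util.ArrayList;
import java.util.Base64;
import java.util.Comparator;
import java.util.List;
import java.util.regex.Pattern;
import java.util.stream.Collectors;
import java.util.stream.Stream;

public class Base64MaskingDemo {
    // Longest alternative first: otherwise the unpadded form would match and leave "=" behind.
    static final Comparator<String> BY_LENGTH_DESCENDING =
            Comparator.comparingInt(String::length).reversed();

    // Hypothetical helper: base64 forms of one secret in both JDK alphabets, padded and unpadded.
    static List<String> encodedForms(String secret) {
        byte[] raw = secret.getBytes(StandardCharsets.UTF_8);
        List<String> forms = new ArrayList<>();
        for (Base64.Encoder enc : new Base64.Encoder[] {Base64.getEncoder(), Base64.getUrlEncoder()}) {
            forms.add(enc.encodeToString(raw));
            forms.add(enc.withoutPadding().encodeToString(raw));
        }
        return forms; // duplicates are possible; distinct() below drops them
    }

    // One literal alternation covering each secret and its encoded forms.
    static Pattern maskPattern(List<String> secrets) {
        String regex = secrets.stream()
                .filter(s -> !s.isEmpty())
                .flatMap(s -> Stream.concat(Stream.of(s), encodedForms(s).stream()))
                .sorted(BY_LENGTH_DESCENDING)
                .distinct()
                .map(Pattern::quote)
                .collect(Collectors.joining("|"));
        // An empty alternation would match everywhere, so fall back to a never-matching pattern.
        return Pattern.compile(regex.isEmpty() ? "(?!)" : regex);
    }

    public static void main(String[] args) {
        Pattern p = maskPattern(List.of("pa??word")); // constructed sample secret
        String[] log = { // constructed build-log lines
            "+ echo -n pa??word | base64",
            "cGE/P3dvcmQ=",
            "token=cGE_P3dvcmQ&next=1",
        };
        for (String line : log) {
            System.out.println(p.matcher(line).replaceAll("****"));
        }
    }
}
```

This covers the secret encoded on its own; a secret encoded as part of a longer string produces different base64 text that these forms do not match.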

@jglick
Member

jglick commented Sep 14, 2023

Ready to go I think; @daniel-beck or @Wadeck or anyone else want to take a look?

Contributor

@Wadeck Wadeck left a comment

Not manually tested this version, but looks very similar to what I expected 👍

@jglick
Member

jglick commented Sep 18, 2023
