[QB-2622] CLONE -Secret variables can be referenced by clear-text variables, exposing the secret values
Created: 11/Jan/16  Updated: 21/Dec/16

Status: Closed
Project: QuickBuild
Component/s: None
Affects Version/s: 5.0.31
Fix Version/s: 5.1.1

Type: Bug Priority: Minor
Reporter: Irina Kotlova Assigned To: Unassigned
Resolution: Won't Fix Votes: 0
Remaining Estimate: Unknown Time Spent: Unknown
Original Estimate: Unknown


Description
When a clear-text variable references a secret variable, then anywhere that the clear-text variable gets referenced will show the secret value in clear text--for example, the Variables list for a build, the build log, etc. An example:

1) Define a secret variable, mySecretVar, and set it to "mysecret"
2) Define a clear text variable, myClearVar, and set it to "${vars.getValue("mySecretVar")}"
3) After a build, myClearVar will show up in the Variables tab with its value in clear text, and possibly also in the build log depending on how it is used.

Comments
Comment by Irina Kotlova [ 11/Jan/16 10:44 PM ]
It seems like the problem still persists in this scenario:
1) Set 'passwords' as a secret variable with some value.
2) Create parallel step RunAccountsInParallel, create sequential child step in it: ForEachAccount with repeat parameter ACCOUNT.
3) Create 2 child steps in ForEachAccount: SetVariables (type Execute a Script) and RunAnt (type Ant).
4) Update 'passwords' variable in SetVariables step: ${groovy: vars.get("passwords").setValue(util.readFileAsString(new java.io.File(<path_to_file_with_comma_separated_passwords_string_inside>)))}.
5) In the next step - RunAnt - run Ant with the property PASSWORD=${groovy: vars.getValue("passwords").split(",")[params.get("ACCOUNT").toInteger()]}
6) Look in the log - password is exposed as clear value.

QuickBuild 6.1
Comment by Robin Shen [ 21/Dec/16 09:17 AM ]
QB cannot help much in this case, as the best thing we can do is to mask all texts equal to any password text in the log. However in this case, the password is split and passed around, and QB does not know it is a password any more.
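As an added illustration (not QuickBuild code) of the masking limit described in the comment above: an exact-match log masker hides the whole secret, as in the description's myClearVar case, but misses a comma-split piece passed to Ant; a masker that also registers fragments of each secret catches it, at the cost of a minimum-length rule so that short fragments do not redact unrelated log text. The variable values and log lines are constructed samples.

```python
import re

# Constructed sample secrets: a plain one (the description's mySecretVar) and one
# whose value is later split on commas (the 'passwords' variable in the comment).
SECRET_VARS = {"mySecretVar": "mysecret", "passwords": "alpha,bravo,charlie"}


def exact_patterns(secrets):
    """Patterns that mask only text equal to a whole secret value."""
    return [re.escape(v) for v in secrets.values() if v]


def fragment_patterns(secrets, separators=",;:", min_len=4):
    """Patterns that also mask the pieces a value splits into.

    min_len avoids registering tiny fragments that would redact harmless text.
    """
    pats = set()
    for value in secrets.values():
        pats.add(value)
        for part in re.split("[" + re.escape(separators) + "]", value):
            if len(part) >= min_len:
                pats.add(part)
    # Longest first, so a whole value is replaced before any of its fragments.
    return [re.escape(p) for p in sorted(pats, key=len, reverse=True)]


def mask(line, patterns, replacement="********"):
    """Replace every occurrence of any pattern in a log line."""
    if not patterns:
        return line
    return re.sub("|".join(patterns), replacement, line)


# Constructed build-log lines reproducing both scenarios from the issue.
LOG = [
    "Variables: myClearVar=mysecret",   # clear-text variable referencing the secret
    "ant -DPASSWORD=bravo build",       # one comma-separated piece passed to Ant
]


def demo():
    """Return the log masked with exact-match patterns and with fragment patterns."""
    exact = [mask(line, exact_patterns(SECRET_VARS)) for line in LOG]
    frag = [mask(line, fragment_patterns(SECRET_VARS)) for line in LOG]
    return exact, frag


if __name__ == "__main__":
    for label, lines in zip(("exact-match masking", "fragment-aware masking"), demo()):
        print(label)
        for line in lines:
            print("  " + line)
```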
Generated at Tue May 21 04:39:46 UTC 2024 using JIRA 189.