[JENKINS-73471] Restore passing credentialsId to the GitSCM #867
base: master
Conversation
I don't know if Yaroslav is still active in the Jenkins project. It is unfortunate that ad359b3 did not add any tests. Here are the reproduction steps from the security ticket though to check if it regresses the fix manually:
@Dohbedoh Yaroslav asked me to pass on some info from when he worked on the security ticket initially. The reason he made the one-line change that you are proposing to revert in this PR has to do with unusual behavior he saw while testing:
After that comment he changed the line in question to stop passing He doesn't think that your change would regress the security fix, the question is just whether the error that he saw when the code was like you have it in the PR now is representative of a real bug that would affect users or is just some kind of environmental or configuration issue.
Thanks!
Alright, so actually this cannot work .. In I wonder why we don't decorate the client at the end of the If unit tests are required, I would need more time to provide them..
This solution has a limitation I think. The extension is not used when polling:
Maybe it's best to wait for jenkinsci/git-plugin#1649 .. That would complement what we are doing here.
26ccca2 to 0847bd9
git-plugin 5.5.0 has been released. cc @jenkinsci/bitbucket-branch-source-plugin-developers
2f82472 to 6a23a48
…b_fdd149d to 3358.vea_fa_1f41504d
6a23a48 to fb52504
Alternatively, revert ad359b3 and just use a https://javadoc.jenkins.io/plugin/workflow-api/org/jenkinsci/plugins/workflow/log/TaskListenerDecorator.Factory.html which is triggered by the use of this SCM source and which masks any
@jglick The decorator would solve the leakage in the console output but I recall another source.. I think the "Changes" page of a job with GitSCM that displays the remote URL. Using secrets in the GitSCM remote URL is a problem.
I was thinking of splitting this into 2 PRs.
We need to make sure the We would coordinate the fix in the following order:
WDYT @jenkinsci/bitbucket-branch-source-plugin-developers ?
Make https://github.com/jenkinsci/git-plugin/blob/f7b32740f2abfc148692fe0d4628c094eed31798/src/main/java/hudson/plugins/git/util/BuildData.java#L92 strip any authentication fields out of URLs before storing them.
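The two mitigations raised in this thread, stripping credentials out of the remote URL before it is stored (the BuildData suggestion just above) and masking the secret in console output (the TaskListenerDecorator suggestion earlier), as an added example in plain Java. This is not code from the git plugin or the bitbucket-branch-source plugin: the class name RemoteUrlSanitizer, the method names and the sample token are assumptions made for illustration, and the masking helper shows only the per-line string transformation a decorator would apply, not the Jenkins plumbing around it.

```java
import java.net.URI;
import java.net.URISyntaxException;
import java.net.URLEncoder;
import java.nio.charset.StandardCharsets;
import java.util.ArrayList;
import java.util.Collection;
import java.util.LinkedHashSet;
import java.util.List;
import java.util.Set;

/**
 * Added example, not plugin code. Illustrates (1) stripping the userinfo
 * (user:password or x-token-auth:TOKEN) from a git remote URL before it is
 * persisted and (2) masking a secret, raw and URL-encoded, in console text.
 */
public final class RemoteUrlSanitizer {

    private static final String MASK = "****";

    private RemoteUrlSanitizer() {
    }

    /**
     * Remove everything up to and including the last '@' of the authority.
     * scp-like remotes (git@host:owner/repo.git) are not valid URIs and have
     * no password, so they come back unchanged, as do URLs without '@'.
     * The username is dropped as well, i.e. "any authentication fields".
     */
    public static String stripUserInfo(String remote) {
        if (remote == null || remote.indexOf('@') < 0) {
            return remote;
        }
        try {
            URI uri = new URI(remote);
            String authority = uri.getRawAuthority();
            // Use the raw authority rather than getRawUserInfo(): a host that
            // fails server-based parsing (e.g. with '_') is treated by java.net.URI
            // as registry-based and getRawUserInfo() would then return null.
            if (uri.getScheme() == null || authority == null || authority.indexOf('@') < 0) {
                return remote;
            }
            StringBuilder clean = new StringBuilder(uri.getScheme()).append("://")
                    .append(authority.substring(authority.lastIndexOf('@') + 1));
            if (uri.getRawPath() != null) {
                clean.append(uri.getRawPath());
            }
            if (uri.getRawQuery() != null) {
                clean.append('?').append(uri.getRawQuery());
            }
            if (uri.getRawFragment() != null) {
                clean.append('#').append(uri.getRawFragment());
            }
            return clean.toString();
        } catch (URISyntaxException e) {
            // Not parseable (e.g. a token with characters illegal in userinfo):
            // fall back to cutting "<scheme>://<anything up to last @>@".
            return remote.replaceFirst("^([A-Za-z][A-Za-z0-9+.-]*://)[^/?#]*@", "$1");
        }
    }

    /**
     * Replace each secret in a line of text with "****". Both the raw value and
     * its URL-encoded form are masked, because a token embedded in a remote URL
     * is usually percent-encoded there while the raw value may be echoed
     * elsewhere. Longer forms are replaced first so that a secret that is a
     * prefix of another never leaves a suffix behind.
     */
    public static String mask(String text, Collection<String> secrets) {
        Set<String> forms = new LinkedHashSet<>();
        for (String s : secrets) {
            if (s != null && !s.isEmpty()) {
                forms.add(s);
                forms.add(URLEncoder.encode(s, StandardCharsets.UTF_8));
            }
        }
        List<String> ordered = new ArrayList<>(forms);
        ordered.sort((a, b) -> Integer.compare(b.length(), a.length()));
        String out = text;
        for (String s : ordered) {
            out = out.replace(s, MASK);
        }
        return out;
    }

    public static void main(String[] args) {
        // Constructed sample token for the demo; not a real credential.
        String token = "sEcReT/t0k3n+x";
        String remote = "https://x-token-auth:"
                + URLEncoder.encode(token, StandardCharsets.UTF_8)
                + "@bitbucket.org/acme/app.git";

        System.out.println(stripUserInfo(remote));
        System.out.println(stripUserInfo("git@bitbucket.org:acme/app.git"));

        String consoleLine = "Cloning " + remote + " using token " + token;
        System.out.println(mask(consoleLine, List.of(token)));
    }
}
```

Stripping belongs at the point where the URL is persisted (the BuildData suggestion), since a record written once will be rendered on the "Changes" page and elsewhere long after the build log is gone; masking belongs on the console path, where the URL is printed by git itself and cannot be rewritten before the fact. Neither replaces the other, which is why the thread discusses both.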
Proposal to fix #862. Reinstate the credentialsId in the GitSCM configuration. It would also guarantee that credentials usage is still tracked. Checking down the line, GitClient still uses the authenticator credentials reference.
@yaroslavafenkin Per my understanding, the issue that SECURITY-3363 fixes was the clone link of the OAuth Authenticator at https://github.com/jenkinsci/bitbucket-branch-source-plugin/blob/886.v44cf5e4ecec5/src/main/java/com/cloudbees/jenkins/plugins/bitbucket/api/credentials/BitbucketOAuthAuthenticator.java#L48-L57? In which case instantiating the GitSCM with the credentialsId is fine? I am not sure what is the scenario to validate that this does not bring back this security problem?