SECURITY-2519

(cherry picked from commit a68ff7e)
jenkinsci · Feb 9, 2022 · c06f654 · c06f654
1 parent 1df0d1b
commit c06f654
Show file tree

Hide file tree

Showing 2 changed files with 22 additions and 1 deletion.
diff --git a/src/main/java/org/jenkinsci/plugins/workflow/support/steps/build/BuildTriggerStep.java b/src/main/java/org/jenkinsci/plugins/workflow/support/steps/build/BuildTriggerStep.java
@@ -10,6 +10,7 @@
 import hudson.model.ParameterDefinition;
 import hudson.model.ParameterValue;
 import hudson.model.ParametersDefinitionProperty;
+import hudson.model.PasswordParameterDefinition;
 import hudson.model.PasswordParameterValue;
 import hudson.model.Queue;
 import hudson.util.FormValidation;
@@ -117,7 +118,13 @@ public DescriptorImpl() {
                             if (d == null) {
                                 throw new IllegalArgumentException("No such parameter definition: " + name);
                             }
-                            ParameterValue parameterValue = d.createValue(req, jo);
+                            ParameterValue parameterValue;
+                            if (d instanceof PasswordParameterDefinition) {
+                                parameterValue = req.bindJSON(PasswordParameterValue.class, jo);
+                                parameterValue.setDescription(d.getDescription());
+                            } else {
+                                parameterValue = d.createValue(req, jo);
+                            }
                             if (parameterValue != null) {
                                 values.add(parameterValue);
                             } else {

diff --git a/src/test/java/org/jenkinsci/plugins/workflow/support/steps/build/BuildTriggerStepTest.java b/src/test/java/org/jenkinsci/plugins/workflow/support/steps/build/BuildTriggerStepTest.java
@@ -41,6 +41,7 @@
 import java.util.Set;
 import java.util.logging.Level;
 import java.util.stream.Collectors;
+
 import jenkins.branch.MultiBranchProjectFactory;
 import jenkins.branch.MultiBranchProjectFactoryDescriptor;
 import jenkins.branch.OrganizationFolder;
@@ -805,6 +806,19 @@ public void buildStepDocs() throws Exception {
         j.assertLogContains("Credential: credential-id", ds.getBuildByNumber(1));
     }
 
+    @Issue("SECURITY-2519")
+    @Test public void generateSnippetForBuildTriggerWhenDefaultPasswordParameterThenDoNotReturnRealPassword() throws Exception {
+        SnippetizerTester st = new SnippetizerTester(j);
+        FreeStyleProject us = j.createProject(FreeStyleProject.class, "project1");
+        us.addProperty(new ParametersDefinitionProperty(
+                new PasswordParameterDefinition("password", "mySecret", "description")
+        ));
+
+        String snippet = "build job: 'project1', parameters: [password(name: 'password', description: 'description', value: '" + PasswordParameterDefinition.DEFAULT_VALUE + "')]";
+
+        st.assertGenerateSnippet("{'stapler-class':'" + BuildTriggerStep.class.getName() + "', 'job':'project1', 'parameter': {'name': 'password', 'description': 'description', 'value': '" + PasswordParameterDefinition.DEFAULT_VALUE + "'}}", snippet, us.getAbsoluteUrl() + "configure");
+    }
+
     private static ParameterValue getParameter(Run<?, ?> run, String parameterName) {
         return run.getAction(ParametersAction.class).getParameter(parameterName);
     }