Mask the Authorization header #22

Merged Dec 21, 2016 (1 commit)

@HaroldPutman
Contributor

HaroldPutman commented Nov 15, 2016

Address issue JENKINS-39744 by always masking the “Authorization” header value.

This pipeline script

```groovy
#!groovy

httpRequest httpMode: 'GET',
  url: "https://httpbin.org/get",
  customHeaders: [[name: 'Authorization', value: "Basic dXNlcm5hbWU6cGFzc3dvcmQ="]]
```

Gives this result.

```
[Pipeline] httpRequest
HttpMode: GET
URL: https://httpbin.org/get
Authorization: *****
Sending request to url: https://httpbin.org/get
Response Code: HTTP/1.1 200 OK
Success code from [100‥399]
[Pipeline] End of Pipeline
```

instead of echoing the value Basic dXNlcm5hbWU6cGFzc3dvcmQ= which is easily decoded into username:password.
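
The behaviour described in the comment above, as an added illustration (this is not the plugin's code or the PR's patch). The class and method names are hypothetical, and matching the header name case-insensitively is an assumption of this example, not confirmed plugin behaviour.

```java
import java.nio.charset.StandardCharsets;
import java.util.Base64;
import java.util.LinkedHashMap;
import java.util.Map;

public class HeaderLogMasking {
    static final String MASK = "*****";

    // HTTP header names are case-insensitive, so compare without regard to case.
    static boolean isSensitive(String headerName) {
        return "Authorization".equalsIgnoreCase(headerName);
    }

    // Build the line written to the build log. Only the logged copy is masked;
    // the request itself still carries the real header value.
    static String logLine(String name, String value) {
        return name + ": " + (isSensitive(name) ? MASK : value);
    }

    // Why masking matters: a Basic credential is Base64-encoded, not encrypted.
    static String decodeBasic(String headerValue) {
        String b64 = headerValue.substring("Basic ".length());
        return new String(Base64.getDecoder().decode(b64), StandardCharsets.UTF_8);
    }

    public static void main(String[] args) {
        // Constructed sample headers; the Authorization value is the one
        // quoted in the PR description, sent here with a lower-case name.
        Map<String, String> headers = new LinkedHashMap<>();
        headers.put("Accept", "application/json");
        headers.put("authorization", "Basic dXNlcm5hbWU6cGFzc3dvcmQ=");

        for (Map.Entry<String, String> h : headers.entrySet()) {
            System.out.println(logLine(h.getKey(), h.getValue()));
        }

        // What an unmasked log line would disclose to anyone able to read the console.
        System.out.println("unmasked value decodes to: "
                + decodeBasic(headers.get("authorization")));
    }
}
```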

@HaroldPutman
Contributor Author

@janario ?

@fatganz

fatganz commented Dec 12, 2016

This definitely would be useful! I am dealing with Github token and really feel that masking it will improve our security :)

@HaroldPutman
Contributor Author

Until this PR is incorporated, here is a workaround that depends on the Mask Passwords plugin.

```groovy
def creds = "user:secret"
String auth = creds.bytes.encodeBase64().toString()
wrap([
    $class: 'MaskPasswordsBuildWrapper',
    varPasswordPairs: [[var: 'XYZ', password: auth]]
    ]) {
    httpRequest httpMode: 'GET',
        url: "https://httpbin.org/get",
        customHeaders: [[name: 'Authorization', value: "Basic $auth"]]
}
```

@wpc009

wpc009 commented Dec 15, 2016

Should have some configurable options to turn the verbose print off.

@wpc009

wpc009 commented Dec 15, 2016

It should be for debugging purposes only.

@janario janario merged commit a8548ac into jenkinsci:master Dec 21, 2016
@janario
Member

janario commented Dec 21, 2016

Merged.
Thanks, I'm going to release it soon
