Bug 1837362 - Sensitive data exposed on pipeline failure
Summary: Sensitive data exposed on pipeline failure
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: OpenShift Container Platform
Classification: Red Hat
Component: Jenkins
Version: 4.5
Hardware: Unspecified
OS: Unspecified
Priority: unspecified
Severity: medium
Target Milestone: ---
Target Release: 4.5.0
Assignee: Akram Ben Aissi
QA Contact: Jitendar Singh
URL:
Whiteboard:
Depends On:
Blocks:
 
Reported: 2020-05-19 10:54 UTC by Akram Ben Aissi
Modified: 2020-07-13 17:40 UTC
CC List: 3 users

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2020-07-13 17:40:02 UTC
Target Upstream Version:
Embargoed:




Links
System ID Private Priority Status Summary Last Updated
Github openshift jenkins-client-plugin pull 327 0 None closed Bug 1837362: Sensitive data exposed on pipeline failure 2020-08-11 05:56:13 UTC
Red Hat Product Errata RHBA-2020:2409 0 None None None 2020-07-13 17:40:18 UTC

Description Akram Ben Aissi 2020-05-19 10:54:28 UTC
When creating a secret using this plugin, oc apply failures will show the output in the Jenkins Job output. This can lead to leakage of sensitive data. E.g.

Using this task:
OpenShift - Create Resource(s)

apiVersion: v1
kind: Secret
metadata:
  name: secretname
data:
  secretKey: YWRtaW4K
  secret: xxxxK
type: Opaque
Will fail with the following output:

Started by user anonymous
Building in workspace /Users/rmaloku/work/jenkins-client-plugin/work/jobs/test/workspace
Executing: oc --server=https://kubernetes.docker.internal:6443 --certificate-authority= --namespace=default --token=XXXXX create -f /var/folders/r5/dh4_6p_91r90wkxmkw957g0w0000gn/T/markup4721899811229862180.tmp 
Error from server (BadRequest): error when creating "/var/folders/r5/dh4_6p_91r90wkxmkw957g0w0000gn/T/markup4721899811229862180.tmp": Secret in version "v1" cannot be handled as a Secret: v1.Secret.Data: decode base64: illegal base64 data at input byte 4, error found in #10 byte of ...|t":"xxxxK","secretKe|..., bigger context ...|{"apiVersion":"v1","data":{"secret":"xxxxK","secretKey":"YWRtaW4K"},"kind":"Secret","metadata|...
Client tool terminated with status: 1
Build step 'OpenShift - Create Resource(s)' marked build as failure
Finished: FAILURE
This being the important line: {"secret":"xxxxK","secretKey":"YWRtaW4K"},"kind":"Secret","metadata|...

This can be fixed in one of two ways:

Reading the entire output and then regex-ing and redacting the sensitive data.
Or having a flag that, as soon as some sensitive keywords are noticed (e.g. "Secret"), turns off logging to the command line.
I'd prefer the first approach as we would be able to provide the user with more details without leaking sensitive data.

If you see this as a beneficial addition to the plugin, please share your suggestions with me and I will work on it.
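
The first approach the reporter prefers (capture the whole oc output, then redact before it reaches the build log), as an added example written for this bug report. It is not the jenkins-client-plugin's own code; the plugin is Java, and this is an illustration of the logic in Python. It assumes the caller already holds the submitted manifest as a parsed dict (the plugin does, since it wrote that manifest to the temp file). The sample log below is constructed from the output quoted in the description.

```python
"""Redact Secret payloads from `oc` output before it reaches the build log.

Added example for this bug report, not the jenkins-client-plugin's own code.
It follows the reporter's first option: let the command run, capture its
whole output, then redact before writing to the Jenkins console.
Assumption: the caller already holds the submitted manifest as a parsed
dict (the plugin has it, since it wrote the manifest to the temp file).
"""
import re
from typing import Dict

REDACTED = "[REDACTED]"
SECRET_FIELDS = ("data", "stringData")  # both carry confidential values


def sensitive_pairs(manifest: Dict) -> Dict[str, str]:
    """Return key -> value for every confidential field in the manifest.

    Only kind: Secret objects are considered; a v1 List wrapper is unpacked so
    a multi-object apply is covered too.  Empty values are skipped because
    replacing "" would corrupt the whole string.
    """
    objects = manifest.get("items", []) if manifest.get("kind") == "List" else [manifest]
    pairs: Dict[str, str] = {}
    for obj in objects:
        if not isinstance(obj, dict) or obj.get("kind") != "Secret":
            continue
        for field in SECRET_FIELDS:
            for key, value in (obj.get(field) or {}).items():
                if value not in (None, ""):
                    pairs[str(key)] = str(value)
    return pairs


def redact(output: str, pairs: Dict[str, str]) -> str:
    """Scrub known secret values (and truncated fragments of them) from output."""
    if not pairs:
        return output
    # Pass 1: exact values, longest first, so a value that is a substring of a
    # longer one cannot leave a partial remnant behind.
    for value in sorted(set(pairs.values()), key=len, reverse=True):
        output = output.replace(value, REDACTED)
    # Pass 2: the API server echoes a window of the JSON it rejected
    # (...|t":"xxxxK","secretKe|...), so a value can be cut off mid-string and
    # missed by pass 1.  Catch '"<known key>":"<anything up to a quote or bar>'.
    keys = "|".join(re.escape(k) for k in sorted(pairs, key=len, reverse=True))
    pattern = re.compile(r'"(' + keys + r')"\s*:\s*"([^"|]*)')
    return pattern.sub(lambda m: '"%s":"%s' % (m.group(1), REDACTED), output)


def redact_oc_output(output: str, manifest: Dict) -> str:
    """What a plugin would call between process exit and writing to the log."""
    return redact(output, sensitive_pairs(manifest))


# Constructed sample: the Secret from this bug and a log modelled on its output.
MANIFEST = {
    "apiVersion": "v1",
    "kind": "Secret",
    "metadata": {"name": "secretname"},
    "data": {"secretKey": "YWRtaW4K", "secret": "xxxxK"},
    "type": "Opaque",
}

SAMPLE_OUTPUT = (
    'Error from server (BadRequest): error when creating "manifest.tmp": '
    'Secret in version "v1" cannot be handled as a Secret: v1.Secret.Data: '
    "decode base64: illegal base64 data at input byte 4, error found in #10 "
    'byte of ...|t":"xxxxK","secretKe|..., bigger context ...|{"apiVersion":"v1",'
    '"data":{"secret":"xxxxK","secretKey":"YWRtaW4K"},"kind":"Secret","metadata|...\n'
    "Client tool terminated with status: 1\n"
)

if __name__ == "__main__":
    print(redact_oc_output(SAMPLE_OUTPUT, MANIFEST))
```

The two passes are deliberate: exact-value replacement preserves the rest of the server's diagnostic (the user still sees that byte 4 was bad base64 and which key it was), while the key-anchored regex covers the case where the server's error window cuts a value in half, which exact replacement alone would leak. A short value such as xxxxK may also match unrelated text; over-redaction is the safe direction for a build log.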

Comment 4 errata-xmlrpc 2020-07-13 17:40:02 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2020:2409

