Hi,

I tried to upgrade *Jenkins core*, *org.jenkins-ci.plugins:plugin*, but I 
still got the same results.  =/

Since I am using *hudson.Launcher* and the main reason to fix the security 
issue is to hide a command line password, how can I get the output and do a 
replace (something like logString.replace('password', '****')) 
before it goes to the final output?

Thanks.

On Friday, November 6, 2020 at 10:19:41 UTC-3, Fernando Boaglio 
wrote:

> Hi Daniel,
>
> Even removing all double quotes I got the same error.
>
> Jenkins:
> [image: image.png]
>
> CMD:
> [image: image.png]
>
>
> I am already using hudson.Launcher (please check line 467 
> <https://github.com/jenkinsci/sqlplus-script-runner-plugin/blob/master/src/main/java/org/jenkinsci/plugins/sqlplus/script/runner/SQLPlusRunner.java>).
>  
>
>
> Since this plugin is based on Jenkins 2.176.3, maybe I can try to use a 
> newer one... any suggestions?
>
> Thanks. 
>
>
> On Thu, Nov 5, 2020 at 3:53 PM Daniel Beck <[email protected]> wrote:
>
>> I would look into Windows batch quoting rules. I think the double quotes 
>> become part of the actual value or some other weirdness. Ideally you could 
>> write a small tool that just echoes the command line args it receives, and 
>> then use that in place of sqlplus to see what actually gets passed to the 
>> application.
>>
>> Alternatively, you may be able to switch from wrapper scripts to launch 
>> your programs using hudson.Launcher but I'm not sure how well the 
>> masking would work as a part of an argument without masking the entire 
>> argument.
>>
>>
>> On Thu, Nov 5, 2020 at 6:52 PM Fernando Boaglio <[email protected]> wrote:
>>
>>> Hi,
>>>
>>> How are you today ?
>>>
>>> I am the sqlplus-script-runner plugin maintainer; this plugin is 
>>> basically a wrapper to use Oracle SQL Plus 
>>> <https://en.wikipedia.org/wiki/SQL_Plus> by command line. 
>>>
>>> This plugin has been around since 2015, and due to a recent security issue 
>>> <https://issues.jenkins-ci.org/browse/SECURITY-2129>, I did a 
>>> workaround/fix to hide the user's password.
>>>
>>> - Before release 2.0.12:
>>>
>>> <sqlplus>  user/"password"@databaseInstance  @customSQLscript
>>>
>>> - Current release 2.0.13:
>>>
>>> HIDDING_PASSWORD=password (by envVars.put)
>>>
>>> Linux: <sqlplus>  user/"$HIDDING_PASSWORD"@databaseInstance  @customSQLscript
>>> Windows: <sqlplus>  user/"%HIDDING_PASSWORD%"@databaseInstance  @customSQLscript
>>>
>>> *Linux*: works flawlessly
>>> *Windows*: doesn't work, I get invalid user/password, some users can't 
>>> use it 
>>> <https://github.com/jenkinsci/sqlplus-script-runner-plugin/issues/55>
>>>
>>> Example:
>>> C:\instantclient\bin\sqlplus.exe -L fb/"%HIDDEN_PASSWORD%"@XE 
>>> @c:\jenkins\workspace\test-sql-slave\temp-script-16045792671955150761487514970585.sql
>>>  
>>>
>>> ERROR: *ORA-01017: invalid username/password; logon denied*
>>>
>>> I tried to create another file (sqlplus.cmd) to check if HIDDEN_PASSWORD 
>>> variable is correct and I got no errors.
>>>
>>> *File sqlplus.cmd:*
>>>
>>> echo " CMD "
>>> echo HIDDEN_PASSWORD=fb
>>> echo ORACLE_HOME=C:\instantclient
>>> cd C:\instantclient\
>>> C:\instantclient\sqlplus.exe fb/"%HIDDEN_PASSWORD%"@XE @C:\instantclient\teste.sql
>>>
>>> *Output:*
>>>
>>> c:\jenkins\workspace\test-sql-slave>echo " CMD "
>>> " CMD "
>>> c:\jenkins\workspace\test-sql-slave>echo HIDDEN_PASSWORD=fb
>>> HIDDEN_PASSWORD=fb
>>> c:\jenkins\workspace\test-sql-slave>echo ORACLE_HOME=C:\instantclient
>>> ORACLE_HOME=C:\instantclient
>>> c:\jenkins\workspace\test-sql-slave>cd C:\instantclient\
>>> C:\instantclient>C:\instantclient\sqlplus.exe fb/"fb"@XE @C:\instantclient\teste.sql
>>> SQL*Plus: Release 19.0.0.0.0 - Production on Thu Nov 5 04:25:23 2020
>>> Version 19.6.0.0.0
>>> Copyright (c) 1982, 2019, Oracle.  All rights reserved.
>>> Connected to:
>>> Oracle Database 11g Express Edition Release 11.2.0.2.0 - 64bit Production
>>> USER is "FB"
>>> Disconnected from Oracle Database 11g Express Edition Release 11.2.0.2.0 - 64bit Production
>>> Processo terminou com status 0
>>> --------------------------------------------------------------------------
>>> Finished: SUCCESS
>>>
>>> I am out of ideas, is there any issue related to EnvVars?
>>>
>>> This plugin is based on Jenkins 2.176.3.
>>>
>>> Thanks for your help =)
>>>
>>> -- 
>>> You received this message because you are subscribed to the Google 
>>> Groups "Jenkins Developers" group.
>>> To unsubscribe from this group and stop receiving emails from it, send 
>>> an email to [email protected].
>>> To view this discussion on the web visit 
>>> https://groups.google.com/d/msgid/jenkinsci-dev/f25d0a51-ba77-434e-bdf1-367e7ed97c0en%40googlegroups.com
>>>  
>>> <https://groups.google.com/d/msgid/jenkinsci-dev/f25d0a51-ba77-434e-bdf1-367e7ed97c0en%40googlegroups.com?utm_medium=email&utm_source=footer>
>>> .
>>>
>>
>>
>> -- 
>>
>> Daniel Beck
>> Senior Software Engineer
>> CloudBees, Inc.
>>
>>   
>>
>>
>
>
> -- 
>
> Fernando [email protected] | www.boaglio.com
>
>
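
One way to do the replacement asked about in the newest message, as an added example that is not the plugin's or Jenkins' own code: a stream wrapper that buffers each line and masks the secret before forwarding it, which could be passed to `Launcher.ProcStarter.stdout(OutputStream)`. The class name `MaskingOutputStream`, the sample secret and the UTF-8 output encoding are assumptions.

```java
import java.io.ByteArrayOutputStream;
import java.io.FilterOutputStream;
import java.io.IOException;
import java.io.OutputStream;
import java.nio.charset.StandardCharsets;

// Hypothetical helper (not part of Jenkins or the plugin): masks a secret per line.
public class MaskingOutputStream extends FilterOutputStream {
    private final String secret;
    private final ByteArrayOutputStream line = new ByteArrayOutputStream();
    public MaskingOutputStream(OutputStream delegate, String secret) {
        super(delegate);
        this.secret = secret;
    }

    // FilterOutputStream routes write(byte[]) and write(byte[],int,int) through here.
    @Override
    public void write(int b) throws IOException {
        line.write(b);
        if (b == '\n') flushLine(); // whole line buffered: a secret split across writes is still matched
    }

    private void flushLine() throws IOException {
        if (line.size() == 0) return;
        // Assumption: the process output is UTF-8; use the agent's real charset otherwise.
        String text = new String(line.toByteArray(), StandardCharsets.UTF_8);
        line.reset();
        if (secret != null && !secret.isEmpty()) text = text.replace(secret, "****");
        out.write(text.getBytes(StandardCharsets.UTF_8));
    }

    @Override
    public void flush() throws IOException { out.flush(); } // partial line stays buffered

    @Override
    public void close() throws IOException {
        flushLine(); // emit a last line that has no trailing newline
        super.close();
    }

    public static void main(String[] args) throws IOException {
        ByteArrayOutputStream log = new ByteArrayOutputStream();
        try (MaskingOutputStream m = new MaskingOutputStream(log, "s3cr3t")) {
            // Constructed sample output; the secret arrives split over two writes.
            m.write("fb/\"s3c".getBytes(StandardCharsets.UTF_8));
            m.write("r3t\"@XE\nUSER is \"FB\"".getBytes(StandardCharsets.UTF_8));
        }
        System.out.print(log.toString("UTF-8"));
    }
}
```

Exact-match replacement only catches the secret as the literal string passed in; output that shows it quoted, escaped or encoded differently is not masked.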
