Are you using the ArgumentListBuilder and addMasked <https://javadoc.jenkins-ci.org/hudson/util/ArgumentListBuilder.html#addMasked-java.lang.String-> as per <https://javadoc.jenkins-ci.org/hudson/Launcher.html#launch-->?
If not, you need to tell Jenkins that the nth argument should be masked (but you would be better off with the builder).

On Sunday, 8 November 2020 at 07:30:08 UTC [email protected] wrote:

> Yes, I am using credentials system, to get password I use
> *credentials.getPassword().getPlainText()* and it is not masked =/
>
> On Sunday, 8 November 2020 at 03:32:25 UTC-3, [email protected] wrote:
>
>> Are you using credentials system? Free style or pipeline? Afaik
>> credentials should be masked in your build output. At least in pipeline
>> when you use credentials() or withCredentials. I'm not sure how it gets
>> triggered in freestyle.
>>
>> On Sat., Nov. 7, 2020, 10:26 p.m. Fernando Boaglio, <[email protected]> wrote:
>>
>>> Hi,
>>>
>>> I tried to upgrade *Jenkins core*, *org.jenkins-ci.plugins:plugin*,
>>> but I still got same results. =/
>>>
>>> Since I am using *hudson.Launcher* and the main reason to fix the
>>> security issue is to hide a command line password, how can I get the output
>>> and do a replace ( something like logString.replace('password', '****') )
>>> before do to the final output ?
>>>
>>> Thanks.
>>>
>>> On Friday, 6 November 2020 at 10:19:41 UTC-3, Fernando Boaglio wrote:
>>>
>>>> Hi Daniel,
>>>>
>>>> Even removing all double quotes I got the same error.
>>>>
>>>> Jenkins:
>>>> [image: image.png]
>>>>
>>>> CMD:
>>>> [image: image.png]
>>>>
>>>> I am already using hudson.Launcher (please check line 467
>>>> <https://github.com/jenkinsci/sqlplus-script-runner-plugin/blob/master/src/main/java/org/jenkinsci/plugins/sqlplus/script/runner/SQLPlusRunner.java>).
>>>>
>>>> Since this plugin is based on Jenkins 2.176.3 , maybe I can try to use
>>>> a newer one... any suggestions ?
>>>>
>>>> Thanks.
>>>>
>>>> On Thu, Nov 5, 2020 at 3:53 PM Daniel Beck <[email protected]> wrote:
>>>>
>>>>> I would look into Windows batch quoting rules.
>>>>> I think the double quotes become part of the actual value or some other
>>>>> weirdness. Ideally you could write a small tool that just echoes the
>>>>> command line args it receives, and then use that in place of sqlplus to
>>>>> see what actually gets passed to the application.
>>>>>
>>>>> Alternatively, you may be able to switch from wrapper scripts to
>>>>> launch your programs using hudson.Launcher but I'm not sure how well
>>>>> the masking would work as a part of an argument without masking the
>>>>> entire argument.
>>>>>
>>>>> On Thu, Nov 5, 2020 at 6:52 PM Fernando Boaglio <[email protected]> wrote:
>>>>>
>>>>>> Hi,
>>>>>>
>>>>>> How are you today ?
>>>>>>
>>>>>> I am the sqlplus-script-runner plugin maintainer , this plugin is
>>>>>> basically a wrapper to use Oracle SQL Plus
>>>>>> <https://en.wikipedia.org/wiki/SQL_Plus> by command line.
>>>>>>
>>>>>> This plugin is around since 2015, and due to a recent security issue
>>>>>> <https://issues.jenkins-ci.org/browse/SECURITY-2129>, I did a
>>>>>> workaround/fix to hide user's password.
>>>>>>
>>>>>> - Before release 2.0.12:
>>>>>>
>>>>>> <sqlplus> user/"password"@databaseInstance @customSQLscript
>>>>>>
>>>>>> - Current release 2.0.13:
>>>>>>
>>>>>> HIDDING_PASSWORD=password (by envVars.put)
>>>>>>
>>>>>> Linux: <sqlplus> user/"$HIDDING_PASSWORD"@databaseInstance @customSQLscript
>>>>>> Windows: <sqlplus> user/"%HIDDING_PASSWORD%"@databaseInstance @customSQLscript
>>>>>>
>>>>>> *Linux*: work flawlessly
>>>>>> *Windows*: doesn't work, I get invalid user/password , some users
>>>>>> can't use it
>>>>>> <https://github.com/jenkinsci/sqlplus-script-runner-plugin/issues/55>
>>>>>>
>>>>>> Example:
>>>>>> C:\instantclient\bin\sqlplus.exe -L fb/"%HIDDEN_PASSWORD%"@XE
>>>>>> @c:\jenkins\workspace\test-sql-slave\temp-script-16045792671955150761487514970585.sql
>>>>>>
>>>>>> ERROR: *ORA-01017: invalid username/password; logon denied*
>>>>>>
>>>>>> I tried to create another file (sqlplus.cmd) to check if
>>>>>> HIDDEN_PASSWORD variable is correct and I got no errors.
>>>>>>
>>>>>> *File sqlplus.cmd:*
>>>>>>
>>>>>> echo " CMD "
>>>>>> echo HIDDEN_PASSWORD=fb
>>>>>> echo ORACLE_HOME=C:\instantclient
>>>>>> cd C:\instantclient\
>>>>>> C:\instantclient\sqlplus.exe fb/"%HIDDEN_PASSWORD%"@XE @C:\instantclient\teste.sql
>>>>>>
>>>>>> *Output:*
>>>>>>
>>>>>> c:\jenkins\workspace\test-sql-slave>echo " CMD "
>>>>>> " CMD "
>>>>>> c:\jenkins\workspace\test-sql-slave>echo HIDDEN_PASSWORD=fb
>>>>>> HIDDEN_PASSWORD=fb
>>>>>> c:\jenkins\workspace\test-sql-slave>echo ORACLE_HOME=C:\instantclient
>>>>>> ORACLE_HOME=C:\instantclient
>>>>>> c:\jenkins\workspace\test-sql-slave>cd C:\instantclient\
>>>>>> C:\instantclient>C:\instantclient\sqlplus.exe fb/"fb"@XE @C:\instantclient\teste.sql
>>>>>> SQL*Plus: Release 19.0.0.0.0 - Production on Thu Nov 5 04:25:23 2020
>>>>>> Version 19.6.0.0.0
>>>>>> Copyright (c) 1982, 2019, Oracle.
>>>>>> All rights reserved.
>>>>>> Connected to:
>>>>>> Oracle Database 11g Express Edition Release 11.2.0.2.0 - 64bit Production
>>>>>> USER is "FB"
>>>>>> Disconnected from Oracle Database 11g Express Edition Release 11.2.0.2.0 - 64bit Production
>>>>>> Processo terminou com status 0
>>>>>> --------------------------------------------------------------------------
>>>>>> Finished: SUCCESS
>>>>>>
>>>>>> I am out of ideas, is there any issue related to EnvVars ?
>>>>>>
>>>>>> This plugin is based on Jenkins 2.176.3 .
>>>>>>
>>>>>> Thanks for your help =)
>>>>>>
>>>>>> --
>>>>>> You received this message because you are subscribed to the Google
>>>>>> Groups "Jenkins Developers" group.
>>>>>> To unsubscribe from this group and stop receiving emails from it,
>>>>>> send an email to [email protected].
>>>>>> To view this discussion on the web visit
>>>>>> https://groups.google.com/d/msgid/jenkinsci-dev/f25d0a51-ba77-434e-bdf1-367e7ed97c0en%40googlegroups.com
>>>>>
>>>>> --
>>>>> Daniel Beck
>>>>> Senior Software Engineer
>>>>> CloudBees, Inc.
>>>>
>>>> --
>>>> Fernando [email protected] | www.boaglio.com
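
The approach suggested in the latest reply (ArgumentListBuilder.addMasked handed to Launcher.launch()), as an added example that is not part of the thread or of the plugin's own code. The class, method and parameter names are hypothetical, and password quoting is left out; because a mask applies to a whole argument, the complete user/password@instance token is hidden, which is the limitation Daniel Beck raises above.

```java
import hudson.EnvVars;
import hudson.FilePath;
import hudson.Launcher;
import hudson.model.TaskListener;
import hudson.util.ArgumentListBuilder;
import hudson.util.Secret;
import java.io.IOException;

/** Hypothetical helper, not taken from sqlplus-script-runner-plugin. */
public final class MaskedSqlPlusLaunch {

    private MaskedSqlPlusLaunch() {
    }

    /** Builds the sqlplus argument list with the connect string as one masked argument. */
    static ArgumentListBuilder buildArgs(String sqlplusPath, String user, Secret password,
                                         String instance, String scriptPath) {
        ArgumentListBuilder args = new ArgumentListBuilder();
        args.add(sqlplusPath);
        args.add("-L");
        // Masks are per argument: the whole user/password@instance token is
        // replaced in the echoed command line, not just the password part.
        args.addMasked(user + "/" + password.getPlainText() + "@" + instance);
        args.add("@" + scriptPath);
        return args;
    }

    /** Launches sqlplus on the agent and returns its exit code. */
    static int run(Launcher launcher, TaskListener listener, FilePath workspace,
                   EnvVars env, ArgumentListBuilder args)
            throws IOException, InterruptedException {
        // cmds(ArgumentListBuilder) passes the mask array along with the
        // arguments, so no wrapper script or environment variable is needed.
        return launcher.launch()
                .cmds(args)
                .envs(env)
                .pwd(workspace)
                .stdout(listener)
                .join();
    }
}
```

The mask only affects the command line that Launcher echoes into the build log; anything sqlplus itself prints is not filtered, and the argument is still visible in the agent's process list while the process runs.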
