[ https://issues.jenkins-ci.org/browse/JENKINS-10326?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=159014#comment-159014 ]

Rob Petti commented on JENKINS-10326:
-------------------------------------

No progress has been made, mostly because it isn't an issue so long as your 
server is secure. If you want, you can look at the PerforceTagAction 
implementation. It should be changed so that instead of storing the Depot 
object as a member variable, it calls getDepot on the PerforceSCM object for 
the project in question when it's needed. That will prevent the password from 
being serialized in plain text, while still allowing tagging to work. At least 
that's the theory...

I should point out that this is only an issue if you grant access to the build 
metadata in the first place (i.e., the build.xml files within the Jenkins home 
directory). It's important to realize that if other people have access to the 
Jenkins XML files, fixing this issue _will not make your server any more 
secure_. The password is still stored in encrypted form in the project config 
xml, but it's easily decrypted by someone who knows where to look for the 
decryption algorithm.
                
> Password is exposed in build metadata.
> --------------------------------------
>
>                 Key: JENKINS-10326
>                 URL: https://issues.jenkins-ci.org/browse/JENKINS-10326
>             Project: Jenkins
>          Issue Type: Bug
>          Components: perforce
>         Environment: Perforce Plugin 1.2.8
>            Reporter: Rob Petti
>            Assignee: Rob Petti
>            Priority: Critical
>
> I've recently discovered that the perforce plugin stores the perforce 
> password plain text in the build.xml files used for serializing build 
> information. This seems to be a side effect of the PerforceTagAction 
> including the Depot object for later use during tagging, which has the 
> password inside it. This may or may not depend upon JENKINS-2947, as that 
> would eliminate the need for the Depot object to be stored.

--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators: 
https://issues.jenkins-ci.org/secure/ContactAdministrators!default.jspa
For more information on JIRA, see: http://www.atlassian.com/software/jira
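The following stand-alone Java program is an added illustration of the fix described in the comment above; it is not code from the Perforce plugin or from Jenkins. It uses plain java.io serialization in place of the XML serialization Jenkins performs when it writes build.xml, and the classes Depot, ScmConfig, ProjectRegistry, LeakyTagAction and FixedTagAction are hypothetical stand-ins for the plugin's Depot, PerforceSCM and PerforceTagAction. The leaky action keeps the Depot as a member, so the password is written out with the build record; the fixed action keeps only the project name and resolves the Depot from the project's SCM configuration when tagging needs it, which is the change the comment proposes.

```java
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.ObjectOutputStream;
import java.io.Serializable;
import java.nio.charset.StandardCharsets;
import java.util.HashMap;
import java.util.Map;

/* Hypothetical stand-in for the plugin's Depot: a connection object that
 * carries the Perforce password. Not the plugin's class. */
class Depot implements Serializable {
    private static final long serialVersionUID = 1L;
    final String user;
    final String password;
    Depot(String user, String password) { this.user = user; this.password = password; }
}

/* Hypothetical stand-in for PerforceSCM: the project-level SCM configuration
 * that owns the Depot. */
class ScmConfig {
    private final Depot depot;
    ScmConfig(Depot depot) { this.depot = depot; }
    Depot getDepot() { return depot; }
}

/* Hypothetical lookup standing in for "the PerforceSCM object for the project
 * in question". In Jenkins this would come from the project, not a static map. */
class ProjectRegistry {
    private static final Map<String, ScmConfig> byProject = new HashMap<>();
    static void register(String project, ScmConfig scm) { byProject.put(project, scm); }
    static ScmConfig scmFor(String project) { return byProject.get(project); }
}

/* The pattern the bug describes: the per-build action holds the Depot itself,
 * so serializing the action (as Jenkins does for build.xml) serializes the
 * password along with it. */
class LeakyTagAction implements Serializable {
    private static final long serialVersionUID = 1L;
    final String project;
    final Depot depot;  // password travels with the build record
    LeakyTagAction(String project, Depot depot) { this.project = project; this.depot = depot; }
    Depot depotForTagging() { return depot; }
}

/* The proposed fix: keep only the project name and resolve the Depot from the
 * project's SCM configuration at the moment tagging needs it. */
class FixedTagAction implements Serializable {
    private static final long serialVersionUID = 1L;
    final String project;
    FixedTagAction(String project) { this.project = project; }
    Depot depotForTagging() { return ProjectRegistry.scmFor(project).getDepot(); }
}

public class TagActionSerialization {
    static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream oos = new ObjectOutputStream(bos)) {
            oos.writeObject(o);
        }
        return bos.toByteArray();
    }

    /* Java serialization writes String fields as modified UTF-8, so a plaintext
     * password in a serialized field is found by a plain substring search over
     * the bytes, the same way it would be found by grepping a build.xml. */
    static boolean containsSecret(byte[] serialized, String secret) {
        return new String(serialized, StandardCharsets.ISO_8859_1).contains(secret);
    }

    public static void main(String[] args) throws IOException {
        String password = "p4ssw0rd-constructed";  // constructed sample credential
        Depot depot = new Depot("builder", password);
        ProjectRegistry.register("my-project", new ScmConfig(depot));

        byte[] leaky = serialize(new LeakyTagAction("my-project", depot));
        byte[] fixed = serialize(new FixedTagAction("my-project"));

        System.out.println("leaky action exposes password: " + containsSecret(leaky, password));
        System.out.println("fixed action exposes password: " + containsSecret(fixed, password));

        // Tagging still has what it needs: the Depot is resolved on demand,
        // from the live SCM configuration rather than from the build record.
        System.out.println("fixed action resolves depot for user: "
                + new FixedTagAction("my-project").depotForTagging().user);
    }
}
```

The check is deliberately a substring search over the raw serialized bytes rather than a deserialize-and-inspect step, because that is how the exposure matters in practice: anyone who can read the build.xml files can read the password without any tooling. As the comment notes, this change only removes the copy in the build records; the project config still holds the credential, so restricting read access to the Jenkins home directory is what actually protects it.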