Hi,

I tried to upgrade *Jenkins core*, *org.jenkins-ci.plugins:plugin*, but I 
still got the same results.  =/

Since I am using *hudson.Launcher* and the main reason to fix the security 
issue is to hide a command line password, how can I get the output and do a 
replace (something like *logString.replace('password', '****')*) 
before it goes to the final output?

Thanks.

On Friday, November 6, 2020 at 10:19:41 UTC-3, Fernando Boaglio 
wrote:

> Hi Daniel,
>
> Even removing all double quotes I got the same error.
>
> Jenkins:
> [image: image.png]
>
> CMD:
> [image: image.png]
>
>
> I am already using hudson.Launcher (please check line 467 
> <https://github.com/jenkinsci/sqlplus-script-runner-plugin/blob/master/src/main/java/org/jenkinsci/plugins/sqlplus/script/runner/SQLPlusRunner.java>).
>  
>
>
> Since this plugin is based on Jenkins 2.176.3 , maybe I can try to use a 
> newer one... any suggestions ?
>
> Thanks. 
>
>
> On Thu, Nov 5, 2020 at 3:53 PM Daniel Beck <db...@cloudbees.com> wrote:
>
>> I would look into Windows batch quoting rules. I think the double quotes 
>> become part of the actual value or some other weirdness. Ideally you could 
>> write a small tool that just echoes the command line args it receives, and 
>> then use that in place of sqlplus to see what actually gets passed to the 
>> application.
>>
>> Alternatively, you may be able to switch from wrapper scripts to launch 
>> your programs using hudson.Launcher but I'm not sure how well the 
>> masking would work as a part of an argument without masking the entire 
>> argument.
>>
>>
>> On Thu, Nov 5, 2020 at 6:52 PM Fernando Boaglio <boa...@gmail.com> wrote:
>>
>>> Hi,
>>>
>>> How are you today ?
>>>
>>> I am the sqlplus-script-runner plugin maintainer; this plugin is 
>>> basically a wrapper to use Oracle SQL Plus 
>>> <https://en.wikipedia.org/wiki/SQL_Plus> from the command line. 
>>>
>>> This plugin has been around since 2015, and due to a recent security issue 
>>> <https://issues.jenkins-ci.org/browse/SECURITY-2129>, I did a 
>>> workaround/fix to hide the user's password.
>>>
>>> - Before release 2.0.12:
>>>
>>> <sqlplus>  user/"password"@databaseInstance  @customSQLscript
>>>
>>> - Current release 2.0.13:
>>>
>>> HIDDING_PASSWORD=password (by envVars.put)
>>>
>>> Linux: *<sqlplus>  user/"$HIDDING_PASSWORD"@databaseInstance  
>>> @customSQLscript*
>>> Windows: <sqlplus>  user/"%HIDDING_PASSWORD%"@databaseInstance  
>>> @customSQLscript
>>>
>>> *Linux*: works flawlessly
>>> *Windows*: doesn't work, I get invalid user/password, some users can't 
>>> use it 
>>> <https://github.com/jenkinsci/sqlplus-script-runner-plugin/issues/55>
>>>
>>> Example:
>>> C:\instantclient\bin\sqlplus.exe -L fb/"%HIDDEN_PASSWORD%"@XE 
>>> @c:\jenkins\workspace\test-sql-slave\temp-script-16045792671955150761487514970585.sql
>>>  
>>>
>>> ERROR: *ORA-01017: invalid username/password; logon denied*
>>>
>>> I tried to create another file (sqlplus.cmd) to check if HIDDEN_PASSWORD 
>>> variable is correct and I got no errors.
>>>
>>> *File sqlplus.cmd:*
>>>
>>> echo " CMD "
>>> echo HIDDEN_PASSWORD=fb
>>> echo ORACLE_HOME=C:\instantclient
>>> cd C:\instantclient\
>>> C:\instantclient\sqlplus.exe fb/"%HIDDEN_PASSWORD%"@XE @C:\instantclient\teste.sql
>>>
>>> *Output:*
>>>
>>> c:\jenkins\workspace\test-sql-slave>echo " CMD "
>>> " CMD "
>>> c:\jenkins\workspace\test-sql-slave>echo HIDDEN_PASSWORD=fb
>>> HIDDEN_PASSWORD=fb
>>> c:\jenkins\workspace\test-sql-slave>echo ORACLE_HOME=C:\instantclient
>>> ORACLE_HOME=C:\instantclient
>>> c:\jenkins\workspace\test-sql-slave>cd C:\instantclient\
>>> C:\instantclient>C:\instantclient\sqlplus.exe fb/"fb"@XE @C:\instantclient\teste.sql
>>> SQL*Plus: Release 19.0.0.0.0 - Production on Thu Nov 5 04:25:23 2020
>>> Version 19.6.0.0.0
>>> Copyright (c) 1982, 2019, Oracle.  All rights reserved.
>>> Connected to:
>>> Oracle Database 11g Express Edition Release 11.2.0.2.0 - 64bit Production
>>> USER is "FB"
>>> Disconnected from Oracle Database 11g Express Edition Release 11.2.0.2.0 - 64bit Production
>>> Processo terminou com status 0
>>> --------------------------------------------------------------------------
>>> Finished: SUCCESS
>>>
>>> I am out of ideas, is there any issue related to EnvVars ? 
>>>
>>> This plugin is based on Jenkins 2.176.3 .
>>>
>>> Thanks for your help =)
>>>
>>> -- 
>>> You received this message because you are subscribed to the Google 
>>> Groups "Jenkins Developers" group.
>>> To unsubscribe from this group and stop receiving emails from it, send 
>>> an email to jenkinsci-de...@googlegroups.com.
>>> To view this discussion on the web visit 
>>> https://groups.google.com/d/msgid/jenkinsci-dev/f25d0a51-ba77-434e-bdf1-367e7ed97c0en%40googlegroups.com
>>>  
>>> <https://groups.google.com/d/msgid/jenkinsci-dev/f25d0a51-ba77-434e-bdf1-367e7ed97c0en%40googlegroups.com?utm_medium=email&utm_source=footer>
>>> .
>>>
>>
>>
>> -- 
>>
>> Daniel Beck
>> Senior Software Engineer
>> CloudBees, Inc.
>>
>>   
>>
>>
>
>
> -- 
>
> Fernando Boaglio boa...@gmail.com | www.boaglio.com
>
>
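
One way to do the replacement asked about at the top of this thread, as an added example that is not code from the plugin or from Jenkins: a plain-JDK stream wrapper that buffers output per line and masks a known secret before passing it on. The class name `SecretMaskingOutputStream`, the sample secret and the UTF-8 encoding are assumptions; where such a stream would be attached in the plugin is not shown on this page.

```java
import java.io.ByteArrayOutputStream;
import java.io.FilterOutputStream;
import java.io.IOException;
import java.io.OutputStream;
import java.nio.charset.StandardCharsets;

// Added example (hypothetical class): masks one known secret in a text stream.
public class SecretMaskingOutputStream extends FilterOutputStream {
    private final String secret;
    private final ByteArrayOutputStream line = new ByteArrayOutputStream();

    public SecretMaskingOutputStream(OutputStream delegate, String secret) {
        super(delegate);
        if (secret == null || secret.isEmpty()) {
            throw new IllegalArgumentException("secret must be non-empty");
        }
        this.secret = secret;
    }

    // FilterOutputStream routes write(byte[], int, int) through this method.
    @Override
    public void write(int b) throws IOException {
        line.write(b);
        if (b == '\n') flushLine();
    }

    // Replace only on a complete line, so a secret split across writes is caught.
    private void flushLine() throws IOException {
        String text = new String(line.toByteArray(), StandardCharsets.UTF_8);
        line.reset();
        out.write(text.replace(secret, "****").getBytes(StandardCharsets.UTF_8));
    }

    // An unfinished line stays buffered; only the delegate is flushed.
    @Override
    public void flush() throws IOException { out.flush(); }

    @Override
    public void close() throws IOException {
        flushLine();      // emit (masked) whatever is left without a newline
        super.close();
    }

    public static void main(String[] args) throws IOException {
        ByteArrayOutputStream log = new ByteArrayOutputStream();
        try (OutputStream masked = new SecretMaskingOutputStream(log, "s3cret")) {
            // Constructed sample: the secret arrives split across two writes.
            masked.write("sqlplus.exe -L fb/\"s3c".getBytes(StandardCharsets.UTF_8));
            masked.write("ret\"@XE @script.sql\n".getBytes(StandardCharsets.UTF_8));
        }
        System.out.print(new String(log.toByteArray(), StandardCharsets.UTF_8));
    }
}
```

Buffering per line matters because a replace applied to each write separately misses a secret that straddles two writes. This only protects the log text; the value is still passed to the child process through its environment.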
