[JIRA] [credentials-binding-plugin] (JENKINS-27631) Do not even temporarily save secrets in Workflow build record

[jgl...@cloudbees.com (JIRA)]

Jesse Glick created JENKINS-27631 Do not even temporarily save secrets in Workflow build record Issue Type: Bug Assignee: Jesse Glick Components: credentials-binding-plugin Created: 26/Mar/15 4:24 PM Description: Currently when you use withCredentials with e.g. UsernamePasswordMultiBinding, the secret is saved in program.dat for the duration of the block. It is later removed, but it would be safer if it were guaranteed to never be persisted at all. That seems to require an API change: either in EnvVars to allow a given variable to be directly marked as secret and thus to be persisted only via Secret, or by lifting up sensitiveBuildVariables from AbstractBuild to Run, or by allowing BodyInvoker.withContext to provide something like an environment variable factory rather than a raw EnvVars. Project: Jenkins Labels: security workflow api Priority: Major Reporter: Jesse Glick

This message is automatically generated by JIRA. If you think it was sent incorrectly, please contact your JIRA administrators. For more information on JIRA, see: http://www.atlassian.com/software/jira

--
You received this message because you are subscribed to the Google Groups "Jenkins Issues" group.
To unsubscribe from this group and stop receiving emails from it, send an email to jenkinsci-issues+unsubscr...@googlegroups.com.
For more options, visit https://groups.google.com/d/optout.