If a user creates a job with a password parameter which stores a default password, another user with only Build and Read privileges can read that stored password from the DOM. This is the contents of the inspected password element:

    <td class="setting-main">
      <div name="parameter" description="Test Password">
        <input type="hidden" value="TEST_PWD" name="name"></input>
        <input class="setting-input " type="password" value="OhNo!" name="value"></input>
      </div>
    </td>

Steps to reproduce
1. Turn on security and create two users, one with all rights and one with only Overall Read, and Job Read and Build.
2. As the privileged user, create a job that takes a password parameter and store a default password against it.
3. As the restricted user, build the job; on the parameter page, inspect the properties of the password field. The element has the value shown in plain text (see above).
Fixed. https://git.eclipse.org/c/hudson/org.eclipse.hudson.core.git/commit/?id=ae41eb6db97845e68ce2173d0ce1b605ef14d82e
Retested with these steps and I can still see the supposedly hidden value in the DOM tree for the hidden element:

    <input name="value" type="password" class="setting-input " value="DONOTSHOW">
There are two places.
- Parameter definition in job configuration. I substitute a dummy password (*****) if the user has no Configure permission, because the user can only view the configuration, not submit it. Seems to be fixed.
- Parameter value setting while starting a build of a job. (Here I cannot substitute a dummy password, otherwise the dummy password will be submitted to run the job, so the password has to be the actual password.) Let me see if I can send an encrypted password while starting a build. The other option is not to allow a default password.
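The two rendering paths described in the comment above, as an added example that is not Hudson's own code: the configuration page shows a dummy to anyone without Configure permission, and the build page emits a one-time opaque token in place of the default so the plaintext never reaches the DOM, with the server exchanging the token for the real value on submit. The token indirection stands in for the "encrypted password" idea in the comment and is an assumption, as are the permission names and the in-memory store.

```python
import html
import secrets

# Constructed permission names; Hudson's real permission identifiers are not used here.
PERM_CONFIGURE = "Job.Configure"
PERM_BUILD = "Job.Build"

DUMMY = "*****"

# Assumed server-side store: opaque token -> real default password.
# It never leaves the server, so the browser only ever sees the token.
_PENDING_DEFAULTS = {}


def render_config_field(default_password, user_perms):
    """Job configuration page.

    A user without Configure permission can only view the form, not submit it,
    so the real default never needs to be in the DOM: emit a dummy instead.
    """
    shown = default_password if PERM_CONFIGURE in user_perms else DUMMY
    return f'<input type="password" name="value" value="{html.escape(shown)}">'


def render_build_field(default_password):
    """Build-with-parameters page.

    The browser must submit something the server can map back to the stored
    default, but the plaintext must not appear in the page source. Emit a
    single-use random token and remember the mapping server-side.
    """
    token = "tok:" + secrets.token_urlsafe(16)
    _PENDING_DEFAULTS[token] = default_password
    return token, f'<input type="password" name="value" value="{html.escape(token)}">'


def resolve_submitted_value(submitted):
    """On job start, exchange a known token for the real default.

    A value the user typed themselves (or an unknown/already-used token) is
    passed through unchanged, so tokens cannot be replayed to recover the secret.
    """
    return _PENDING_DEFAULTS.pop(submitted, submitted)


if __name__ == "__main__":
    # Constructed sample values matching the report above.
    restricted = {"Overall.Read", "Job.Read", PERM_BUILD}
    print(render_config_field("OhNo!", restricted))      # dummy, no plaintext
    token, field = render_build_field("OhNo!")
    print(field)                                         # token, no plaintext
    print(resolve_submitted_value(token))                # server recovers "OhNo!"
```

The check a reviewer would run against the fix is the same as the one in the report: view the rendered build form as the restricted user and confirm the password string does not occur anywhere in the page source, then confirm the job still receives the real default when started.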
The Eclipse Hudson project has been terminated and archived.