SECURITY-3499

Author: Kevin-CB

pom.xml

@@ -5,7 +5,7 @@
   <parent>
     <groupId>org.jenkins-ci.plugins</groupId>
     <artifactId>plugin</artifactId>
-    <version>5.1</version>
+    <version>5.9</version>
     <relativePath/>
   </parent>
 
@@ -17,8 +17,11 @@
   <url>https://github.com/jenkinsci/${project.artifactId}-plugin</url>
   <properties>
     <changelist>999999-SNAPSHOT</changelist>
-    <jenkins.version>2.479</jenkins.version>
+    <!-- https://www.jenkins.io/doc/developer/plugin-development/choosing-jenkins-baseline/ -->
+    <jenkins.baseline>2.479</jenkins.baseline>
+    <jenkins.version>${jenkins.baseline}.3</jenkins.version>
     <gitHubRepo>jenkinsci/${project.artifactId}-plugin</gitHubRepo>
+    <useBeta>true</useBeta> <!-- FailureHandler -->
   </properties>
   <licenses>
     <license>
@@ -51,11 +54,23 @@
     <dependencies>
       <dependency>
         <groupId>io.jenkins.tools.bom</groupId>
-        <artifactId>bom-2.462.x</artifactId>
-        <version>3435.v238d66a_043fb_</version>
+        <artifactId>bom-${jenkins.baseline}.x</artifactId>
+        <version>4488.v7fe26526366e</version>
         <scope>import</scope>
         <type>pom</type>
       </dependency>
+      <!-- TODO: Remove once the BOM has caught up -->
+      <dependency>
+        <groupId>org.jenkins-ci.plugins.workflow</groupId>
+        <artifactId>workflow-step-api</artifactId>
+        <version>704.ve4f0967e98fa_</version>
+      </dependency>
+      <!-- TODO: Remove once the BOM has caught up -->
+      <dependency>
+        <groupId>org.jenkins-ci.plugins.workflow</groupId>
+        <artifactId>workflow-cps</artifactId>
+        <version>4106.4108.v841a_e1819d4d</version>
+      </dependency>
     </dependencies>
   </dependencyManagement>
   <dependencies>

src/main/java/org/jenkinsci/plugins/credentialsbinding/impl/BindingStep.java

@@ -57,6 +57,7 @@
 import org.jenkinsci.plugins.workflow.steps.BodyExecutionCallback;
 import org.jenkinsci.plugins.workflow.steps.BodyInvoker;
 import org.jenkinsci.plugins.workflow.steps.EnvironmentExpander;
+import org.jenkinsci.plugins.workflow.steps.FailureHandler;
 import org.jenkinsci.plugins.workflow.steps.GeneralNonBlockingStepExecution;
 import org.jenkinsci.plugins.workflow.steps.MissingContextVariableException;
 import org.jenkinsci.plugins.workflow.steps.Step;
@@ -140,13 +141,32 @@ private void doStart() throws Exception {
                     v -> unix ? "$" + v : "%" + v + "%"
                 ).collect(Collectors.joining(" or ")));
             }
+
             getContext().newBodyInvoker().
                     withContext(EnvironmentExpander.merge(getContext().get(EnvironmentExpander.class), new Overrider(secretOverrides, publicOverrides))).
                     withContext(BodyInvoker.mergeConsoleLogFilters(getContext().get(ConsoleLogFilter.class), new Filter(secretOverrides.values(), run.getCharset().name()))).
+                    withContext(FailureHandler.merge(getContext().get(FailureHandler.class), new Handler(secretOverrides.values()))).
                     withCallback(new Callback2(unbinders)).
                     start();
         }
 
+        private static final class Handler implements FailureHandler {
+
+            private static final long serialVersionUID = 1;
+
+            private final Secret secretPattern;
+
+            Handler(Collection<String> secrets) {
+                this.secretPattern = Secret.fromString(SecretPatterns.getAggregateSecretPattern(secrets).pattern());
+            }
+
+            @NonNull
+            @Override
+            public Throwable handle(@NonNull StepContext ctx, @NonNull Throwable t) {
+                return MaskedException.of(t, Pattern.compile(secretPattern.getPlainText()));
+            }
+        }
+
         private final class Callback2 extends TailCall {
 
             private static final long serialVersionUID = 1;

src/main/java/org/jenkinsci/plugins/credentialsbinding/impl/MaskedException.java

@@ -0,0 +1,43 @@
+package org.jenkinsci.plugins.credentialsbinding.impl;
+
+import edu.umd.cs.findbugs.annotations.NonNull;
+import hudson.Functions;
+
+import java.util.HashSet;
+import java.util.Objects;
+import java.util.Set;
+import java.util.regex.Pattern;
+
+final class MaskedException extends Exception {
+    private static final long serialVersionUID = 1L;
+
+    static Throwable of(@NonNull Throwable unmasked, Pattern pattern) {
+        return of(unmasked, new HashSet<>(), pattern);
+    }
+
+    private static Throwable of(@NonNull Throwable unmasked, @NonNull Set<Throwable> visited, Pattern pattern) {
+        if (!visited.add(unmasked)) {
+            return new Exception("cycle");
+        }
+        var text = Functions.printThrowable(unmasked);
+        if (pattern.matcher(text).find()) {
+            var masked = new MaskedException(pattern.matcher(Objects.requireNonNullElse(unmasked.getMessage(), "")).replaceAll("****"));
+            masked.setStackTrace(unmasked.getStackTrace());
+            var cause = unmasked.getCause();
+            if (cause != null) {
+                masked.initCause(of(cause, visited, pattern));
+            }
+            for (var suppressed : unmasked.getSuppressed()) {
+                masked.addSuppressed(of(suppressed, visited, pattern));
+            }
+            return masked;
+        } else {
+            return unmasked;
+        }
+    }
+
+    private MaskedException(String message) {
+        super(message);
+    }
+
+}

src/test/java/org/jenkinsci/plugins/credentialsbinding/impl/BindingStepTest.java

@@ -46,24 +46,31 @@
 import java.io.File;
 import java.io.FileNotFoundException;
 import java.io.IOException;
+import java.io.PrintWriter;
+import java.io.StringWriter;
 import java.nio.charset.StandardCharsets;
 import java.nio.file.NoSuchFileException;
 import java.util.Collections;
 import java.util.Set;
 import java.util.TreeSet;
+import java.util.stream.Collectors;
+
 import jenkins.security.QueueItemAuthenticator;
 import jenkins.security.QueueItemAuthenticatorConfiguration;
 import org.apache.commons.io.FileUtils;
 import static org.hamcrest.MatcherAssert.assertThat;
+import static org.hamcrest.Matchers.containsString;
 import static org.hamcrest.Matchers.equalTo;
 import static org.hamcrest.Matchers.hasItem;
 import static org.hamcrest.Matchers.is;
+import static org.hamcrest.Matchers.not;
 import static org.hamcrest.Matchers.notNullValue;
 import static org.hamcrest.Matchers.nullValue;
 import org.jenkinsci.plugins.plaincredentials.StringCredentials;
 import org.jenkinsci.plugins.plaincredentials.impl.FileCredentialsImpl;
 import org.jenkinsci.plugins.plaincredentials.impl.StringCredentialsImpl;
 import org.jenkinsci.plugins.workflow.actions.ArgumentsAction;
+import org.jenkinsci.plugins.workflow.actions.ErrorAction;
 import org.jenkinsci.plugins.workflow.cps.CpsFlowDefinition;
 import org.jenkinsci.plugins.workflow.cps.SnippetizerTester;
 import org.jenkinsci.plugins.workflow.flow.FlowExecution;
@@ -460,6 +467,103 @@ public void usernameUnmaskedInStepArguments() throws Throwable {
             r.assertLogContains("got: P#1", r.assertBuildStatusSuccess(p.scheduleBuild2(0).get()));
         });
     }
+
+    @Issue("SECURITY-3499")
+    @Test public void maskingExceptionInError() throws Throwable {
+        rr.then(r -> {
+            CredentialsProvider.lookupStores(r.jenkins).iterator().next().addCredentials(Domain.global(), new StringCredentialsImpl(CredentialsScope.GLOBAL, "creds", "sample", Secret.fromString("s3cr3t")));
+            var p = r.jenkins.createProject(WorkflowJob.class, "p");
+            p.setDefinition(new CpsFlowDefinition(
+                    """
+                            withCredentials([string(credentialsId: 'creds', variable: 'SECRET')]) {
+                                error(/should not mention $SECRET/)
+                            }
+                            """, true));
+            var b = r.buildAndAssertStatus(Result.FAILURE, p);
+            r.assertLogNotContains("s3cr3t", b);
+            r.assertLogContains("should not mention ****", b);
+            assertErrorActionsDoNotContainString(b, "s3cr3t");
+        });
+    }
+
+    @Issue("SECURITY-3499")
+    @Test public void maskingExceptionInNestedError() throws Throwable {
+        rr.then(r -> {
+            CredentialsProvider.lookupStores(r.jenkins).iterator().next().addCredentials(Domain.global(), new StringCredentialsImpl(CredentialsScope.GLOBAL, "creds", "sample", Secret.fromString("s3cr3t")));
+            var p = r.jenkins.createProject(WorkflowJob.class, "p");
+            p.setDefinition(new CpsFlowDefinition(
+                    """
+                            withCredentials([string(credentialsId: 'creds', variable: 'SECRET')]) {
+                                try {
+                                    error(/nested exception should not mention $SECRET/)
+                                }
+                                catch (err) {
+                                    throw new Exception("normal exception should not mention $SECRET", err)
+                                }
+                            }
+                            """, false));
+            var b = r.buildAndAssertStatus(Result.FAILURE, p);
+            r.assertLogNotContains("s3cr3t", b);
+            r.assertLogContains("nested exception should not mention ****", b);
+            r.assertLogContains("normal exception should not mention ****", b);
+            assertErrorActionsDoNotContainString(b, "s3cr3t");
+        });
+    }
+
+    @Issue("SECURITY-3499")
+    @Test public void maskingExceptionInSuppressedError() throws Throwable {
+        rr.then(r -> {
+            CredentialsProvider.lookupStores(r.jenkins).iterator().next().addCredentials(Domain.global(), new StringCredentialsImpl(CredentialsScope.GLOBAL, "creds", "sample", Secret.fromString("s3cr3t")));
+            var p = r.jenkins.createProject(WorkflowJob.class, "p");
+            p.setDefinition(new CpsFlowDefinition(
+                    """
+                            withCredentials([string(credentialsId: 'creds', variable: 'SECRET')]) {
+                                def main = new Exception("normal exception should not mention $SECRET")
+                                main.addSuppressed(new Exception("suppressed exception should not mention $SECRET"))
+                                throw main
+                            }
+                            """, false));
+            var b = r.buildAndAssertStatus(Result.FAILURE, p);
+            r.assertLogNotContains("s3cr3t", b);
+            r.assertLogContains("suppressed exception should not mention ****", b);
+            r.assertLogContains("normal exception should not mention ****", b);
+            assertErrorActionsDoNotContainString(b, "s3cr3t");
+        });
+    }
+
+    @Issue("SECURITY-3499")
+    @Test public void maskingExceptionForIncorrectArgs() throws Throwable {
+        rr.then(r -> {
+            CredentialsProvider.lookupStores(r.jenkins).iterator().next().addCredentials(Domain.global(), new StringCredentialsImpl(CredentialsScope.GLOBAL, "creds", "sample", Secret.fromString("s3cr3t")));
+            var p = r.jenkins.createProject(WorkflowJob.class, "p");
+            p.setDefinition(new CpsFlowDefinition(
+                    """
+                            withCredentials([string(credentialsId: 'creds', variable: 'SECRET')]) {
+                                writeFile([file: "creds.txt", text: "${SECRET}", encoding: 'Base64']) {
+                                }
+                            }
+                            """, false));
+            var b = r.buildAndAssertStatus(Result.FAILURE, p);
+            r.assertLogNotContains("s3cr3t", b);
+            r.assertLogContains("text=****", b);
+            assertErrorActionsDoNotContainString(b, "s3cr3t");
+        });
+    }
+
+    private void assertErrorActionsDoNotContainString(WorkflowRun b, String needle) {
+        var errorActionStackTraces = new DepthFirstScanner().allNodes(b.getExecution()).stream()
+                .map(n -> n.getPersistentAction(ErrorAction.class))
+                .filter(ea -> ea != null)
+                .map(ea -> ea.getError())
+                .map(t -> {
+                    var writer = new StringWriter();
+                    t.printStackTrace(new PrintWriter(writer));
+                    return writer.toString();
+                })
+                .collect(Collectors.toList());
+        assertThat(errorActionStackTraces, not(hasItem(containsString(needle))));
+    }
+
     private static final class SpecialCredentials extends BaseStandardCredentials implements StringCredentials {
         private Run<?, ?> build;
         SpecialCredentials(CredentialsScope scope, String id, String description) {