poc 2 that uses callback

jenkinsci · Jul 28, 2020 · 5440970 · 5440970
1 parent 7773288
commit 5440970
Show file tree

Hide file tree

Showing 2 changed files with 21 additions and 1 deletion.
diff --git a/pom.xml b/pom.xml
@@ -77,6 +77,7 @@
     <dependency>
       <groupId>org.jenkins-ci.plugins.workflow</groupId>
       <artifactId>workflow-step-api</artifactId>
+      <version>2.23-SNAPSHOT</version>
     </dependency>
     <dependency>
       <groupId>org.jenkins-ci.plugins</groupId>

diff --git a/src/main/java/org/jenkinsci/plugins/credentialsbinding/impl/BindingStep.java b/src/main/java/org/jenkinsci/plugins/credentialsbinding/impl/BindingStep.java
@@ -37,6 +37,7 @@
 import java.io.IOException;
 import java.io.ObjectStreamException;
 import java.io.OutputStream;
+import java.io.PrintStream;
 import java.io.Serializable;
 import java.util.ArrayList;
 import java.util.Arrays;
@@ -67,6 +68,7 @@
 import org.jenkinsci.plugins.workflow.steps.StepExecution;
 import org.kohsuke.stapler.DataBoundConstructor;
 
+import javax.annotation.CheckForNull;
 import javax.annotation.Nonnull;
 
 /**
@@ -172,6 +174,7 @@ private static final class Overrider extends EnvironmentExpander {
         private static final long serialVersionUID = 1;
 
         private final Map<String,Secret> overrides = new HashMap<String,Secret>();
+        private final Set<String> foundVars = new HashSet<>();
 
         Overrider(Map<String,String> overrides) {
             for (Map.Entry<String,String> override : overrides.entrySet()) {
@@ -183,10 +186,26 @@ private static final class Overrider extends EnvironmentExpander {
             for (Map.Entry<String,Secret> override : overrides.entrySet()) {
                 String keyOverride = override.getKey();
                 env.override(keyOverride, override.getValue().getPlainText());
-                env.setWatchedVar(keyOverride);
+                this.watch(keyOverride, override.getValue().getPlainText());
             }
         }
 
+        @CheckForNull
+        @Override
+        public List<String> findWatchedVars(String text) {
+            List<String> hits = super.findWatchedVars(text);
+            if (hits != null) {
+                foundVars.addAll(hits);
+            }
+            return hits;
+        }
+
+        @Override public void callback(PrintStream stream) {
+            if (!foundVars.isEmpty()) {
+                stream.println("The following Groovy string may be insecure. Use single quotes to prevent leaking secrets via Groovy interpolation. Affected variables: "  + foundVars.toString());
+                foundVars.clear();
+            }
+        }
     }
 
     /** Similar to {@code MaskPasswordsOutputStream}. */