diff --git a/pom.xml b/pom.xml
index 86d3238f..0d5f6397 100644
--- a/pom.xml
+++ b/pom.xml
@@ -77,6 +77,7 @@
org.jenkins-ci.plugins.workflow
workflow-step-api
+ 2.23-SNAPSHOT
org.jenkins-ci.plugins
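Review bot: The version added for workflow-step-api, `2.23-SNAPSHOT`, is an unreleased and mutable artifact, so the same commit can build against different code depending on what the snapshot repository serves that day. The secret-leak warning in BindingStep.java appears to rely on APIs from this dependency (`watch`, `findWatchedVars`, `callback`), so the behaviour of a security feature would track an unpinned build. Before this is merged or released, the version should be replaced with the released workflow-step-api version that contains those methods. The surrounding dependency element is not fully visible in this hunk.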
diff --git a/src/main/java/org/jenkinsci/plugins/credentialsbinding/impl/BindingStep.java b/src/main/java/org/jenkinsci/plugins/credentialsbinding/impl/BindingStep.java
index 74b19721..742c1718 100644
--- a/src/main/java/org/jenkinsci/plugins/credentialsbinding/impl/BindingStep.java
+++ b/src/main/java/org/jenkinsci/plugins/credentialsbinding/impl/BindingStep.java
@@ -37,6 +37,7 @@
import java.io.IOException;
import java.io.ObjectStreamException;
import java.io.OutputStream;
+import java.io.PrintStream;
import java.io.Serializable;
import java.util.ArrayList;
import java.util.Arrays;
@@ -67,6 +68,7 @@
import org.jenkinsci.plugins.workflow.steps.StepExecution;
import org.kohsuke.stapler.DataBoundConstructor;
+import javax.annotation.CheckForNull;
import javax.annotation.Nonnull;
/**
@@ -172,6 +174,7 @@ private static final class Overrider extends EnvironmentExpander {
private static final long serialVersionUID = 1;
private final Map overrides = new HashMap();
+ private final Set foundVars = new HashSet<>();
Overrider(Map overrides) {
for (Map.Entry override : overrides.entrySet()) {
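Review bot: The new `foundVars` field is added to a class that declares `serialVersionUID = 1`, so an `Overrider` deserialized from state saved before this change will have `foundVars == null`, because field initializers do not run during Java deserialization. `findWatchedVars` and `callback` would then throw a NullPointerException on a pipeline resumed across the upgrade, unless a `readResolve` outside this hunk repairs the field. Consider declaring it `private transient Set<String> foundVars;` and creating it lazily on first use, which also keeps the warning bookkeeping out of the persisted program state. If `findWatchedVars` and `callback` can be invoked from different threads, which is not visible here, a plain `HashSet` would also need synchronization.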
@@ -183,10 +186,26 @@ private static final class Overrider extends EnvironmentExpander {
for (Map.Entry override : overrides.entrySet()) {
String keyOverride = override.getKey();
env.override(keyOverride, override.getValue().getPlainText());
- env.setWatchedVar(keyOverride);
+ this.watch(keyOverride, override.getValue().getPlainText());
}
}
+ @CheckForNull
+ @Override
+ public List findWatchedVars(String text) {
+ List hits = super.findWatchedVars(text);
+ if (hits != null) {
+ foundVars.addAll(hits);
+ }
+ return hits;
+ }
+
+ @Override public void callback(PrintStream stream) {
+ if (!foundVars.isEmpty()) {
+ stream.println("The following Groovy string may be insecure. Use single quotes to prevent leaking secrets via Groovy interpolation. Affected variables: " + foundVars.toString());
+ foundVars.clear();
+ }
+ }
}
/** Similar to {@code MaskPasswordsOutputStream}. */
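Review bot: The call `this.watch(keyOverride, override.getValue().getPlainText())` hands the decrypted secret to the superclass, whereas the `overrides` map in this class holds the values as `Secret` objects. The superclass is not visible in this diff, but if `watch` stores the value in a non-transient field of this serializable expander, the plaintext would be written to the persisted build state on disk. It is worth confirming that the watched values are kept transient or as `Secret`, and adding a comment at the call such as `// watch() must not persist the plaintext; see EnvironmentExpander`. The enclosing method starts above this hunk, and the loop runs on every call, so the same plaintext is also re-registered each time.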