From 5440970db782faad9730dba2b6994f3e3acffd3a Mon Sep 17 00:00:00 2001
From: Carroll Chiou
Date: Tue, 28 Jul 2020 16:00:26 -0700
Subject: [PATCH] poc 2 that uses callback
---
 pom.xml | 1 +
 .../credentialsbinding/impl/BindingStep.java | 21 ++++++++++++++++++-
 2 files changed, 21 insertions(+), 1 deletion(-)
diff --git a/pom.xml b/pom.xml
index 86d3238f..0d5f6397 100644
--- a/pom.xml
+++ b/pom.xml
@@ -77,6 +77,7 @@
 org.jenkins-ci.plugins.workflow
 workflow-step-api
+ 2.23-SNAPSHOT
 org.jenkins-ci.plugins
diff --git a/src/main/java/org/jenkinsci/plugins/credentialsbinding/impl/BindingStep.java b/src/main/java/org/jenkinsci/plugins/credentialsbinding/impl/BindingStep.java
index 74b19721..742c1718 100644
--- a/src/main/java/org/jenkinsci/plugins/credentialsbinding/impl/BindingStep.java
+++ b/src/main/java/org/jenkinsci/plugins/credentialsbinding/impl/BindingStep.java
@@ -37,6 +37,7 @@
 import java.io.IOException;
 import java.io.ObjectStreamException;
 import java.io.OutputStream;
+import java.io.PrintStream;
 import java.io.Serializable;
 import java.util.ArrayList;
 import java.util.Arrays;
@@ -67,6 +68,7 @@
 import org.jenkinsci.plugins.workflow.steps.StepExecution;
 import org.kohsuke.stapler.DataBoundConstructor;
+import javax.annotation.CheckForNull;
 import javax.annotation.Nonnull;
 /**
@@ -172,6 +174,7 @@ private static final class Overrider extends EnvironmentExpander {
 private static final long serialVersionUID = 1;
 private final Map overrides = new HashMap();
+ private final Set foundVars = new HashSet<>();
 Overrider(Map overrides) {
 for (Map.Entry override : overrides.entrySet()) {
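Review bot: `foundVars` is a non-transient `HashSet` on a class that declares `serialVersionUID`, so it is serialized with the expander, and it is mutated in `findWatchedVars` and cleared in `callback` (both in the later hunk) with no synchronization. Whether those two methods can be called from different threads is not visible in this patch; if they can, a concurrent set such as `ConcurrentHashMap.newKeySet()` avoids lost or duplicated warnings. A one-line comment on the field, for example `// variable names only, never secret values`, would keep secret material from being added to it later. The class body continues outside this hunk.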
@@ -183,10 +186,26 @@ private static final class Overrider extends EnvironmentExpander {
 for (Map.Entry override : overrides.entrySet()) {
 String keyOverride = override.getKey();
 env.override(keyOverride, override.getValue().getPlainText());
- env.setWatchedVar(keyOverride);
+ this.watch(keyOverride, override.getValue().getPlainText());
 }
 }
+ @CheckForNull
+ @Override
+ public List findWatchedVars(String text) {
+ List hits = super.findWatchedVars(text);
+ if (hits != null) {
+ foundVars.addAll(hits);
+ }
+ return hits;
+ }
+
+ @Override public void callback(PrintStream stream) {
+ if (!foundVars.isEmpty()) {
+ stream.println("The following Groovy string may be insecure. Use single quotes to prevent leaking secrets via Groovy interpolation. Affected variables: " + foundVars.toString());
+ foundVars.clear();
+ }
+ }
 }
 /** Similar to {@code MaskPasswordsOutputStream}. */
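Review bot: `this.watch(keyOverride, override.getValue().getPlainText())` passes the decrypted credential to a superclass method whose handling of it is not shown in this patch, whereas the removed `env.setWatchedVar(keyOverride)` passed only the name. `Overrider` appears to hold its values as `Secret` (the loop calls `getPlainText()`) and declares `serialVersionUID`, so if `watch` keeps the string in a field, the cleartext would be written out with the expander when the build state is saved. Confirm that `watch` retains nothing reversible and record that at the call, for example `// watch() must not retain the plaintext; this expander is serialized`. The warning in `callback` prints only the variable names in `foundVars`, which is the right boundary and should stay that way. The method containing the changed loop starts outside the hunk.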