jenkinsci · jglick · May 31, 2019 · Apr 9, 2019 · May 3, 2019 · May 3, 2019
@@ -5,7 +5,7 @@
   <parent>
     <groupId>org.jenkins-ci.plugins</groupId>
     <artifactId>plugin</artifactId>
-    <version>3.42</version>
+    <version>3.43</version>
     <relativePath />
   </parent>
 
@@ -95,13 +95,13 @@
     <dependency>
       <groupId>org.jenkins-ci.plugins.workflow</groupId>
       <artifactId>workflow-durable-task-step</artifactId>
-      <version>2.5</version>
+      <version>2.12</version>
       <scope>test</scope>
     </dependency>
     <dependency>
       <groupId>org.jenkins-ci.plugins</groupId>
       <artifactId>durable-task</artifactId>
-      <version>1.13</version>
+      <version>1.14</version>
       <scope>test</scope>
     </dependency>
     <dependency>

@@ -37,22 +37,15 @@
 import java.io.FileNotFoundException;
 import java.io.IOException;
 import java.io.Serializable;
-import java.util.ArrayList;
-import java.util.Collection;
 import java.util.Collections;
-import java.util.Comparator;
 import java.util.LinkedHashMap;
-import java.util.List;
 import java.util.Map;
 import java.util.Set;
-import java.util.regex.Pattern;
 import javax.annotation.Nonnull;
 import javax.annotation.Nullable;
 
 import jenkins.model.Jenkins;
 import org.jenkinsci.plugins.credentialsbinding.impl.CredentialNotFoundException;
-import org.kohsuke.accmod.Restricted;
-import org.kohsuke.accmod.restrictions.NoExternalUse;
 import org.kohsuke.stapler.DataBoundConstructor;
 
 /**
@@ -169,32 +162,4 @@ public abstract MultiEnvironment bind(@Nonnull Run<?,?> build,
         return (BindingDescriptor<C>) super.getDescriptor();
     }
 
-    private static final Comparator<String> stringLengthComparator = new Comparator<String>() {
-        @Override
-        public int compare(String o1, String o2) {
-            return o2.length() - o1.length();
-        }
-    };
-
-    /**
-     * Utility method for turning a collection of secret strings into a single {@link String} for pattern compilation.
-     * @param secrets A collection of secret strings
-     * @return A {@link String} generated from that collection.
-     */
-    @Restricted(NoExternalUse.class)
-    public static String getPatternStringForSecrets(Collection<String> secrets) {
-        StringBuilder b = new StringBuilder();
-        List<String> sortedByLength = new ArrayList<String>(secrets);
-        Collections.sort(sortedByLength, stringLengthComparator);
-
-        for (String secret : sortedByLength) {
-            if (!secret.isEmpty()) {
-                if (b.length() > 0) {
-                    b.append('|');
-                }
-                b.append(Pattern.quote(secret));
-            }
-        }
-        return b.toString();
-    }
 }
@@ -54,6 +54,7 @@
 
 import org.apache.commons.codec.Charsets;
 import org.jenkinsci.plugins.credentialsbinding.MultiBinding;
+import org.jenkinsci.plugins.credentialsbinding.masking.SecretPatterns;
 import org.jenkinsci.plugins.workflow.steps.AbstractStepExecutionImpl;
 import org.jenkinsci.plugins.workflow.steps.BodyExecutionCallback;
 import org.jenkinsci.plugins.workflow.steps.BodyInvoker;
@@ -195,7 +196,7 @@ private static final class Filter extends ConsoleLogFilter implements Serializab
         private String charsetName;
 
         Filter(Collection<String> secrets, String charsetName) {
-            pattern = Secret.fromString(MultiBinding.getPatternStringForSecrets(secrets));
+            pattern = Secret.fromString(SecretPatterns.getAggregateSecretPattern(secrets).pattern());
             this.charsetName = charsetName;
         }
 

@@ -35,6 +35,7 @@
 import hudson.tasks.BuildWrapper;
 import hudson.tasks.BuildWrapperDescriptor;
 import org.jenkinsci.plugins.credentialsbinding.MultiBinding;
+import org.jenkinsci.plugins.credentialsbinding.masking.SecretPatterns;
 import org.kohsuke.stapler.DataBoundConstructor;
 
 import javax.annotation.CheckForNull;
@@ -60,7 +61,7 @@ public class SecretBuildWrapper extends BuildWrapper {
      */
     public static @CheckForNull Pattern getPatternForBuild(@Nonnull AbstractBuild<?, ?> build) {
         if (secretsForBuild.containsKey(build)) {
-            return Pattern.compile(MultiBinding.getPatternStringForSecrets(secretsForBuild.get(build)));
+            return SecretPatterns.getAggregateSecretPattern(secretsForBuild.get(build));
         } else {
             return null;
         }

@@ -0,0 +1,72 @@
+/*
+ * The MIT License
+ *
+ * Copyright (c) 2019 CloudBees, Inc.
+ *
+ * Permission is hereby granted, free of charge, to any person obtaining a copy
+ * of this software and associated documentation files (the "Software"), to deal
+ * in the Software without restriction, including without limitation the rights
+ * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+ * copies of the Software, and to permit persons to whom the Software is
+ * furnished to do so, subject to the following conditions:
+ *
+ * The above copyright notice and this permission notice shall be included in
+ * all copies or substantial portions of the Software.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+ * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+ * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+ * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+ * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+ * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
+ * THE SOFTWARE.
+ */
+
+package org.jenkinsci.plugins.credentialsbinding.masking;
+
+import hudson.Extension;
+import org.kohsuke.accmod.Restricted;
+import org.kohsuke.accmod.restrictions.NoExternalUse;
+
+import javax.annotation.Nonnull;
+import java.util.Collection;
+import java.util.HashSet;
+import java.util.regex.Pattern;
+
+@Extension
+@Restricted(NoExternalUse.class)
+public class BashSecretPatternFactory implements SecretPatternFactory {
+
+    private static final Pattern QUOTED_CHARS = Pattern.compile("(\\\\)(\\\\?)");
+
+    private @Nonnull String getQuotedForm(@Nonnull String input) {
+        StringBuilder sb = new StringBuilder(input.length());
+        for (int i = 0; i < input.length(); i++) {
+            char c = input.charAt(i);
+            if (c == '\'') {
+                sb.append("'\\''");
+            } else {
+                sb.append(c);
+            }
+        }
+        return sb.toString();
+    }
+
+    private @Nonnull String surroundWithQuotes(@Nonnull String input) {
+        return "'" + input + "'";
+    }
+
+    private @Nonnull String getUnquotedForm(@Nonnull String input) {
+        return QUOTED_CHARS.matcher(input).replaceAll("$2");
+    }
+
+    @Override
+    public @Nonnull Collection<Pattern> getSecretPatterns(@Nonnull String input) {
+        Collection<Pattern> patterns = new HashSet<>();
+        String quotedForm = getQuotedForm(input);
+        patterns.add(SecretPatternFactory.quotedCompile(quotedForm));
+        patterns.add(SecretPatternFactory.quotedCompile(surroundWithQuotes(quotedForm)));
+        patterns.add(SecretPatternFactory.quotedCompile(getUnquotedForm(input)));
+        return patterns;
+    }
+}
@@ -0,0 +1,47 @@
+/*
+ * The MIT License
+ *
+ * Copyright (c) 2019 CloudBees, Inc.
+ *
+ * Permission is hereby granted, free of charge, to any person obtaining a copy
+ * of this software and associated documentation files (the "Software"), to deal
+ * in the Software without restriction, including without limitation the rights
+ * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+ * copies of the Software, and to permit persons to whom the Software is
+ * furnished to do so, subject to the following conditions:
+ *
+ * The above copyright notice and this permission notice shall be included in
+ * all copies or substantial portions of the Software.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+ * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+ * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+ * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+ * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+ * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
+ * THE SOFTWARE.
+ */
+
+package org.jenkinsci.plugins.credentialsbinding.masking;
+
+import hudson.Extension;
+import org.kohsuke.accmod.Restricted;
+import org.kohsuke.accmod.restrictions.NoExternalUse;
+
+import javax.annotation.Nonnull;
+import java.util.Collection;
+import java.util.Collections;
+import java.util.regex.Pattern;
+
+@Extension
+@Restricted(NoExternalUse.class)
+public class BatchSecretPatternFactory implements SecretPatternFactory {
+    private static final Pattern QUOTED_CHARS = Pattern.compile("(\\^)(\\^?)");
+
+    @Override
+    public @Nonnull Collection<Pattern> getSecretPatterns(@Nonnull String input) {
+        return input.contains("^")
+                ? Collections.singleton(SecretPatternFactory.quotedCompile(QUOTED_CHARS.matcher(input).replaceAll("$2")))
+                : Collections.emptySet();
+    }
+}
@@ -0,0 +1,47 @@
+/*
+ * The MIT License
+ *
+ * Copyright (c) 2019 CloudBees, Inc.
+ *
+ * Permission is hereby granted, free of charge, to any person obtaining a copy
+ * of this software and associated documentation files (the "Software"), to deal
+ * in the Software without restriction, including without limitation the rights
+ * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+ * copies of the Software, and to permit persons to whom the Software is
+ * furnished to do so, subject to the following conditions:
+ *
+ * The above copyright notice and this permission notice shall be included in
+ * all copies or substantial portions of the Software.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+ * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+ * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+ * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+ * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+ * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
+ * THE SOFTWARE.
+ */
+
+package org.jenkinsci.plugins.credentialsbinding.masking;
+
+import hudson.Extension;
+import org.kohsuke.accmod.Restricted;
+import org.kohsuke.accmod.restrictions.NoExternalUse;
+
+import javax.annotation.Nonnull;
+import java.util.Collection;
+import java.util.Collections;
+import java.util.regex.Pattern;
+
+/**
+ * Trivial secret pattern factory that matches the literal value of the secret.
+ */
+@Extension
+@Restricted(NoExternalUse.class)
+public class LiteralSecretPatternFactory implements SecretPatternFactory {
+    @Nonnull
+    @Override
+    public Collection<Pattern> getSecretPatterns(@Nonnull String input) {
+        return Collections.singleton(SecretPatternFactory.quotedCompile(input));
+    }
+}
@@ -0,0 +1,61 @@
+/*
+ * The MIT License
+ *
+ * Copyright (c) 2019 CloudBees, Inc.
+ *
+ * Permission is hereby granted, free of charge, to any person obtaining a copy
+ * of this software and associated documentation files (the "Software"), to deal
+ * in the Software without restriction, including without limitation the rights
+ * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+ * copies of the Software, and to permit persons to whom the Software is
+ * furnished to do so, subject to the following conditions:
+ *
+ * The above copyright notice and this permission notice shall be included in
+ * all copies or substantial portions of the Software.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+ * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+ * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+ * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+ * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+ * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
+ * THE SOFTWARE.
+ */
+
+package org.jenkinsci.plugins.credentialsbinding.masking;
+
+import hudson.ExtensionList;
+import hudson.ExtensionPoint;
+
+import javax.annotation.Nonnull;
+import java.util.Collection;
+import java.util.regex.Pattern;
+
+/**
+ * Creates regular expressions to match encoded forms of secrets in logs.
+ * These are typically implemented to handle various shell quoting algorithms (sometimes confused with escaping) to
+ * pass literal string values to an interpreter.
+ */
+public interface SecretPatternFactory extends ExtensionPoint {
+
+    /**
+     * Returns a collection of alternative forms the given input may show up as in logs.
+     * Note that these patterns must embed their flags in the pattern rather than as parameters to Pattern.
+     */
+    @Nonnull Collection<Pattern> getSecretPatterns(@Nonnull String input);
+
+    /**
+     * Returns all SecretPatternFactory extensions known at runtime.
+     */
+    static @Nonnull ExtensionList<SecretPatternFactory> all() {
+        return ExtensionList.lookup(SecretPatternFactory.class);
+    }
+
+    /**
+     * Composes {@link Pattern#compile(String)} and {@link Pattern#quote(String)} for convenience.
+     */
+    static @Nonnull Pattern quotedCompile(@Nonnull String input) {
+        return Pattern.compile(Pattern.quote(input));
+    }
+
+}