jenkinsci/bitbucket-branch-source-plugin

BitBucket SCM url contains token in URL

Hildebrand-Ritense opened this issue · 3 comments

Jenkins and plugins versions report

Environment
Jenkins: 2.350
OS: Linux - 4.14.275-142.503.amzn1.x86_64
---
ace-editor:1.1
amazon-ecr:1.73.v741d474abe74
analysis-model-api:10.10.1
antisamy-markup-formatter:2.7
apache-httpcomponents-client-4-api:4.5.13-1.0
authentication-tokens:1.4
autocomplete-parameter:1.1
aws-beanstalk-publisher-plugin:1.8.2
aws-credentials:191.vcb_f183ce58b_9
aws-java-sdk:1.12.215-339.vdc07efc5320c
aws-java-sdk-cloudformation:1.12.215-339.vdc07efc5320c
aws-java-sdk-codebuild:1.12.215-339.vdc07efc5320c
aws-java-sdk-ec2:1.12.215-339.vdc07efc5320c
aws-java-sdk-ecr:1.12.215-339.vdc07efc5320c
aws-java-sdk-ecs:1.12.215-339.vdc07efc5320c
aws-java-sdk-elasticbeanstalk:1.12.215-339.vdc07efc5320c
aws-java-sdk-iam:1.12.215-339.vdc07efc5320c
aws-java-sdk-logs:1.12.215-339.vdc07efc5320c
aws-java-sdk-minimal:1.12.215-339.vdc07efc5320c
aws-java-sdk-ssm:1.12.215-339.vdc07efc5320c
basic-branch-build-strategies:1.3.2
bitbucket-oauth:0.12
bootstrap4-api:4.6.0-5
bootstrap5-api:5.1.3-7
bouncycastle-api:2.26
branch-api:2.1046.v0ca_37783ecc5
build-timeout:1.21
caffeine-api:2.9.3-65.v6a_47d0f4d1fe
checks-api:1.7.4
cloudbees-bitbucket-branch-source:773.v4b_9b_005b_562b_
cloudbees-folder:6.729.v2b_9d1a_74d673
command-launcher:84.v4a_97f2027398
conditional-buildstep:1.4.2
config-file-provider:3.10.0
copyartifact:1.46.4
credentials:1129.vef26f5df883c
credentials-binding:523.vd859a_4b_122e6
data-tables-api:1.11.4-4
delivery-pipeline-plugin:1.4.2
dependency-check-jenkins-plugin:5.1.2
display-url-api:2.3.6
docker-commons:1.19
docker-workflow:1.28
durable-task:496.va67c6f9eefa7
ec2-fleet:2.5.1
echarts-api:5.3.2-2
email-ext:2.88
envinject:2.866.v5c0403e3d4df
envinject-api:1.199.v3ce31253ed13
font-awesome-api:6.1.1-1
forensics-api:1.13.0
git:4.11.3
git-client:3.11.0
git-server:1.11
github:1.34.3
github-api:1.303-400.v35c2d8258028
github-branch-source:1637.vd833b_7ca_7654
gradle:1.39
handlebars:3.0.8
handy-uri-templates-2-api:2.1.8-22.v77d5b_75e6953
http_request:1.15
ignore-committer-strategy:1.0.4
jackson2-api:2.13.3-285.vc03c0256d517
javadoc:217.v905b_86277a_2a_
javax-activation-api:1.2.0-3
javax-mail-api:1.6.2-6
jaxb:2.3.6-1
jdk-tool:1.5
jjwt-api:0.11.5-77.v646c772fddb_0
job-dsl:1.79
jquery:1.12.4-1
jquery-detached:1.2.1
jquery3-api:3.6.0-4
jsch:0.1.55.2
junit:1119.va_a_5e9068da_d7
lockable-resources:2.15
mailer:414.vcc4c33714601
matrix-project:771.v574584b_39e60
maven-plugin:3.19
mercurial:2.16.2
momentjs:1.1.1
next-build-number:1.8
nodejs:1.5.1
okhttp-api:4.9.3-105.vb96869f8ac3a
parameterized-trigger:2.44
pipeline-aws:1.43
pipeline-build-step:2.18
pipeline-graph-analysis:195.v5812d95a_a_2f9
pipeline-groovy-lib:591.v3a_7f422b_d058
pipeline-input-step:448.v37cea_9a_10a_70
pipeline-milestone-step:101.vd572fef9d926
pipeline-model-api:2.2086.v12b_420f036e5
pipeline-model-definition:2.2086.v12b_420f036e5
pipeline-model-extensions:2.2086.v12b_420f036e5
pipeline-rest-api:2.24
pipeline-stage-step:293.v200037eefcd5
pipeline-stage-tags-metadata:2.2086.v12b_420f036e5
pipeline-stage-view:2.24
plain-credentials:1.8
plugin-util-api:2.17.0
popper-api:1.16.1-3
popper2-api:2.11.5-2
prism-api:1.28.0-2
remote-file:1.22
resource-disposer:0.19
run-condition:1.5
scm-api:608.vfa_f971c5a_a_e9
script-security:1175.v4b_d517d6db_f0
slack:608.v19e3b_44b_b_9ff
snakeyaml-api:1.30.1
sonar:2.14
ssh-credentials:277.v95c2fec1c047
ssh-slaves:1.814.vc82988f54b_10
sshd:3.237.v883d165a_c1d3
structs:318.va_f3ccb_729b_71
timestamper:1.17
token-macro:293.v283932a_0a_b_49
trilead-api:1.57.v6e90e07157e1
variant:1.4
warnings-ng:9.12.0
workflow-aggregator:581.v0c46fa_697ffd
workflow-api:1164.v760c223ddb_32
workflow-basic-steps:948.v2c72a_091b_b_68
workflow-cps:2725.v7b_c717eb_12ce
workflow-durable-task-step:1144.vd77b_57189936
workflow-job:1186.v8def1a_5f3944
workflow-multibranch:716.vc692a_e52371b_
workflow-scm-step:400.v6b_89a_1317c9a_
workflow-step-api:625.vd896b_f445a_f8
workflow-support:820.vd1a_6cc65ef33
ws-cleanup:0.42

What Operating System are you using (both controller, and any agents involved in the problem)?

Linux 4.14.275-142.503.amzn1.x86_64 #1 SMP Fri Apr 15 00:03:16 UTC 2022 x86_64 x86_64 x86_64 GNU/Linux

Reproduction steps

  1. Navigate to a multibranch pipeline project
  2. Select a branch
  3. Select a build
  4. Inspect the SCM repository URL

Expected Results

https://bitbucket.org/MyWorkspace/my-repo

Actual Results

Repository: https://x-token-auth:{my_very_long_and_random_token}@bitbucket.org/MyWorkspace/my-repo.git

Anything else?

For some reason all of a sudden the full BitBucket auth token is shown in plain text on every build page and in the console logs. It's unclear to me which dependency exactly has caused this, but I'm guessing it's got something to do with BitBucket or SSH auth as I'm not seeing the same with Multibranch GitHub projects.

It seems not necessary to include the token, even in plain sight, in the display URL, or at all. Who can explain this change?

Slightly related: https://issues.jenkins.io/browse/JENKINS-66692?jql=resolution%20is%20EMPTY%20AND%20component%20%3D%20bitbucket-branch-source-plugin

I've further looked into this and it's only occurring when using OAuth credentials. My solution now is to use an App password instead.

For others stumbling across this: switch from using OAuth credentials to App passwords.