sqlplus-script-runner help - MS Windows issue

Fernando Boaglio
Hi,

How are you today?

I am the sqlplus-script-runner plugin maintainer; this plugin is basically a wrapper to use Oracle SQL Plus from the command line.

This plugin has been around since 2015, and due to a recent security issue, I did a workaround/fix to hide the user's password.

- Before release 2.0.12:

<sqlplus>  user/"password"@databaseInstance  @customSQLscript

- Current release 2.0.13:

HIDDING_PASSWORD=password (by envVars.put)

Linux: <sqlplus>  user/"$HIDDING_PASSWORD"@databaseInstance  @customSQLscript
Windows: <sqlplus>  user/"%HIDDING_PASSWORD%"@databaseInstance  @customSQLscript

Linux: works flawlessly
Windows: doesn't work, I get invalid user/password, some users can't use it

Example:
C:\instantclient\bin\sqlplus.exe -L fb/"%HIDDEN_PASSWORD%"@XE @c:\jenkins\workspace\test-sql-slave\temp-script-16045792671955150761487514970585.sql
ERROR: ORA-01017: invalid username/password; logon denied

I tried to create another file (sqlplus.cmd) to check if HIDDEN_PASSWORD variable is correct and I got no errors.

File sqlplus.cmd:
echo " CMD "  
echo HIDDEN_PASSWORD=fb
echo ORACLE_HOME=C:\instantclient
cd C:\instantclient\
C:\instantclient\sqlplus.exe fb/"%HIDDEN_PASSWORD%"@XE @C:\instantclient\teste.sql

Output:
 c:\jenkins\workspace\test-sql-slave>echo " CMD "  
" CMD "
c:\jenkins\workspace\test-sql-slave>echo HIDDEN_PASSWORD=fb
HIDDEN_PASSWORD=fb
c:\jenkins\workspace\test-sql-slave>echo ORACLE_HOME=C:\instantclient
ORACLE_HOME=C:\instantclient
c:\jenkins\workspace\test-sql-slave>cd C:\instantclient\
C:\instantclient>C:\instantclient\sqlplus.exe fb/"fb"@XE @C:\instantclient\teste.sql
SQL*Plus: Release 19.0.0.0.0 - Production on Thu Nov 5 04:25:23 2020
Version 19.6.0.0.0
Copyright (c) 1982, 2019, Oracle.  All rights reserved.
Connected to:
Oracle Database 11g Express Edition Release 11.2.0.2.0 - 64bit Production
USER is "FB"
Disconnected from Oracle Database 11g Express Edition Release 11.2.0.2.0 - 64bit Production
Processo terminou com status 0
--------------------------------------------------------------------------
Finished: SUCCESS


I am out of ideas, is there any issue related to EnvVars?

This plugin is based on Jenkins 2.176.3.

Thanks for your help =)

--
You received this message because you are subscribed to the Google Groups "Jenkins Developers" group.
To unsubscribe from this group and stop receiving emails from it, send an email to [hidden email].
To view this discussion on the web visit https://groups.google.com/d/msgid/jenkinsci-dev/f25d0a51-ba77-434e-bdf1-367e7ed97c0en%40googlegroups.com.

Re: sqlplus-script-runner help - MS Windows issue

Daniel Beck-2
I would look into Windows batch quoting rules. I think the double quotes become part of the actual value or some other weirdness. Ideally you could write a small tool that just echoes the command line args it receives, and then use that in place of sqlplus to see what actually gets passed to the application.

Alternatively, you may be able to switch from wrapper scripts to launch your programs using hudson.Launcher but I'm not sure how well the masking would work as a part of an argument without masking the entire argument.


--

Daniel Beck
Senior Software Engineer
CloudBees, Inc.

 


Re: sqlplus-script-runner help - MS Windows issue

Fernando Boaglio
Hi Daniel,

Even removing all double quotes I got the same error.

Jenkins:
image.png

CMD:
image.png


I am already using hudson.Launcher (please check line 467).

Since this plugin is based on Jenkins 2.176.3, maybe I can try to use a newer one... any suggestions?

Thanks.


--
Fernando Boaglio
[hidden email] | www.boaglio.com

Re: sqlplus-script-runner help - MS Windows issue

Fernando Boaglio
Hi,

I tried to upgrade Jenkins core, org.jenkins-ci.plugins:plugin, but I still got the same results. =/

Since I am using hudson.Launcher and the main reason to fix the security issue is to hide a command line password, how can I get the output and do a replace (something like logString.replace('password', '****')) before it goes to the final output?

Thanks.

Re: sqlplus-script-runner help - MS Windows issue

Gavin Mogan
Are you using the credentials system? Freestyle or pipeline? AFAIK credentials should be masked in your build output. At least in pipeline when you use credentials() or withCredentials. I'm not sure how it gets triggered in freestyle.

Re: sqlplus-script-runner help - MS Windows issue

Fernando Boaglio
Yes, I am using the credentials system; to get the password I use credentials.getPassword().getPlainText() and it is not masked =/


Re: sqlplus-script-runner help - MS Windows issue

James Nord-2

Are you using the ArgumentListBuilder and addMasked?

https://javadoc.jenkins-ci.org/hudson/util/ArgumentListBuilder.html#addMasked-java.lang.String-
as per https://javadoc.jenkins-ci.org/hudson/Launcher.html#launch--

If not, you need to tell Jenkins that the nth argument should be masked (but you would be better off with the builder).
On Sunday, 8 November 2020 at 07:30:08 UTC [hidden email] wrote:
Yes, I am using credentials system, to get password I use credentials.getPassword().getPlainText() and it is not masked =/


Em domingo, 8 de novembro de 2020 às 03:32:25 UTC-3, [hidden email] escreveu:
Are you using credentials system? Free style or pipeline? Afaik credentials should be masked in your build output. At least in pipeline when you use credentials() or withCredentials. I'm not sure how it gets triggered in freestyle.

On Sat., Nov. 7, 2020, 10:26 p.m. Fernando Boaglio, <[hidden email]> wrote:
Hi,

I tried to upgrade Jenkins core, org.jenkins-ci.plugins:plugin , but I still got same results.  =/

Since I am using hudson.Launcher and the main reason to fix the security issue is to hide a command line password, how can I get the output and do a replace ( something like logString.replace('password', '****') )  before do to the final output ?

Thanks.

Em sexta-feira, 6 de novembro de 2020 às 10:19:41 UTC-3, Fernando Boaglio escreveu:
Hi Daniel,

Even removing all double quotes I got the same error.

Jenkins:
image.png

CMD:
image.png


I am already using hudson.Launcher (please check line 467).

Since this plugin is based on Jenkins 2.176.3 , maybe I can try to use a newer one... any suggestions ?

Thanks.


On Thu, Nov 5, 2020 at 3:53 PM Daniel Beck <[hidden email]> wrote:
I would look into Windows batch quoting rules. I think the double quotes become part of the actual value or some other weirdness. Ideally you could write a small tool that just echoes the command line args it receives, and then use that in place of sqlplus to see what actually gets passed to the application.

Alternatively, you may be able to switch from wrapper scripts to launch your programs using hudson.Launcher but I'm not sure how well the masking would work as a part of an argument without masking the entire argument.


On Thu, Nov 5, 2020 at 6:52 PM Fernando Boaglio <[hidden email]> wrote:
Hi,

How are you today ?

I am the sqlplus-script-runner plugin maintainer , this plugin is basically a wrapper to use  Oracle SQL Plus by command line.

This plugin is around since 2015, and due to a recent security issue, I did a workaround/fix to hide user's password.

- Before release 2.0.12:

<sqlplus>  user/"password"@databaseInstance  @customSQLscript

- Current release 2.0.13:

HIDDING_PASSWORD=password (by envVars.put)

Linux: <sqlplus>  user/"$HIDDING_PASSWORD"@databaseInstance  @customSQLscript
Windows: <sqlplus>  user/"%HIDDING_PASSWORD%"@databaseInstance  @customSQLscript

Linux: work flawlessly
Windows: doesn't work, I get invalid user/password , some users can't use it

Example:
C:\instantclient\bin\sqlplus.exe -L fb/"%HIDDEN_PASSWORD%"@XE @c:\jenkins\workspace\test-sql-slave\temp-script-16045792671955150761487514970585.sql
ERROR: ORA-01017: invalid username/password; logon denied

I tried to create another file (sqlplus.cmd) to check if HIDDEN_PASSWORD variable is correct and I got no errors.

File sqlplus.cmd:
echo " CMD "  
echo HIDDEN_PASSWORD=fb
echo ORACLE_HOME=C:\instantclient
cd C:\instantclient\
C:\instantclient\sqlplus.exe fb/"%HIDDEN_PASSWORD%"@XE @C:\instantclient\teste.sql

Output:
 c:\jenkins\workspace\test-sql-slave>echo " CMD "  
" CMD "
c:\jenkins\workspace\test-sql-slave>echo HIDDEN_PASSWORD=fb
HIDDEN_PASSWORD=fb
c:\jenkins\workspace\test-sql-slave>echo ORACLE_HOME=C:\instantclient
ORACLE_HOME=C:\instantclient
c:\jenkins\workspace\test-sql-slave>cd C:\instantclient\
C:\instantclient>C:\instantclient\sqlplus.exe fb/"fb"@XE @C:\instantclient\teste.sql
SQL*Plus: Release 19.0.0.0.0 - Production on Thu Nov 5 04:25:23 2020
Version 19.6.0.0.0
Copyright (c) 1982, 2019, Oracle.  All rights reserved.
Connected to:
Oracle Database 11g Express Edition Release 11.2.0.2.0 - 64bit Production
USER is "FB"
Disconnected from Oracle Database 11g Express Edition Release 11.2.0.2.0 - 64bit Production
Processo terminou com status 0
--------------------------------------------------------------------------
Finished: SUCCESS


I am out of ideas. Is there any issue related to EnvVars?

This plugin is based on Jenkins 2.176.3.

Thanks for your help =)



--

Daniel Beck
Senior Software Engineer
CloudBees, Inc.

 




--
Fernando Boaglio
[hidden email] | www.boaglio.com


Re: sqlplus-script-runner help - MS Windows issue

Fernando Boaglio
Thank you James, addMasked did it!   \o/

Fixed the Windows issue, and passwords are hidden in release 2.0.14 =)

Thank you guys.


On Sun, Nov 8, 2020 at 7:54 PM James Nord <[hidden email]> wrote:

Are you using the ArgumentListBuilder and addMasked?

If not, you need to tell Jenkins that the nth argument should be masked (but you would be better off with the builder).
On Sunday, 8 November 2020 at 07:30:08 UTC [hidden email] wrote:
Yes, I am using the credentials system; to get the password I use credentials.getPassword().getPlainText() and it is not masked =/


On Sunday, November 8, 2020 at 03:32:25 UTC-3, [hidden email] wrote:
Are you using credentials system? Free style or pipeline? Afaik credentials should be masked in your build output. At least in pipeline when you use credentials() or withCredentials. I'm not sure how it gets triggered in freestyle.

On Sat., Nov. 7, 2020, 10:26 p.m. Fernando Boaglio, <[hidden email]> wrote:
Hi,

I tried to upgrade Jenkins core, org.jenkins-ci.plugins:plugin, but I still got the same results.  =/

Since I am using hudson.Launcher and the main reason to fix the security issue is to hide a command line password, how can I get the output and do a replace (something like logString.replace('password', '****')) before it goes to the final output?

Thanks.

On Friday, November 6, 2020 at 10:19:41 UTC-3, Fernando Boaglio wrote:
Hi Daniel,

Even after removing all double quotes, I got the same error.

Jenkins:
image.png

CMD:
image.png


I am already using hudson.Launcher (please check line 467).

Since this plugin is based on Jenkins 2.176.3, maybe I can try to use a newer one... any suggestions?

Thanks.


On Thu, Nov 5, 2020 at 3:53 PM Daniel Beck <[hidden email]> wrote:
I would look into Windows batch quoting rules. I think the double quotes become part of the actual value or some other weirdness. Ideally you could write a small tool that just echoes the command line args it receives, and then use that in place of sqlplus to see what actually gets passed to the application.

Alternatively, you may be able to switch from wrapper scripts to launch your programs using hudson.Launcher but I'm not sure how well the masking would work as a part of an argument without masking the entire argument.


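The approach the thread settles on (ArgumentListBuilder with addMasked, launched through hudson.Launcher), written out as an added example that is not part of the thread and not the sqlplus-script-runner source. The class MaskedSqlPlusLauncher and its method and parameter names are hypothetical; ArgumentListBuilder, Secret and Launcher are Jenkins core classes, and the code compiles against jenkins-core.

```java
import hudson.EnvVars;
import hudson.FilePath;
import hudson.Launcher;
import hudson.model.TaskListener;
import hudson.util.ArgumentListBuilder;
import hudson.util.Secret;
import java.io.IOException;

/** Hypothetical helper (illustration only, not the plugin's own code). */
public final class MaskedSqlPlusLauncher {

    private MaskedSqlPlusLauncher() {}

    /** Builds: sqlplus -L user/password@instance @script, with the connect string masked. */
    public static ArgumentListBuilder buildArgs(String sqlplusExe, String user,
            Secret password, String instance, String scriptPath) {
        ArgumentListBuilder args = new ArgumentListBuilder();
        args.add(sqlplusExe);
        args.add("-L");
        // The mask applies to a whole argument, so the complete connect string
        // (user, password and instance) is hidden in the build log.
        // The value is handed over as one argument, so neither $VAR nor %VAR%
        // expansion by a shell or cmd.exe is needed on either platform.
        args.addMasked(user + "/" + password.getPlainText() + "@" + instance);
        args.add("@" + scriptPath);
        return args;
    }

    /** Launches on the agent; cmds(ArgumentListBuilder) carries the mask flags along. */
    public static int run(Launcher launcher, TaskListener listener, FilePath workspace,
            EnvVars env, ArgumentListBuilder args)
            throws IOException, InterruptedException {
        return launcher.launch()
                .cmds(args)        // command line echoed to the log with masked args hidden
                .envs(env)
                .stdout(listener)  // sqlplus output still goes to the build log
                .pwd(workspace)
                .join();           // exit code of sqlplus
    }
}
```

Masking changes only how Jenkins echoes the command line into the build log; the password is still passed to sqlplus as a process argument on the agent, and anything the SQL script itself prints is not filtered.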