Using withEnv or withCredentials fails to correctly set up the environment, meaning replacements don't happen.

    withEnv(['TESTVAR=TESTVAL']) {
        echo env.dump() // TESTVAR is not present
        echo env.getEnvironment().dump() // TESTVAR is not present
        echo env.TESTVAR // outputs TESTVAL
        env.TESTVAR = env.TESTVAR // Should have no effect
        echo env.dump() // TESTVAR is now present
        echo env.getEnvironment().dump() // TESTVAR is now present
    }

The impact of this is that withCredentials blocks don't behave as expected with calls like httpRequest, as the variables can't be passed in single-quoted, which is a security risk.
For example, this does not expand $ENC_KEY in the httpRequest case but does when sh is used:

    withCredentials([string(credentialsId: 'PasswordEncryptionKey', variable: 'ENC_KEY')]) {
        try {
            httpRequest url: 'http://127.0.0.1:1000/$ENC_KEY' // Uses literal $ENC_KEY
        } catch (e) {
            echo "ERROR: $e"
        }
        try {
            node('master') {
                sh 'echo $ENC_KEY' // Correctly outputs *****
                def localEnv = env.getEnvironment()
                echo localEnv.expand('${ENC_KEY} $ENC_KEY') // Incorrectly outputs literal ${ENC_KEY} $ENC_KEY
            }
        } catch (e) {
            echo "ERROR: $e"
        }
        env.ENC_KEY = env.ENC_KEY // Workaround for some cases
        echo env.dump() // ENC_KEY is now present
        try {
            httpRequest url: 'http://127.0.0.1:1000/$ENC_KEY' // Still uses literal $ENC_KEY
        } catch (e) {
            echo "ERROR: $e"
        }
        try {
            node('master') {
                sh 'echo $ENC_KEY' // Correctly outputs ***** 
                def localEnv = env.getEnvironment()
                echo localEnv.expand('${ENC_KEY} $ENC_KEY') // Correctly outputs ***** *****
            }
        } catch (e) {
            echo "ERROR: $e"
        }
    }

Originally reported by steveh, imported from: withEnv and withCredentials don't set environment fully
- status: Open
- priority: Major
- component(s): workflow-basic-steps-plugin
- resolution: Unresolved
- votes: 0
- watchers: 1
- imported: 20251215-220547
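
The single-quoted versus interpolated distinction the report relies on, as an added example that is not part of the original issue or the plugin's code. It assumes `curl` is installed on the agent and that the secret contains only URL-safe characters; the credential ID, variable name and URL are the ones from the report.

```groovy
// Added example (scripted Pipeline), not from the original report.
withCredentials([string(credentialsId: 'PasswordEncryptionKey', variable: 'ENC_KEY')]) {
    node('master') {
        // Avoid: with double quotes Groovy substitutes the secret before the step
        // runs, so the step receives the secret value itself as its argument.
        // httpRequest url: "http://127.0.0.1:1000/${ENC_KEY}"

        // Single quotes: Groovy passes the script text through unchanged and the
        // shell on the agent expands $ENC_KEY from the environment bound by
        // withCredentials, which the report shows working for sh.
        //
        // 'set +x' turns off the command tracing that the sh step enables by default.
        // printf is a builtin in common shells and curl reads its URL from stdin
        // (--config -), so the secret is not placed on a process command line.
        // '\\n' is needed because Groovy processes escapes inside ''' strings.
        sh '''
            set +x
            printf 'url = "http://127.0.0.1:1000/%s"\\n' "$ENC_KEY" |
                curl --fail --silent --show-error --config -
        '''
    }
}
```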