[SECURITY] Katalon Jenkins Plugins Records the GitHub Username and Password in the Build Job Console Log

jason.tolotta · May 18, 2023, 2:47am

After a Build Job has started successfully using the Katalon Jenkins Plugin to access a Scheduled Run on TestCloud, the GitHub Username and Password is recorded in the Console Log multiple times.

This is a massive security hole, as this allows anyone with the credentials to clone projects from private repositories.

Obfuscated Excerpt:

{"id":999999,"testProjectId":999999,"repository":"https://github.com/company-connect/test-project.git","branch":"refs/heads/develop","username":"USERNAME_SHOULD_NOT_BE_DISPLAYED","password":"PASSWORD_SHOULD_NOT_BE_DISPLAYED","createdAt":"2023-05-08T02:37:19.906+0000","vcsType":"GITHUB","shouldMergeTestResultsForNewScriptRepo":false},"organizationId":999999},"triggerBy":"MANUAL","triggerAt":"2023-05-17T14:05:41.177+0000","user":{"id":9999999,"email":"developers@company.com","firstName":"company","lastName":"devops","avatar":"https://katalon-test.s3.amazonaws.com/99999999999","systemRole":"USER","surveyStatus":"SUBMITTED","businessUser":true,"canCreateOfflineKSE":false,"canCreateOfflineRE":false,"samlSSO":false,"createdAt":"2023-04-11T23:57:58.598+0000","fullName":"company devops"},"project":{"id":999999,"name":"Test Project","teamId":9999999,"status":"ACTIVE","canAutoIntegrate":false},"runConfigurationId":999999}

Operating System

Not Applicable

Katalon Studio version

version 8.6.0

Log Folder:

Not Applicable

Environment (for Web Testing)

Katalon Jenkins Plugin > Freestyle Project > Build Job > Console Log
Katalon TestCloud

Environment (for Mobile Testing)

Not Applicable

Steps to reproduce

Ensure that the TestCloud project is connected to a GitHub repository with a valid Katalon Project
Create a Scheduled Run on TestCloud
Create a Freestyle Jenkins Project using the Katalon Jenkins Plugin
Enter the TestCloud project details and select the Test Suite to execute
Run the Build Job
Observe the GitHub username and password recorded in the console log

Expected Behavior
The Username and Password should not appear in the console log or obfuscated

Actual Behavior
The Username and Password appears in the console log

ha.tpham · May 23, 2023, 10:04am

@jason.tolotta Thank you for your information. It’s really an important issue that we are working on and plan to release in June.

Topic		Replies	Views
Scheduled test runs fail due to Private Profiles with username and password Katalon TestOps katalon-testops	5	226	February 19, 2024
Jenkins Plugin & TestOps Katalon TestOps katalon-testops	6	871	February 5, 2020
Katalon TestOps: Unexpected response, URL: https://testops.katalon.io/api/v1/katalon/test-reports/update-result?projectId=XXX, Status: 403, Response: {"error":"access_denied Bugs Report katalon-testops	1	1009	April 15, 2022
Passing capacities to katalon when running in console mode Archive integrations , katalon-studio , jenkins	1	828	November 18, 2018
Authentication method - Bug (log and report) Archive katalon-studio , bugs-report	5	859	November 27, 2021