[SECURITY] Katalon Jenkins Plugin Records the GitHub Username and Password in the Build Job Console Log

After a Build Job has started successfully using the Katalon Jenkins Plugin to access a Scheduled Run on TestCloud, the GitHub Username and Password are recorded in the Console Log multiple times.

This is a massive security hole, as this allows anyone with the credentials to clone projects from private repositories.

Obfuscated Excerpt:

{"id":999999,"testProjectId":999999,"repository":"https://github.com/company-connect/test-project.git","branch":"refs/heads/develop","username":"USERNAME_SHOULD_NOT_BE_DISPLAYED","password":"PASSWORD_SHOULD_NOT_BE_DISPLAYED","createdAt":"2023-05-08T02:37:19.906+0000","vcsType":"GITHUB","shouldMergeTestResultsForNewScriptRepo":false},"organizationId":999999},"triggerBy":"MANUAL","triggerAt":"2023-05-17T14:05:41.177+0000","user":{"id":9999999,"email":"developers@company.com","firstName":"company","lastName":"devops","avatar":"https://katalon-test.s3.amazonaws.com/99999999999","systemRole":"USER","surveyStatus":"SUBMITTED","businessUser":true,"canCreateOfflineKSE":false,"canCreateOfflineRE":false,"samlSSO":false,"createdAt":"2023-04-11T23:57:58.598+0000","fullName":"company devops"},"project":{"id":999999,"name":"Test Project","teamId":9999999,"status":"ACTIVE","canAutoIntegrate":false},"runConfigurationId":999999}

Operating System

Not Applicable

Katalon Studio version

version 8.6.0

Log Folder:

Not Applicable

Environment (for Web Testing)

  • Katalon Jenkins Plugin > Freestyle Project > Build Job > Console Log
  • Katalon TestCloud

Environment (for Mobile Testing)

  • Not Applicable

Steps to reproduce

  • Ensure that the TestCloud project is connected to a GitHub repository with a valid Katalon Project
  • Create a Scheduled Run on TestCloud
  • Create a Freestyle Jenkins Project using the Katalon Jenkins Plugin
  • Enter the TestCloud project details and select the Test Suite to execute
  • Run the Build Job
  • Observe the GitHub username and password recorded in the console log

Expected Behavior
The Username and Password should not appear in the console log, or should be obfuscated

Actual Behavior
The Username and Password appear in the console log
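
The expected behaviour described in the report (credentials absent from, or masked in, the console log) can be checked and enforced with a small log filter. The Python below is an added example and is not code from the Katalon plugin, from Jenkins, or from the poster; it assumes the credentials appear as JSON string members (`"username":"..."`, `"password":"..."`) exactly as in the excerpt above, and the sample console log lines are constructed for illustration.

```python
import re

# Keys whose values must never reach a build log. The report shows
# "username" and "password" leaking; the others are common companions
# in VCS / API payloads and are included as an assumption.
SENSITIVE_KEYS = ("username", "password", "token", "secret", "apiKey", "accessToken")

MASK = "****"

# Matches one JSON string member with a sensitive key, e.g. "password":"hunter2".
# It works on fragments as well as on complete documents, so a truncated
# excerpt like the one in the report is still handled.
_SENSITIVE_MEMBER = re.compile(
    r'"(?P<key>' + "|".join(re.escape(k) for k in SENSITIVE_KEYS) + r')"'
    r'\s*:\s*"(?P<value>(?:\\.|[^"\\])*)"',
    re.IGNORECASE,
)


def redact_line(line: str) -> str:
    """Return the log line with every sensitive JSON string value masked."""
    return _SENSITIVE_MEMBER.sub(lambda m: f'"{m.group("key")}":"{MASK}"', line)


def redact_log(lines):
    """Redact a whole console log, given as a list of lines."""
    return [redact_line(line) for line in lines]


def find_leaks(lines):
    """Return (line_number, key) for every sensitive member whose value is
    neither empty nor already masked. Useful as a post-build check or as a
    detection rule over archived console logs."""
    leaks = []
    for number, line in enumerate(lines, start=1):
        for match in _SENSITIVE_MEMBER.finditer(line):
            value = match.group("value")
            if value and value != MASK:
                leaks.append((number, match.group("key")))
    return leaks


# Constructed sample console log: line 2 mimics the shape of the leaked
# run-configuration payload from the report (values are made up).
SAMPLE_CONSOLE_LOG = [
    "Started by user devops",
    'Run configuration: {"repository":"https://github.com/example-org/example-project.git",'
    '"branch":"refs/heads/develop","username":"ci-bot","password":"hunter2-constructed",'
    '"vcsType":"GITHUB"}',
    'Scheduling run {"runConfigurationId":999999,"triggerBy":"MANUAL"}',
    "Finished: SUCCESS",
]


if __name__ == "__main__":
    print("leaks before redaction:", find_leaks(SAMPLE_CONSOLE_LOG))
    for line in redact_log(SAMPLE_CONSOLE_LOG):
        print(line)
    print("leaks after redaction:", find_leaks(redact_log(SAMPLE_CONSOLE_LOG)))
```

`find_leaks` is the detection side (run it over existing console logs to find builds that already exposed credentials and need those credentials rotated), while `redact_line` is the mitigation that the plugin or a Jenkins console log filter should apply before anything is written. A regex on the serialized payload is used deliberately so the filter also works on fragments that are not parseable as JSON, which is how the excerpt in the report appears.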

@jason.tolotta Thank you for your information. It’s really an important issue that we are working on and plan to release in June.
