After a Build Job has started successfully using the Katalon Jenkins Plugin to access a Scheduled Run on TestCloud, the GitHub Username and Password are recorded in the Console Log multiple times.
This is a massive security hole, as anyone who can read the console log obtains credentials that allow them to clone projects from private repositories.
Obfuscated Excerpt:
{"id":999999,"testProjectId":999999,"repository":"https://github.com/company-connect/test-project.git","branch":"refs/heads/develop","username":"USERNAME_SHOULD_NOT_BE_DISPLAYED","password":"PASSWORD_SHOULD_NOT_BE_DISPLAYED","createdAt":"2023-05-08T02:37:19.906+0000","vcsType":"GITHUB","shouldMergeTestResultsForNewScriptRepo":false},"organizationId":999999},"triggerBy":"MANUAL","triggerAt":"2023-05-17T14:05:41.177+0000","user":{"id":9999999,"email":"developers@company.com","firstName":"company","lastName":"devops","avatar":"https://katalon-test.s3.amazonaws.com/99999999999","systemRole":"USER","surveyStatus":"SUBMITTED","businessUser":true,"canCreateOfflineKSE":false,"canCreateOfflineRE":false,"samlSSO":false,"createdAt":"2023-04-11T23:57:58.598+0000","fullName":"company devops"},"project":{"id":999999,"name":"Test Project","teamId":9999999,"status":"ACTIVE","canAutoIntegrate":false},"runConfigurationId":999999}
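Added example (not part of the original report or of the Katalon plugin): a small log scrubber that masks the username/password pairs in a run-configuration payload like the one above, plus a checker that flags any console-log line still carrying an unmasked credential. The sensitive key list and the sample log lines are assumptions constructed for the demo.

```python
import json
import re

# Keys whose values must never reach a build log (assumption: extend as needed).
SENSITIVE_KEYS = {"password", "username", "token", "secret"}
MASK = "****"

def redact(obj):
    """Recursively mask sensitive values in parsed JSON (dicts and lists)."""
    if isinstance(obj, dict):
        return {k: (MASK if k.lower() in SENSITIVE_KEYS else redact(v)) for k, v in obj.items()}
    if isinstance(obj, list):
        return [redact(v) for v in obj]
    return obj

# Matches "password":"..." style pairs even when the line is not complete JSON,
# which is the case for the truncated excerpt in the report.
_PAIR_RE = re.compile(r'"(password|username|token|secret)"\s*:\s*"([^"]*)"', re.IGNORECASE)

def scrub_line(line):
    """Redact one console-log line: parse as JSON if possible, else mask pairs by regex."""
    try:
        return json.dumps(redact(json.loads(line)), separators=(",", ":"))
    except ValueError:  # json.JSONDecodeError is a subclass of ValueError
        return _PAIR_RE.sub(lambda m: f'"{m.group(1)}":"{MASK}"', line)

def leaked_secrets(lines):
    """Return (line_no, key) for every unmasked sensitive value found in the log."""
    hits = []
    for n, line in enumerate(lines, 1):
        for m in _PAIR_RE.finditer(line):
            if m.group(2) != MASK:
                hits.append((n, m.group(1).lower()))
    return hits

# Constructed sample resembling the scheduled-run payload from the report (placeholder values).
SAMPLE_LOG = [
    'Starting TestCloud scheduled run 999999',
    '{"id":999999,"repository":"https://github.com/company-connect/test-project.git",'
    '"username":"USERNAME_SHOULD_NOT_BE_DISPLAYED","password":"PASSWORD_SHOULD_NOT_BE_DISPLAYED",'
    '"vcsType":"GITHUB","project":{"id":999999,"name":"Test Project"}}',
    'Build step finished',
]

if __name__ == "__main__":
    print(leaked_secrets(SAMPLE_LOG))            # [(2, 'username'), (2, 'password')]
    for line in SAMPLE_LOG:
        print(scrub_line(line))
    print(leaked_secrets([scrub_line(l) for l in SAMPLE_LOG]))  # []
```

The same `leaked_secrets` check can be run over archived Jenkins console logs to find builds whose logs already need to be purged and whose GitHub credentials should be rotated.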
Operating System
Not Applicable
Katalon Studio version
version 8.6.0
Log Folder:
Not Applicable
Environment (for Web Testing)
- Katalon Jenkins Plugin > Freestyle Project > Build Job > Console Log
- Katalon TestCloud
Environment (for Mobile Testing)
- Not Applicable
Steps to reproduce
- Ensure that the TestCloud project is connected to a GitHub repository with a valid Katalon Project
- Create a Scheduled Run on TestCloud
- Create a Freestyle Jenkins Project using the Katalon Jenkins Plugin
- Enter the TestCloud project details and select the Test Suite to execute
- Run the Build Job
- Observe the GitHub username and password recorded in the console log
Expected Behavior
The Username and Password should not appear in the console log, or should be obfuscated
Actual Behavior
The Username and Password appear in the console log in clear text