--info prints username and password to the build log

In a build.gradle file I have:

apply plugin: "org.unbroken-dome.helm"

helm {
  repositories {
    myrepo {
      url 'https://internal/artifactory/repos'
      credentials {
        username = systemUsername
        password = systemPassword
      }
    }
  }

  publishing {
    repositories {
      artifactory {
        url = uri('https://internal/artifactory/repos')
        credentials {
          username = systemUsername
          password = systemPassword
        }
      }
    }
  }
  ...
}

where systemUsername and systemPassword are specified in ~/.gradle/gradle.properties

But when I run my build with:

./gradlew --info --no-daemon clean build

Executing: [/home/builder/samples/.gradle/helm/client/3.7.1/linux-amd64/helm, repo, add, --username, build_acct, --password, ******, myrepo, https://internal/artifactory/repos]

Starting process 'command '/home/builder/samples/.gradle/helm/client/3.7.1/linux-amd64/helm''. Working directory: /home/builder/samples Command: /home/builder/samples/.gradle/helm/client/3.7.1/linux-amd64/helm repo add --username build_acct --password clear-text-password myrepo https://internal/artifactory/repos

the password is printed to the log in clear text but only for the second line/Starting process. If I remove the --info flag it's no longer printed but then I lose all the other information.

Is it intentional that --info will also print password values?

And is there something I can do to always make sure password values are hidden from the build log?

No, but the plugin author of this helm plugin has implemented passing the password in an insecure way. The info logs from Gradle exec will provide details about what arguments were specified and the password is being passed as a command line argument.

Generally, tools (like helm) provide a secure way such as --password-stdin or the environment to specify the password in a way that avoids typical logging. However, there is also a convenience argument like --password that can be used, but with the caveat that it is insecure. This plugin is using the latter to pass the password as a command line argument, so due to this implementation detail, it would be expected that the password could be observed, even when not using --info.
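
A log filter for the two line shapes shown in the question, as an added example that is not part of the original posts or of the plugin: redact_build_log masks the value after --password, and find_password_leaks reports the lines that still carry a clear-text value. The function names and the sample input are constructed here, and the filter only covers the build log, not the process argument list the answer describes.

```shell
#!/bin/sh
# Added example (not from the post or the plugin): redact --password values
# in Gradle --info output. Covers the two shapes in the question's log,
#   Executing: [helm, repo, add, --password, VALUE, ...]
#   Command: helm repo add --password VALUE ...
# plus --password=VALUE. Assumption: VALUE contains no space, comma or ']'.
# Usage, after sourcing: ./gradlew --info clean build 2>&1 | redact_build_log
PW_RE='(--password)(=|,? +)[^], ]+'

# Filter stdin to stdout, replacing every --password value with ******.
redact_build_log() {
  sed -E "s/${PW_RE}/\1\2******/g"
}

# Print the numbers of lines that still carry an unmasked --password value.
# Returns 0 when the log is clean and 1 when a clear-text value was found.
find_password_leaks() {
  # Neutralise values that are already ******, then look for what remains.
  leaks=$(sed -E 's/--password(=|,? +)\*{6}([], ]|$)/--password-masked\2/g' |
    grep -nE -e "$PW_RE" | cut -d: -f1)
  if [ -n "$leaks" ]; then
    printf '%s\n' "$leaks"
    return 1
  fi
  return 0
}

# Constructed sample: the two log lines from the question, paths shortened.
sample_log() {
  cat <<'EOF'
Executing: [helm, repo, add, --username, build_acct, --password, ******, myrepo, https://internal/artifactory/repos]
Starting process 'command 'helm''. Command: helm repo add --username build_acct --password clear-text-password myrepo https://internal/artifactory/repos
EOF
}
```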