http-request-plugin icon indicating copy to clipboard operation
http-request-plugin copied to clipboard
verified publisher icon jenkinsci

honor maskValue flag for Authorization header

Open njZhuMin opened this issue 5 years ago • 1 comments

Hi @oleg-nenashev ,

I was trying to debug a request in Jenkins, set maskValue: false for Authorization header and found it didn't honor this flag. I understand this change was by https://github.com/jenkinsci/http-request-plugin/pull/22 and for case some security concerns (https://issues.jenkins.io/browse/JENKINS-39744).

I would like to propose an enhancement here which both respects maskValueflag and also masks Authorization header by default.

So I set default maskValue = true in HttpRequestNameValuePair.java constructor. In this case, when user passes maskValue: false in Authorization header, it can be honored correctly.

Please correct me if I missed something or you have further security concerns about this change.

Thanks for your great job done here!

Best regards, Kevin

njZhuMin avatar Jan 08 '21 04:01 njZhuMin

Sorry, I missed the GitHub update. Was mostly off in Jan-Feb due to health issues. Added to my review queue

oleg-nenashev avatar Apr 23 '21 19:04 oleg-nenashev