SECURITY ISSUE: JENKINS_HOME.gitignore must ignore credentials.xml #4547

Closed

@cowlinator cowlinator commented Dec 11, 2024

JENKINS_HOME.gitignore must ignore credentials.xml, as that file may contain encrypted secrets.

Also, job config should be included.

Reasons for making this change:

I am a Jenkins user. I decided to use this JENKINS_HOME.gitignore as I version controlled my Jenkins configuration.

  1. Then I discovered credentials.xml, which contains encrypted passwords, private SSH keys, and other secrets. In general, it is bad practice and a security issue to include any secrets or credentials, encrypted or not, in git repositories. (And in this case, they can be decrypted very easily.)
  2. I also discovered that the job configurations were being ignored. Job config.xml files are important, sometimes containing a lot of intricate configuration, and in fact sometimes contain `<script>{code}</script>` which literally contains code. Code should be included in version control.

Links to documentation supporting these rule changes:

  1. Not documented. Just enter any credential into a Jenkins instance, and look at the credentials.xml file. You will see your encrypted credential. The need for this change is self-evident.
  2. https://wiki.jenkins-ci.org/display/JENKINS/Administering+Jenkins

pcowley added 2 commits December 11, 2024 14:26
…s that file may contain encrypted secrets.
…ml files contain important configuration data, sometimes including `<script>{code}</script>` which is literally code. Code needs to be version controlled.
@cowlinator
Author

@samrocketman , as original submitter of the JENKINS_HOME.gitignore, could you comment on this PR?

@samrocketman
Contributor

samrocketman commented Jan 15, 2025

Hi there, thanks for raising via mention.

About credentials

credentials.xml being tracked is intentional in the backup and not a security issue. The credentials are encrypted with AES-128-CBC and are encrypted at rest like other configurations with sensitive information. I’ve directly reviewed this portion of Jenkins source code and reported security issues on it in the past when it was formerly using AES-128-ECB. Jenkins credentials are secure.

Jenkins uses the secret.key paired with root config.xml to decrypt secrets. I intentionally included it because a Jenkins configuration without credentials.xml is arguably a useless backup since you wouldn’t be able to restore Jenkins home from a backup.

To protect your configuration, be sure to back up separately (and store separately) files $JENKINS_HOME/secret* which would include secret.key. I suggest GPG encrypted with multiple teammates.

Other files containing ciphertext

Worth noting that Jenkins folders' config.xml files also include encrypted credentials just like credentials.xml. Some plugins store sensitive information encrypted in job configuration.

Intent of this gitignore

The purpose of this config is to provide Jenkins admins with a means to diff config during upgrades and restore removed config from mistakes or bugs. It’s not meant for publishing as a code repository. But even if you published by mistake, as long as you follow the original template the credentials are ciphertext.

In code comments, secrets refer to keys used for decrypting ciphertext and not files which contain credentials ciphertext.

Job config already accounted for

Jenkins job config is included via:

Recurse into jobs folder and exclude all files but do not exclude folders:

```
# Ignore all files in jobs subdirectories except for folders.
# Note: git doesn't track folders, only file content.
jobs/**
!jobs/**/
```

Paired with this line: “include config.xml in all folders which include jobs folders”

```
# Exclude only config.xml files in repository subdirectories.
!config.xml
```
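
Added example (not part of the thread and not the project's own code): a shell check that applies only the two rule blocks quoted in the comment above to a constructed JENKINS_HOME, lists what git would track, and audits for tracked `$JENKINS_HOME/secret*` key material. The directory layout, file contents and function names are assumptions; because the rest of the template is not reproduced on this page, the constructed secret.key ends up staged here, which is the condition the audit flags.

```shell
#!/bin/sh
# Added example. Every path and file content below is constructed.

# build_demo_home DIR: create a sample JENKINS_HOME and stage it using only
# the two rule blocks quoted in the thread (not the full template).
build_demo_home() {
    home=$1
    mkdir -p "$home/jobs/build-app/builds/1" "$home/jobs/team/jobs/deploy"
    echo '<project/>'  > "$home/jobs/build-app/config.xml"
    echo 'console log' > "$home/jobs/build-app/builds/1/log"
    echo '7'           > "$home/jobs/build-app/nextBuildNumber"
    echo '<folder/>'   > "$home/jobs/team/config.xml"
    echo '<project/>'  > "$home/jobs/team/jobs/deploy/config.xml"
    echo '<ciphertext/>'   > "$home/credentials.xml"
    echo 'constructed-key' > "$home/secret.key"
    cat > "$home/.gitignore" <<'EOF'
jobs/**
!jobs/**/
!config.xml
EOF
    git -C "$home" init -q
    git -C "$home" add -A
}

# tracked_paths DIR: list what a commit would contain.
tracked_paths() { git -C "$1" ls-files; }

# tracked_key_material DIR: list tracked paths matching $JENKINS_HOME/secret*,
# the decryption keys the thread says to back up and store separately.
tracked_key_material() { git -C "$1" ls-files -- 'secret*'; }

# key_material_is_untracked DIR: succeed only when no such path is tracked
# (usable as a pre-commit or CI gate).
key_material_is_untracked() { [ -z "$(tracked_key_material "$1")" ]; }

demo=$(mktemp -d)
build_demo_home "$demo"
tracked_paths "$demo"
if key_material_is_untracked "$demo"; then
    echo "OK: no key material tracked"
else
    echo "FAIL: key material tracked: $(tracked_key_material "$demo")"
fi
rm -rf "$demo"
```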

@cowlinator
Author

Thank you for taking a look and for the explanation.

@cowlinator cowlinator closed this Jan 15, 2025
@samrocketman
Contributor

No worries, it doesn’t hurt to review and second guess. Good looking out.
