Pipeline using curl and issues with interpolation of credentials

Hi,

I want to use curl for uploading a file to a Nexus repository.

This works fine

node('somenode') {
  writeFile file: 'foo.txt', text: 'foo'
  withCredentials([usernamePassword(credentialsId: 'somecreds', passwordVariable: 'pw', 
  usernameVariable: 'user')]) {
    sh "curl -v -u $user:$pw --upload-file foo.txt https://nexushost/repository/somerepo/foo.txt"
  }
}

but as expected yields

Warning: A secret was passed to “sh” using Groovy String interpolation, which is insecure.
Affected argument(s) used the following variable(s): [pw, user]

So I tried multiple things like

sh 'curl -v -u $user:$pw --upload-file foo.txt https://nexushost/repository/somerepo/foo.txt'

sh 'curl -v -u {user}:{pw} --upload-file foo.txt https://nexushost/repository/somerepo/foo.txt'

sh "curl -v -u \$user:\$pw --upload-file foo.txt https://nexushost/repository/somerepo/foo.txt"

sh "curl -v -u \${user}:\${pw} --upload-file foo.txt https://nexushost/repository/somerepo/foo.txt"

but it’s always HTTP/1.1 401 Unauthorized

What’s the right syntax?

Gilbert

OK, after trying a bunch of different things like slashy strings … etc. I found a working solution using string concatenation

sh 'curl -v -u ' + user + ':' + pw + ' --upload-file foo.txt https://nexushost/repository/somerepo/foo.txt'

So double quotes (" or """) are processed by pipeline/Groovy.
Single quotes are passed on directly.

Your shell will then process the string provided to sh.

So the dangerous thing is if user or pw contains $, it’ll get double evaluated

There’s really no reason your single quote ones shouldn’t work, bash should evaluate those variables just fine.

For your solution, you may want to wrap it in quotes so bash won’t evaluate it again

sh 'curl -v -u "' + user + ':' + pw + '" --upload-file foo.txt'

though

sh 'curl -v -u "${user}:${pw}" --upload-file foo.txt'

should work the same way

Thanks, I will try your first snippet.
I was happy to find a working solution that doesn’t result in

Warning: A secret was passed to “sh” using Groovy String interpolation, which is insecure.
Affected argument(s) used the following variable(s): [pw, user]

This means my solution should already be safe to use?

After reading all the docs and further research, your second proposal was in fact one of my first
attempts, but it didn’t work.

The warning is just telling you that Groovy is interpolating it before passing it to the shell, which means your shell will get the processed value. For the shell, that just means that if you look at ps, you’ll see the password in the string. Your solution does that, but doesn’t warn. It’s up to you if you care.

Like I said, my solution should work, I just can’t imagine why it wouldn’t work, unless your password gets pre-escaped or something. My solution should pass the username and password verbatim.
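
An added example (not written by anyone in this thread) of the double evaluation discussed above, in POSIX sh: it runs the same command text as Groovy interpolation or concatenation would build it, and as a single-quoted Groovy string would pass it. `fake_curl`, `run_step` and the sample credentials are constructed for illustration, and no network is used.

```shell
#!/bin/sh
# Constructed sample credentials (not real). The password contains "$HOME",
# which a shell expands when it parses it as unquoted or double-quoted text.
SAMPLE_USER='deploy'
SAMPLE_PW='S3cr3t$HOME!'

# Hypothetical stand-in for curl so this runs offline: prints the -u value.
FAKE_CURL='fake_curl() { printf "%s" "$2"; }'

# Run a script text the way the sh step would hand it to a shell, with the
# credentials also exported as environment variables (as withCredentials does).
run_step() {
    HOME=/home/jenkins user="$SAMPLE_USER" pw="$SAMPLE_PW" sh -c "$FAKE_CURL; $1"
}

# Groovy "...$pw..." or 'a' + pw + 'b': the secret is pasted into the script
# text first, so the shell parses it a second time.
spliced() {
    run_step "fake_curl -u $SAMPLE_USER:$SAMPLE_PW"
}

# Same splice wrapped in shell double quotes: no word splitting, but "$" is
# still expanded inside double quotes.
spliced_quoted() {
    run_step "fake_curl -u \"$SAMPLE_USER:$SAMPLE_PW\""
}

# Groovy '...' string: the script text holds only the variable names and the
# shell reads the values from the environment exactly once.
from_env() {
    run_step 'fake_curl -u "$user:$pw"'
}

printf 'spliced:        %s\n' "$(spliced)"
printf 'spliced_quoted: %s\n' "$(spliced_quoted)"
printf 'from_env:       %s\n' "$(from_env)"
```

Only `from_env` hands the password to the command unchanged; both spliced forms send a different string whenever the secret contains `$`.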