Jenkins Mask Password exposes the secret text when called via the return keyword

I used the Jenkins Mask Password plugin to mask the secret text and it works well. BUT when I try to call this secret text from a separate method using return, it exposes the text.

    properties([
        parameters([
            password(name: 'Passwd', description: 'Encryption key')
        ])
    ])

    // function that masks the text ---
    def getAppPassword() {
        wrap([$class: 'MaskPasswordsBuildWrapper', varPasswordPairs: [[var: 'SECRET', password: Passwd]], varMaskRegexes: []]) {
            echo "${Passwd}"    // here the text gets masked
            return "${Passwd}"  // the returned value leaves the wrap block, where it is no longer masked
        }
    }

    // declarative pipeline --
    pipeline {
        agent any
        // set up as an environment variable so it can be accessed throughout the file.
        environment {
            ExecutorPassword = getAppPassword()
        }

        stages {
            stage('Hello') {
                steps {
                    bat "--${ExecutorPassword} "
                    // Groovy control flow needs a script block inside declarative steps
                    script {
                        if ("${ExecutorPassword}" == "12324") {
                            echo "Equal!"
                        } else {
                            echo "Mark"
                        }
                    }
                }
            }
        }
    }



I have been stuck here for the last three days. Please help.

In the getAppPassword() function, echo "${Passwd}" returns the secret text masked like ***. But when I call the function getAppPassword() in the pipeline under the step bat "--${ExecutorPassword} ", it exposes the secret text in the console.

Tried with both single quotes and double quotes.

  1. When I used double quotes ", it exposed the secret text.

  2. When I used single quotes ', it returned the ${ExecutorPassword} variable as-is.



Solution 1:[1]

Instead of passing the password in a parameter, you can use two different methods.

  1. Use the Jenkins credentials vault, as it will automatically encrypt your password with AES encryption.

  2. Use the input function to get the password while the build is running; putting the variable which stores the password in a limited scope will help you secure it, and you can also do masking on it and then destroy the variable or make it null as soon as your work is done. Here is a small example.

    if (authType != 'W') {
        def userName = input(
            id: 'userName', message: 'SQL Username', parameters: [
                [$class: 'hudson.model.TextParameterDefinition', defaultValue: '', name: 'Username', description: 'Please enter your username']
            ])

        def userPassword = input(
            id: 'userPassword', message: 'SQL Password', parameters: [
                [$class: 'hudson.model.PasswordParameterDefinition', defaultValue: '', name: 'Passwrd', description: 'Please enter your password']
            ])

        wrap([$class: 'MaskPasswordsBuildWrapper', varPasswordPairs: [[password: "${userPassword}", var: 'Passwrd']]]) {
            // your command to use credentials here

            println(userPassword) // password will appear masked, like *******
        }

        userPassword = '' // close the if statement to limit the variable's scope to here, or just empty the variable if you can't close the scope
    }
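As an added example (not from the original question or answer), this declarative Jenkinsfile applies the first suggestion: the password lives in the Jenkins credentials store as a Secret text credential (the credential id `app-password` is an assumed placeholder) and is bound with `credentials()`, which Jenkins masks in the console for the whole pipeline rather than only inside a `wrap` block. The value is handed to `bat` in a single-quoted Groovy string, so the secret is expanded by the shell at run time and is never interpolated into the command text that Jenkins logs.

```groovy
// Added example, not part of the original question or answer.
// Assumes a "Secret text" credential with id 'app-password' exists in Jenkins.
pipeline {
    agent any

    environment {
        // credentials() binds the secret for every stage and Jenkins masks it in
        // the console output, unlike a value returned out of a wrap {} block.
        APP_PASSWORD = credentials('app-password')
    }

    stages {
        stage('Use secret') {
            steps {
                // Single-quoted Groovy string: no ${...} interpolation, so the secret
                // never becomes part of the command text. cmd.exe expands %APP_PASSWORD%
                // at run time; the leading '@' stops batch from echoing the command line.
                bat '@my-tool.exe --password %APP_PASSWORD%'

                // Same idea on a Linux agent (sh does not echo by default):
                // sh 'my-tool --password "$APP_PASSWORD"'

                script {
                    // Checks on the secret stay inside the pipeline: only the outcome
                    // is echoed, never the value itself.
                    if (env.APP_PASSWORD?.trim()) {
                        echo 'Password credential is set'
                    } else {
                        error 'Password credential is empty'
                    }
                }
            }
        }
    }
}
```

Jenkins logs a warning when a bound credential is used inside a double-quoted (interpolated) Groovy string, which is the pattern in the original `bat "--${ExecutorPassword} "` step.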
    

Sources

This article follows the attribution requirements of Stack Overflow and is licensed under CC BY-SA 3.0.

Source: Stack Overflow

Solution Source
Solution 1 Aniket Kumar