[JENKINS-75184] CredentialsMatcher fail with ECR Security Token (#977)

nfalco79 · web-flow · commit dfbc8778cf11 · 2025-01-25T00:06:25.000+01:00
Add a try catch block in CredentialsMatcher implementation when invoke UsernamePasswordCredentials#getPassword method to handle those implementations that perform some operations, like an HTTP call, for which throw an exception.
diff --git a/src/main/java/com/cloudbees/jenkins/plugins/bitbucket/impl/credentials/BitbucketOAuthCredentialMatcher.java b/src/main/java/com/cloudbees/jenkins/plugins/bitbucket/impl/credentials/BitbucketOAuthCredentialMatcher.java
@@ -27,6 +27,7 @@
 import com.cloudbees.plugins.credentials.Credentials;
 import com.cloudbees.plugins.credentials.CredentialsMatcher;
 import com.cloudbees.plugins.credentials.common.UsernamePasswordCredentials;
+import hudson.util.Secret;
 import java.util.logging.Level;
 import java.util.logging.Logger;
 
@@ -56,15 +57,19 @@ public boolean matches(Credentials item) {
             return false;
         }
 
-        if (item.getClass().getName().equals("com.cloudbees.jenkins.plugins.amazonecr.AmazonECSRegistryCredential")) {
-            return false;
-        }
-
         try {
             UsernamePasswordCredentials usernamePasswordCredential = ((UsernamePasswordCredentials) item);
             String username = usernamePasswordCredential.getUsername();
+            String password;
+            try {
+                password = Secret.toString(usernamePasswordCredential.getPassword());
+            } catch (Exception e) {
+                // JENKINS-75184
+                return false;
+            }
+
             boolean isEMail = username.contains(".") && username.contains("@");
-            boolean validSecretLength = usernamePasswordCredential.getPassword().getPlainText().length() == CLIENT_SECRET_LENGTH;
+            boolean validSecretLength = password.length() == CLIENT_SECRET_LENGTH;
             boolean validKeyLength = username.length() == CLIENT_KEY_LENGTH;
 
             return !isEMail && validKeyLength && validSecretLength;
diff --git a/src/main/java/com/cloudbees/jenkins/plugins/bitbucket/impl/credentials/BitbucketUsernamePasswordCredentialMatcher.java b/src/main/java/com/cloudbees/jenkins/plugins/bitbucket/impl/credentials/BitbucketUsernamePasswordCredentialMatcher.java
@@ -51,7 +51,13 @@ public boolean matches(Credentials item) {
 
         UsernamePasswordCredentials usernamePasswordCredential = ((UsernamePasswordCredentials) item);
         String username = usernamePasswordCredential.getUsername();
-        String password = Secret.toString(usernamePasswordCredential.getPassword());
+        String password;
+        try {
+            password = Secret.toString(usernamePasswordCredential.getPassword());
+        } catch (Exception e) {
+            // JENKINS-75184
+            return false;
+        }
         return StringUtils.isNotBlank(username) && StringUtils.isNotBlank(password);
     }
 }

Original file line number	Diff line number	Diff line change
`@@ -51,7 +51,13 @@ public boolean matches(Credentials item) {`
`51`	`51`
`52`	`52`	`UsernamePasswordCredentials usernamePasswordCredential = ((UsernamePasswordCredentials) item);`
`53`	`53`	`String username = usernamePasswordCredential.getUsername();`
`54`		`- String password = Secret.toString(usernamePasswordCredential.getPassword());`
	`54`	`+ String password;`
	`55`	`+ try {`
	`56`	`+ password = Secret.toString(usernamePasswordCredential.getPassword());`
	`57`	`+ } catch (Exception e) {`
	`58`	`+ // JENKINS-75184`
	`59`	`+ return false;`
	`60`	`+ }`
`55`	`61`	`return StringUtils.isNotBlank(username) && StringUtils.isNotBlank(password);`
`56`	`62`	`}`
`57`	`63`	`}`