[JENKINS-72036] usernameColonPassword does not properly masked credentials #511
Description
Using withCredentials with usernameColonPassword only masks credentials with the USERNAME:PASSWORD format, but when they're used, applications can print them in different format (only the password or only the username).
Reproduction Steps
In this example I'm leaking the username, as I'm not aware of applications which could leak password.
Create a Username with password credentialsId with basic-cred as ID
Check "Treat username as secret"
Create a pipeline with the following script:
pipeline {
agent any
stages {
stage('HTTP Request') {
steps {
withCredentials([usernameColonPassword(credentialsId: 'basic-cred', variable: 'BASIC_AUTH')]) {
sh '''
curl -v https://$BASIC_AUTH@google.com
'''
}
}
}
}
}
Built it and go to the build log
Originally reported by 
kevingrdj, imported from: usernameColonPassword does not properly masked credentials
- status: Open
- priority: Minor
- component(s): credentials-binding-plugin
- resolution: Unresolved
- votes: 0
- watchers: 1
- imported: 20251211-141027
Raw content of original issue
Using withCredentials with usernameColonPassword only masks credentials with the USERNAME:PASSWORD format, but when they're used, applications can print them in different format (only the password or only the username).
Reproduction Steps
In this example I'm leaking the username, as I'm not aware of applications which could leak password.
Create a Username with password credentialsId with basic-cred as ID Check "Treat username as secret"
Create a pipeline with the following script:
pipeline { agent any stages { stage('HTTP Request') { steps { withCredentials([usernameColonPassword(credentialsId: 'basic-cred', variable: 'BASIC_AUTH')]) { sh ''' curl -v https://$BASIC_AUTH@google.com ''' } } } } }Built it and go to the build log
