[SECURITY-3079]

(cherry picked from commit ac7bfe4c82fa10529106582fb6ba1e97046db233)

Author: amuniz

src/main/java/org/csanchez/jenkins/plugins/kubernetes/pipeline/SecretsMasker.java

@@ -42,6 +42,8 @@
 import java.util.concurrent.TimeUnit;
 import java.util.logging.Level;
 import java.util.logging.Logger;
+import java.util.regex.Pattern;
+
 import org.csanchez.jenkins.plugins.kubernetes.KubernetesComputer;
 import org.csanchez.jenkins.plugins.kubernetes.KubernetesSlave;
 import org.csanchez.jenkins.plugins.kubernetes.PodTemplate;
@@ -61,14 +63,19 @@ public final class SecretsMasker extends TaskListenerDecorator {
 
     private final Set<String> values;
 
+    private final Pattern pattern;
+
     private SecretsMasker(Set<String> values) {
         assert !values.isEmpty();
         this.values = values;
+        // stored at creation time so SecretPatternFactory extensions are properly loaded
+        // when/if this decorator runs at agent side (see DurableTaskStep.USE_WATCHING)
+        this.pattern = SecretPatterns.getAggregateSecretPattern(values);
     }
 
     @Override
     public OutputStream decorate(OutputStream logger) throws IOException, InterruptedException {
-        return new SecretPatterns.MaskingOutputStream(logger, () -> SecretPatterns.getAggregateSecretPattern(values), "UTF-8");
+        return new SecretPatterns.MaskingOutputStream(logger, () -> pattern, "UTF-8");
     }
 
     @Extension

src/test/java/org/csanchez/jenkins/plugins/kubernetes/pipeline/KubernetesPipelineTest.java

@@ -74,6 +74,7 @@
 import org.hamcrest.MatcherAssert;
 import org.hamcrest.Matchers;
 import org.jenkinsci.plugins.workflow.job.WorkflowRun;
+import org.jenkinsci.plugins.workflow.steps.durable_task.DurableTaskStep;
 import org.jenkinsci.plugins.workflow.test.steps.SemaphoreStep;
 import org.junit.After;
 import org.junit.Before;
@@ -247,7 +248,7 @@ public void runIn2Pods() throws Exception {
                 deletePods(cloud.connect(), getLabels(cloud, this, name), true));
     }
 
-    @Issue("JENKINS-57893")
+    @Issue({"JENKINS-57893", "SECURITY-3079"})
     @Test
     public void runInPodFromYaml() throws Exception {
         List<PodTemplate> templates = cloud.getTemplates();
@@ -265,6 +266,14 @@ public void runInPodFromYaml() throws Exception {
         r.assertLogContains("INSIDE_CONTAINER_ENV_VAR_FROM_SECRET = **** or " + CONTAINER_ENV_VAR_FROM_SECRET_VALUE.toUpperCase(Locale.ROOT) + "\n", b);
         assertFalse("There are pods leftover after test execution, see previous logs",
                 deletePods(cloud.connect(), getLabels(cloud, this, name), true));
+
+        // SECURITY-3079
+        DurableTaskStep.USE_WATCHING = true;
+        WorkflowRun build = p.scheduleBuild2(0).waitForStart();
+        r.assertBuildStatusSuccess(r.waitForCompletion(build));
+        r.assertLogNotContains(CONTAINER_ENV_VAR_FROM_SECRET_VALUE, build);
+        r.assertLogContains("INSIDE_CONTAINER_ENV_VAR_FROM_SECRET = **** or " + CONTAINER_ENV_VAR_FROM_SECRET_VALUE.toUpperCase(Locale.ROOT) + "\n", build);
+        DurableTaskStep.USE_WATCHING = false;
     }
 
     @Test