Description
Using withEnv or withCredentials fails to correctly set up the environment, meaning replacements don't happen.
```groovy
withEnv(['TESTVAR=TESTVAL']) {
    echo env.dump() // TESTVAR is not present
    echo env.getEnvironment().dump() // TESTVAR is not present
    echo env.TESTVAR // outputs TESTVAL
    env.TESTVAR = env.TESTVAR // Should have no effect
    echo env.dump() // TESTVAR is now present
    echo env.getEnvironment().dump() // TESTVAR is now present
}
```
The impact of this is that withCredentials blocks don't behave as expected with calls like httpRequest, as the variables can't be passed in single-quoted, which is a security risk.
For example, this does not expand $ENC_KEY in the httpRequest case but does when sh is used:
```groovy
withCredentials([string(credentialsId: 'PasswordEncryptionKey', variable: 'ENC_KEY')]) {
    try {
        httpRequest url: 'http://127.0.0.1:1000/$ENC_KEY' // Uses literal $ENC_KEY
    } catch (e) {
        echo "ERROR: $e"
    }
    try {
        node('master') {
            sh 'echo $ENC_KEY' // Correctly outputs *****
            def localEnv = env.getEnvironment()
            echo localEnv.expand('${ENC_KEY} $ENC_KEY') // Incorrectly outputs literal ${ENC_KEY} $ENC_KEY
        }
    } catch (e) {
        echo "ERROR: $e"
    }
    env.ENC_KEY = env.ENC_KEY // Workaround for some cases
    echo env.dump() // ENC_KEY is now present
    try {
        httpRequest url: 'http://127.0.0.1:1000/$ENC_KEY' // Still uses literal $ENC_KEY
    } catch (e) {
        echo "ERROR: $e"
    }
    try {
        node('master') {
            sh 'echo $ENC_KEY' // Correctly outputs *****
            def localEnv = env.getEnvironment()
            echo localEnv.expand('${ENC_KEY} $ENC_KEY') // Correctly outputs ***** *****
        }
    } catch (e) {
        echo "ERROR: $e"
    }
}
```
Originally reported by steveh, imported from: withEnv and withCredentials don't set environment fully
- status: Open
- priority: Major
- component(s): workflow-basic-steps-plugin
- resolution: Unresolved
- votes: 0
- watchers: 1
- imported: 20251215-220547
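
An added example (not part of the original issue or the plugin's code): when a step such as httpRequest does not expand a single-quoted `$ENC_KEY`, the usual fallback is a double-quoted Groovy string, which interpolates the secret before the step runs. This Python check flags that pattern in pipeline text; the sample pipeline and the name `find_interpolated_secrets` are constructed for illustration.

```python
import re

# Constructed sample pipeline (not from the issue). Lines 2 and 4 let Groovy
# interpolate the secret; line 3 leaves expansion to the shell.
SAMPLE = """withCredentials([string(credentialsId: 'PasswordEncryptionKey', variable: 'ENC_KEY')]) {
    httpRequest url: "http://127.0.0.1:1000/${ENC_KEY}"
    sh 'curl "http://127.0.0.1:1000/$ENC_KEY"'
    sh "echo $ENC_KEY"
    echo "ERROR: $e"
}
"""

# variable:, usernameVariable:, passwordVariable:, ... in withCredentials bindings
BINDING = re.compile(r"\b\w*[vV]ariable\s*:\s*['\"](\w+)['\"]")
# One string literal per match; group 1 is set only for double-quoted literals.
STRING = re.compile(r"'(?:[^'\\]|\\.)*'" r'|"((?:[^"\\]|\\.)*)"')
# $NAME, ${NAME}, ${env.NAME}; a backslash-escaped \$ is not an interpolation.
REF = re.compile(r"(?<!\\)\$\{?\s*(?:env\.)?(\w+)")


def find_interpolated_secrets(pipeline_text):
    """Return [(line_no, variable)] for credential variables referenced inside
    double-quoted Groovy strings. Single-line literals only; triple-quoted
    strings and comments are not parsed."""
    secrets = set(BINDING.findall(pipeline_text))
    findings = []
    for line_no, line in enumerate(pipeline_text.splitlines(), 1):
        for literal in STRING.finditer(line):
            body = literal.group(1)
            if body is None:  # single-quoted: Groovy leaves it untouched
                continue
            for name in REF.findall(body):
                if name in secrets:
                    findings.append((line_no, name))
    return findings


if __name__ == "__main__":
    for line_no, name in find_interpolated_secrets(SAMPLE):
        print(f"line {line_no}: {name} is interpolated by Groovy before the step runs")
```
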