0

Groovy's interpolation doc explains that why I am getting an insecure warning for my httpRequest. I used this:

withCredentials([usernamePassword(credentialsId: 'myKeys', usernameVariable: 'user', passwordVariable: 'password')]) {
        def response = httpRequest url: "https://someurl", 
        requestBody:"grant_type=password&username=${user}&password=${password}&client_id=id4&client_secret=secret4" 
                }

I think my attempted fix only applies to shell commands or something but as per the doc, I tried replacing the requestBody with:

requestBody:'grant_type=password&username=$user&password=$password&client_id=id4&client_secret=secret4'

...Which returns a 401 error, implying that the $user and $password were just interpreted as non variables. Not sure how I can securely use the withCredentials method without interpolation. Thank you for the help.

HC LW
  • 131
  • 11
  • 1
    Attempted fix indeed works for shell commands only. Try `requestBody: 'grant_type=password&username=' + user + '&password=' + password + '&client_id=id4&client_secret=secret4'`. – zett42 Nov 16 '21 at 16:03
  • hm...it runs but still returns a 401 error. In theory, your suggestion should work though? I don't know why it doesn't. @zett42 – HC LW Nov 16 '21 at 17:52
  • 1
    You may have to [encode the variables for URL](https://stackoverflow.com/q/10187344/7571258). – zett42 Nov 16 '21 at 17:58
  • The request is 'Content-Type: application/x-www-form-urlencoded'. After replacing user and password with...java.net.URLEncoder.encode(password, "UTF-8") and java.net.URLEncoder.encode(user, "UTF-8")...it returns 401 error. @zett42 – HC LW Nov 16 '21 at 18:24

0 Answers0