Add trim helper to remove trailing newlines from secrets (#2810)

somiljain2006 · web-flow · commit c08919f7fc37 · 2026-03-30T13:06:36.000+01:00
diff --git a/docs/features/secrets.adoc b/docs/features/secrets.adoc
@@ -57,6 +57,7 @@ If you need to read a secret from a file, or perform additional en/decoding of t
 - `decodeBase64`
 - `readFileBase64`
 - `json`
+- `trim`
 
 Helpers can be combined to do multiple transformations. Examples:
 
@@ -139,6 +140,16 @@ Example:
 ${json:username:${ENV_VAR}}
 ```
 
+==== trim
+
+Removes trailing whitespace characters (including newlines, spaces, and tabs) from the provided secret. Leading whitespace is preserved.
+
+Example:
+
+```
+${trim:${readFile:/secret/passphrase.txt}}
+```
+
 === Security and compatibility considerations
 
 // TODO(oleg_nenashev): Add a link to the advisory once ready
diff --git a/plugin/src/main/java/io/jenkins/plugins/casc/SecretSourceResolver.java b/plugin/src/main/java/io/jenkins/plugins/casc/SecretSourceResolver.java
@@ -18,7 +18,6 @@
 import java.util.stream.Stream;
 import org.apache.commons.lang3.StringUtils;
 import org.apache.commons.text.StringSubstitutor;
-import org.apache.commons.text.TextStringBuilder;
 import org.apache.commons.text.lookup.StringLookup;
 import org.json.JSONObject;
 import org.kohsuke.accmod.Restricted;
@@ -40,7 +39,7 @@ public class SecretSourceResolver {
 
     public SecretSourceResolver(ConfigurationContext configurationContext) {
         // TODO update to use Map.of in JDK11+
-        Map<String, org.apache.commons.text.lookup.StringLookup> map = new HashMap<>(8);
+        Map<String, org.apache.commons.text.lookup.StringLookup> map = new HashMap<>(16);
         map.put("base64", Base64Lookup.INSTANCE);
         map.put("fileBase64", FileBase64Lookup.INSTANCE);
         map.put("readFileBase64", FileBase64Lookup.INSTANCE);
@@ -49,6 +48,7 @@ public SecretSourceResolver(ConfigurationContext configurationContext) {
         map.put("sysProp", SystemPropertyLookup.INSTANCE);
         map.put("decodeBase64", DecodeBase64Lookup.INSTANCE);
         map.put("json", JsonLookup.INSTANCE);
+        map.put("trim", TrimLookup.INSTANCE);
         map = Collections.unmodifiableMap(map);
 
         substitutor = new StringSubstitutor(new FixedInterpolatorStringLookup(
@@ -106,10 +106,9 @@ public String resolve(String toInterpolate) {
         if (StringUtils.isBlank(toInterpolate) || !toInterpolate.contains(enclosedBy)) {
             return toInterpolate;
         }
-        final TextStringBuilder buf = new TextStringBuilder(toInterpolate);
-        substitutor.replaceIn(buf);
-        nullSubstitutor.replaceIn(buf);
-        return buf.toString();
+        String result = substitutor.replace(toInterpolate);
+        result = nullSubstitutor.replace(result);
+        return result;
     }
 
     static class UnresolvedLookup implements StringLookup {
@@ -250,4 +249,16 @@ public String lookup(@NonNull final String key) {
             return output;
         }
     }
+
+    static class TrimLookup implements StringLookup {
+
+        static final TrimLookup INSTANCE = new TrimLookup();
+
+        private TrimLookup() {}
+
+        @Override
+        public String lookup(@NonNull final String key) {
+            return StringUtils.stripEnd(key, null);
+        }
+    }
 }
diff --git a/plugin/src/test/java/io/jenkins/plugins/casc/SecretSourceResolverTest.java b/plugin/src/test/java/io/jenkins/plugins/casc/SecretSourceResolverTest.java
@@ -443,4 +443,82 @@ private static void assertVarEncoding(String expected, String toEncode) {
         String encoded = context.getSecretSourceResolver().encode(toEncode);
         assertThat(encoded, equalTo(expected));
     }
+
+    @Test
+    public void trimLookup_removesTrailingWhitespace() {
+        assertThat(SecretSourceResolver.TrimLookup.INSTANCE.lookup("value\n"), equalTo("value"));
+        assertThat(SecretSourceResolver.TrimLookup.INSTANCE.lookup("value\r\n"), equalTo("value"));
+        assertThat(SecretSourceResolver.TrimLookup.INSTANCE.lookup("  value  \n"), equalTo("  value"));
+    }
+
+    @Test
+    public void resolve_trimRemovesTrailingNewlines() {
+        environment.set("FOO", "my_secret_pass\n");
+        assertThat(resolve("${trim:${FOO}}"), equalTo("my_secret_pass"));
+
+        environment.set("BAR", "my_secret_pass\r\n");
+        assertThat(resolve("${trim:${BAR}}"), equalTo("my_secret_pass"));
+
+        environment.set("BAZ", "my_secret_pass\n\n\n");
+        assertThat(resolve("${trim:${BAZ}}"), equalTo("my_secret_pass"));
+    }
+
+    @Test
+    public void resolve_trimNoNewline_noChange() {
+        environment.set("FOO", "my_secret_pass");
+        assertThat(resolve("${trim:${FOO}}"), equalTo("my_secret_pass"));
+    }
+
+    @Test
+    public void resolve_trimRemovesTrailingSpacesButPreservesLeading() {
+        environment.set("FOO", "  my_secret_pass  \n");
+        assertThat(resolve("${trim:${FOO}}"), equalTo("  my_secret_pass"));
+
+        environment.set("BAR", "\tmy_secret_pass\t\r\n");
+        assertThat(resolve("${trim:${BAR}}"), equalTo("\tmy_secret_pass"));
+    }
+
+    @Test
+    public void resolve_trimNestedReadFile() throws Exception {
+        Path tempSecretFile = Files.createTempFile("casc-secret", ".txt");
+        tempSecretFile.toFile().deleteOnExit();
+
+        Files.writeString(tempSecretFile, "super_secret_ssh_key\n");
+        String inputPath = tempSecretFile.toAbsolutePath().toString();
+
+        String rawOutput = resolve("${readFile:" + inputPath + "}");
+        assertTrue("Raw output should contain the problematic trailing newline", rawOutput.endsWith("\n"));
+        assertThat(rawOutput, equalTo("super_secret_ssh_key\n"));
+
+        String trimmedOutput = resolve("${trim:${readFile:" + inputPath + "}}");
+        assertThat(trimmedOutput, equalTo("super_secret_ssh_key"));
+    }
+
+    @Test
+    public void resolve_readFilePreservesTrailingNewline() throws Exception {
+        Path tempFile = Files.createTempFile("casc-secret-baseline", ".txt");
+        tempFile.toFile().deleteOnExit();
+
+        Files.writeString(tempFile, "secret\n");
+
+        String output = resolve("${readFile:" + tempFile.toAbsolutePath() + "}");
+        assertThat(output, equalTo("secret\n"));
+    }
+
+    @Test
+    public void resolve_trimEmptyString() {
+        assertThat(resolve("${trim:}"), equalTo(""));
+    }
+
+    @Test
+    public void resolve_trimOnlyNewlines() {
+        environment.set("FOO", "\n\n");
+        assertThat(resolve("${trim:${FOO}}"), equalTo(""));
+    }
+
+    @Test
+    public void resolve_trimWithSpacesOnly_becomesEmpty() {
+        environment.set("FOO", "   ");
+        assertThat(resolve("${trim:${FOO}}"), equalTo(""));
+    }
 }
