Bamboo build variable passwords visible

Issue #5 resolved
Revathi Muthana created an issue

Hello,

We are seeing that Bamboo build plan passwords are visible from the browser in clear text format, as shown in the screenshot. In the logs it is shown as ******, but when we check with the browser "inspect" tool we are able to see the password in text format.

Steps to reproduce

  1. Go to any plan in Bamboo.
  2. Click on the "Run Customized" tab; we can see all the plan variables along with passwords.
  3. Select the password value and right-click on it.
  4. Click on "inspect" and check in the elements.
  5. The password is visible in clear text format but not in the logs.

Then we noticed that the tab "Run Customised" comes from the following plugin: "Custom Deployments for Bamboo". Please check with the development team how to hide those passwords.

Thanks & Regards

Revathi

Comments (8)

  1. Hutuleac Iulius repo owner

    Hi,

    For now, I would advise using global settings and not allowing passwords to be customized.

    Julius

  2. Hutuleac Iulius repo owner

    Hi,

    I have published a new version removing the initial values for variables containing the word password in the name.

    Julius

  3. Revathi Muthana reporter
    • changed status to open

    Hello, Thanks for the quick update.

    We have updated the plugin to the latest version, but we have observed 2 things after upgrading on the QA environment.

    1. If we have 4 parameters like username & password, after the upgrade we can see only 2 parameters; we lost the other 2 parameters.
    2. Regarding the password, it's not visible, but is it being hidden or removed?

    Please confirm these things so that we can update it on Production, because it affects all plans, and if we revert to the older version we are not able to recover the parameters which we have lost.

    Thanks & Regards Revathi

  4. Hutuleac Iulius repo owner

    Hi,

    Can you provide more exact Parameter names and the filter from global settings that is responsible for hiding variables?

    Julius

  5. Revathi Muthana reporter

    Hello @Hutuleac Iulius

    Thanks for the update,

    Yes, we got it, this password is also hidden, but when we tested we lost 2 variables, so we are checking with the user on this.

    Will get back to you soon.

    Thanks & Regards

    Revathi

  6. Hutuleac Iulius repo owner

    Hi,

    To be specific, I added a condition: if variables contain the word “password” in the name, I avoid setting the initial variable, so it will be blank, and if you set it, it will override the original value. If you don't set it, then the plugin should avoid setting the value and the original value should remain in place.

    Julius
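
The behaviour described in the comment above, sketched as an added example (not the plugin's own code): secret variables are rendered without an initial value, and a blank submission keeps the stored value. The function names, the case-insensitive match and the sample variables are assumptions made for illustration.

```python
import html

# The thread names only the word "password"; matching case-insensitively
# is an assumption of this sketch.
SENSITIVE_WORDS = ("password",)

# Constructed sample plan variables (not real values).
PLAN = {"deploy.user": "deploy", "deploy.password": "s3cr3t-constructed"}


def is_sensitive(name, words=SENSITIVE_WORDS):
    lowered = name.lower()
    return any(word in lowered for word in words)


def render_fields(plan_variables):
    """Build the override form; a secret never reaches the page source."""
    rows = []
    for name, value in plan_variables.items():
        safe_name = html.escape(name, quote=True)
        if is_sensitive(name):
            # No initial value, so nothing shows up in the browser inspector.
            rows.append(f'<input type="password" name="{safe_name}" '
                        f'value="" autocomplete="off">')
        else:
            safe_value = html.escape(value, quote=True)
            rows.append(f'<input type="text" name="{safe_name}" '
                        f'value="{safe_value}">')
    return "\n".join(rows)


def merge_overrides(plan_variables, submitted):
    """Apply submitted overrides; a blank secret field keeps the stored value."""
    merged = dict(plan_variables)
    for name, value in submitted.items():
        if name not in plan_variables:
            continue  # ignore fields the plan does not define
        if is_sensitive(name) and value == "":
            continue  # blank means "not customized", not "set to empty"
        merged[name] = value
    return merged


if __name__ == "__main__":
    print(render_fields(PLAN))
    print(merge_overrides(PLAN, {"deploy.user": "ci", "deploy.password": ""}))
```

A name-based filter only protects variables whose names contain the listed words, so a secret stored under a different name would still be rendered with its value.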
