Details
Bug
Resolution: Fixed
Low
Description
It appears that if text output in the pipeline logs matches the value of a variable, that variable's name is shown in the logs instead of the text.
This could potentially lead to the discovery of environment variable values through the log.
My repeatable steps:
Deployment Environment Variable: SOME_VAR with a value of 1
image: atlassian/pipelines-awscli
services:
  - docker
Example Output Logs:
Step $SOME_VAR/$SOME_VAR2 : From node:$SOME_VAR2.4.0
$SOME_VAR2.4.0: Pulling from library/node
...
Expected:
Step 1/12 : From node:12.4.0
12.4.0: Pulling from library/node
...
So everywhere in the logs where the number 1 should have been shown, it was being replaced with the environment variable $SOME_VAR, since it also had the value of 1.
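
A minimal model of the behaviour described in this report, added here as an example; it is not the product's masking code and not part of the original report. It reproduces the reported output with a plain substring masker and then audits which variables would be disclosed by masking. The function names, the `API_TOKEN` variable, the 8-character threshold and the value `12` for `SOME_VAR2` (inferred from the "Expected" log) are assumptions.

```python
# Constructed inputs modelled on the report. SOME_VAR=1 is from the report;
# SOME_VAR2=12 is an assumption inferred from its "Expected" log, and
# API_TOKEN is a constructed long value for contrast.
VARIABLES = {"SOME_VAR": "1", "SOME_VAR2": "12", "API_TOKEN": "q7Lw2ZpX9tRk4VbN"}
RAW_LOG = [
    "Step 1/12 : From node:12.4.0",
    "12.4.0: Pulling from library/node",
]


def naive_mask(line, variables):
    """Model of the reported behaviour: every occurrence of a variable's
    value becomes $NAME (longest values first, so 12 wins over 1)."""
    for name, value in sorted(variables.items(), key=lambda kv: -len(kv[1])):
        line = line.replace(value, "$" + name)
    return line


def audit(variables, sample_log, min_len=8):
    """Flag variables that masking would disclose: values shorter than
    min_len (an assumed threshold) or values found in ordinary log text."""
    findings = {}
    for name, value in variables.items():
        hits = sum(line.count(value) for line in sample_log)
        reasons = []
        if len(value) < min_len:
            reasons.append(f"value is only {len(value)} chars")
        if hits:
            reasons.append(f"matches {hits} substrings of normal output")
        if reasons:
            findings[name] = reasons
    return findings


if __name__ == "__main__":
    for line in RAW_LOG:
        print(naive_mask(line, VARIABLES))
    for name, reasons in audit(VARIABLES, RAW_LOG).items():
        print(f"{name}: {'; '.join(reasons)}")
```

Running the audit against the log of a build that has no variables set shows which values collide with ordinary output before they are configured as masked variables.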