Logs showing variable names in place of text output

Issue #18879 closed
Michael Crowe created an issue

It appears that if text output in the pipeline logs matches the value of a variable, that variable name is shown in the Logs instead of the text.

This could potentially lead to the discovery of environment variable values through the log.

My repeatable steps:

Deployment Environment Variable: SOME_VAR with a value of 1

image: atlassian/pipelines-awscli

services:
  - docker

Example Output Logs:

Step $SOME_VAR/$SOME_VAR2 : From node:$SOME_VAR2.4.0
$SOME_VAR2.4.0: Pulling from library/node
...

Expected:

Step 1/12 : From node:12.4.0
12.4.0: Pulling from library/node
...

So everywhere in the logs where the number 1 should have been shown, it was being replaced with the environment variable $SOME_VAR, since it also had the value of 1.

Comments (2)

  1. Michael Crowe reporter
    • edited description

    It appears that if text output in the pipeline logs matches the value of a variable, that variable name is shown in the Logs instead of the text.

    This could potentially lead to the discovery of environment variable values through the log.

    My repeatable steps:

    Deployment Environment Variable: SOME_VAR with a value of 1

    image: atlassian/pipelines-awscli

    services:
      - docker

    Example Output Logs:

    Step $SOME_VAR/12 : From node:$SOME_VAR2.4.0
    $SOME_VAR2.4.0: Pulling from library/node
    ...
    

    Expected:

    Step 1/12 : From node:12.4.0
    12.4.0: Pulling from library/node
    ...
    

    So everywhere in the logs where the number 1 should have been shown, it was being replaced with the environment variable $SOME_VAR, since it also had the value of 1.

  2. aneita staff

    Thanks for raising this.

    This behaviour is actually by design - we mask every instance of the value of a secured environment variable with the name of the variable. Secured environment variables are typically used for things like passwords, which are more unique than values that appear in logs.

    If the variable doesn't need to be masked in the logs, then the variable doesn't need to be configured as a 'secured' variable. Just to be clear, all variables are encrypted - the only difference between secured vs non-secured variables is whether or not they're visible in the UI.

    If you do require the use of a secure variable, I suggest that you change the value of the variable to be more unique.

    Thanks,
    Aneita
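
The masking behaviour described in this thread, as an added example that is not Bitbucket Pipelines code and not part of the original issue: `mask_log` replaces every occurrence of a secured value with `$NAME`, and `colliding_secrets` is a pre-flight check for values that ordinary log text would give away. The function names, the `API_TOKEN` entry and the `min_len=8` threshold are assumptions made for illustration.

```python
import re

# Secured variables as name -> value. SOME_VAR=1 is the case from the issue;
# API_TOKEN is a constructed sample of a value unique enough to mask safely.
SECURED = {"SOME_VAR": "1", "API_TOKEN": "constructed-3f9c1d7e5b"}

# Unmasked build output, taken from the "Expected" section of the issue.
EXPECTED = [
    "Step 1/12 : From node:12.4.0",
    "12.4.0: Pulling from library/node",
]


def mask_log(line, secured):
    """Replace every occurrence of a secured value with $NAME in one pass.

    A single alternation, longest value first, keeps a short secret from
    splitting a longer one and keeps inserted names from being re-masked.
    """
    by_value = {value: name for name, value in secured.items() if value}
    if not by_value:
        return line
    ordered = sorted(by_value, key=len, reverse=True)
    pattern = re.compile("|".join(re.escape(v) for v in ordered))
    return pattern.sub(lambda m: "$" + by_value[m.group(0)], line)


def colliding_secrets(secured, reference_lines, min_len=8):
    """Names of secured variables whose value the masked log would reveal.

    A value is flagged when it is shorter than min_len (assumed threshold)
    or already occurs in known non-secret output: in both cases a reader
    can infer it from the text around each $NAME placeholder.
    """
    flagged = set()
    for name, value in secured.items():
        in_plain_output = any(value in line for line in reference_lines)
        if len(value) < min_len or in_plain_output:
            flagged.add(name)
    return sorted(flagged)


if __name__ == "__main__":
    for line in EXPECTED:
        print(mask_log(line, SECURED))
    print("rotate or unsecure:", colliding_secrets(SECURED, EXPECTED))
```

Run against output from a build that uses no secured variables, `colliding_secrets` lists the variables to rotate to a longer value or to store as non-secured.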
