Variables exposed in main.js which was built and deployed using Bitbucket Pipelines?

joshuatroy
April 11, 2019

We are using bitbucket pipelines to build and deploy our React app to AWS S3.

Below is our current pipeline:

- [pipeline has been removed]

In the first step we create a .env and pass it on to the later step as an artifact (this only includes a few deployment variables).

In the second step we build our httpdocs directory, which consists of an index.html, main.js, style.css and an assets directory; this step requires the .env.

In the third step we delete anything we do not want to deploy then upload the httpdocs directory to our specified AWS S3 bucket.

Once deployed, if we go to the URL where this has been deployed, xxx.co.uk/main.js, all variables are exposed: team, repository, deployment and even the default Bitbucket Pipelines variables (https://confluence.atlassian.com/bitbucket/environment-variables-in-bitbucket-pipelines-794502608.html).

This is obviously a huge security vulnerability for us, as our AWS Access Key and Secret Access Key were exposed on our website, and if we hadn't used https://detectify.com to run a security scan we wouldn't have known until it was possibly too late.

We have two almost identical projects with identical pipelines and deployment environments, and this issue hasn't occurred for those projects.

Has anyone else ever come across this issue before? It could possibly be something foolish we've done in the build, but we are a little lost: we've inspected our build code to see where it might possibly pull in these variables from, but this build code is identical to the other two projects' and the issue didn't occur there.

We have opened a ticket with Atlassian support, who are investigating the issue, but I just wanted to ask the community to see if anyone has ever stumbled across this issue before.

Thanks for your time!


*****

Current Progress Update

The Atlassian support team have recommended that we debug our pipelines locally with docker so that we can work out if it's an issue with our build or the pipeline.

https://confluence.atlassian.com/bitbucket/debug-your-pipelines-locally-with-docker-838273569.html
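A pre-deploy guard for the situation described in this thread, added here as an example and not code from the post or from Atlassian: between the build step and the S3 upload it scans the built httpdocs directory for values of the build container's environment variables and for anything shaped like an AWS access key id, so a bundle that inlined the pipeline environment is caught before it is published. The sample bundle, the sample environment, the REACT_APP_ public prefix and the scanned file extensions are assumptions.

```python
import os
import re

# Constructed stand-in for a built httpdocs/main.js into which the build inlined an
# environment object; not the poster's real bundle.
SAMPLE_BUNDLE = (
    'var e={NODE_ENV:"production",REACT_APP_API_URL:"https://api.example.test",'
    'AWS_ACCESS_KEY_ID:"AKIAIOSFODNN7EXAMPLE",BITBUCKET_REPO_SLUG:"my-react-app"};'
)
# Constructed build-time environment; credential values are the AWS doc placeholders.
SAMPLE_ENV = {
    "NODE_ENV": "production",
    "REACT_APP_API_URL": "https://api.example.test",
    "AWS_ACCESS_KEY_ID": "AKIAIOSFODNN7EXAMPLE",
    "AWS_SECRET_ACCESS_KEY": "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY",
    "BITBUCKET_REPO_SLUG": "my-react-app",
}

AWS_ACCESS_KEY_RE = re.compile(r"\bAKIA[0-9A-Z]{16}\b")  # shape of an AWS access key id
PUBLIC_PREFIXES = ("REACT_APP_",)  # assumption: CRA-style vars that are meant to be inlined
IGNORED_NAMES = {"NODE_ENV"}       # legitimately ends up in every production bundle
MIN_VALUE_LEN = 8                  # shorter values match by chance too easily

def find_leaked_env_values(bundle_text, env):
    """Names of env vars whose value appears verbatim in the bundle text."""
    return sorted(
        name for name, value in env.items()
        if name not in IGNORED_NAMES
        and not name.startswith(PUBLIC_PREFIXES)
        and len(value) >= MIN_VALUE_LEN
        and value in bundle_text
    )

def find_aws_key_ids(bundle_text):
    """Anything shaped like an AWS access key id, whichever variable it came from."""
    return AWS_ACCESS_KEY_RE.findall(bundle_text)

def check_build_dir(build_dir, env=None):
    """Scan deployable files under build_dir; returns {path: [findings]}."""
    env = dict(os.environ) if env is None else env
    findings = {}
    for root, _, files in os.walk(build_dir):
        for name in files:
            if not name.endswith((".js", ".map", ".html", ".css")):
                continue
            path = os.path.join(root, name)
            with open(path, encoding="utf-8", errors="replace") as fh:
                text = fh.read()
            hits = find_leaked_env_values(text, env) + find_aws_key_ids(text)
            if hits:
                findings[path] = hits
    return findings
```

In the pipeline, call `check_build_dir("httpdocs")` as a script step after the build and exit non-zero when the result is non-empty so the upload step never runs; the same scan is worth running against the already-deployed main.js while rotating the exposed keys.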
