Azure Pipes prints password and SQL Connection String as cleartext to build log

When using Azure Pipes to deploy an Azure Web App with the DEBUG flag set to true, in one statement the logger logs the <publishData> response to the build log.

<publishData>...</publishData> not only contains the user password as cleartext but also the SQL Server connection string including the user and password.

This seems to be a security threat because anyone who can enable the Debug flag can get access to the deployment password and database login credentials.

1 answer

Answer accepted

Hey @Stefan Naegeli 

Thanks for raising this issue. I have notified the Microsoft team and they are looking into this. 

I strongly agree with you that credentials shouldn't be exposed. After investigating the issue, I found that it is related to the Azure CLI: it prints the password when you pass the --debug flag to the CLI deploy command.

Let me clarify, the credentials that are exposed are from the PublishProfile (credentials that Azure Web Apps generates to allow publishing your application from IDE for example). Your Azure Credentials (i.e. Service Principal) that give you access to your account / resources are not exposed. 

For example, this command would print the whole PublishProfile (user and password included): 

az webapp deployment source config-zip --resource-group example-azure-web-apps-deploy --name example-azure-web-apps-deploy --src app.zip --debug 

(You can see the source code here: https://bitbucket.org/microsoft/azure-web-apps-deploy)

Unfortunately, this would happen even using raw commands (i.e. without using the pipe), as we depend on the Azure CLI to execute the command, and we cannot prevent this.

For now, if your publishProfile has been exposed in the logs, I would suggest rotating it ("Reset Publish Profile" from the Azure Portal) and not using DEBUG mode unless you need to debug any problem with your deployment.

Thanks again for your feedback,

Raul

Hi Raul

Thanks for raising this with Microsoft. Can you share an Issue-Link to watch or will you post again on this thread when you get an update? 

You are correct: not the Service Principal but the content of the publish profile is exposed. This is unfortunate as the publish profile might also contain the SQL Connection string including the login user and password.

Best regards,
Stefan
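The thread above establishes what ends up in the build log when the pipe (or a raw az command) runs with --debug: the <publishData> document, whose publishProfile elements carry a userPWD attribute and whose <databases><add connectionString=...> children can carry a SQL Server password. As an added example that is not part of this thread or of the microsoft/azure-web-apps-deploy pipe, the following Python script scans a build log for that document, reports which credentials it exposes (without echoing the secrets again) and produces a redacted copy of the log. The sample log lines, host names, user names and passwords are constructed placeholders; the code assumes only that the XML has the shape Azure returns for a publish profile.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample of a build log: a few Azure CLI debug lines around the
# <publishData> document the CLI echoes when run with --debug. Every host,
# user name and password is a made-up placeholder. Assumption: the XML has
# the shape Azure returns, i.e. <publishProfile userName= userPWD=> elements
# with <databases><add connectionString=> children.
SAMPLE_LOG = """\
cli.azure.cli.core.sdk.policies: Request URL: 'https://management.azure.com/'
cli.azure.cli.core.sdk.policies: Response content:
cli.azure.cli.core.sdk.policies: <publishData><publishProfile profileName="example-app - Web Deploy" publishMethod="MSDeploy" publishUrl="example-app.scm.azurewebsites.net:443" msdeploySite="example-app" userName="$example-app" userPWD="S3cretPublishPw" destinationAppUrl="https://example-app.azurewebsites.net"><databases><add name="DefaultConnection" connectionString="Data Source=tcp:example.database.windows.net,1433;Initial Catalog=appdb;User ID=dbadmin;Password=S3cretDbPw" providerName="System.Data.SqlClient" type="Sql" /></databases></publishProfile></publishData>
Getting scm site credentials for zip deployment
Starting zip deployment. This operation can take a while to complete.
"""

# A publishData document; DOTALL because other loggers may break it across lines.
PUBLISH_DATA_RE = re.compile(r"<publishData>.*?</publishData>", re.DOTALL)
# The userPWD="..." attribute of a publishProfile element.
USER_PWD_RE = re.compile(r'(userPWD=")([^"]*)(")')
# A Password= / Pwd= key inside an ADO.NET style connection string.
CONN_PWD_RE = re.compile(r"(?i)((?:password|pwd)\s*=\s*)([^;\"'<]+)")


def find_exposed_credentials(log_text):
    """Report every credential a <publishData> block in the log exposes.

    Returns a list of dicts with kind ("userPWD", "connectionString" or
    "unparsed"), the profile name and the user or database name it belongs
    to. The secret values themselves are deliberately not returned.
    """
    findings = []
    for block in PUBLISH_DATA_RE.findall(log_text):
        try:
            root = ET.fromstring(block)
        except ET.ParseError:
            # A truncated or interleaved block is still a leak; report it coarsely.
            if USER_PWD_RE.search(block) or CONN_PWD_RE.search(block):
                findings.append({"kind": "unparsed", "profile": None, "name": None})
            continue
        for profile in root.iter("publishProfile"):
            if profile.get("userPWD"):
                findings.append({"kind": "userPWD",
                                 "profile": profile.get("profileName"),
                                 "name": profile.get("userName")})
            for db in profile.iter("add"):
                if CONN_PWD_RE.search(db.get("connectionString", "")):
                    findings.append({"kind": "connectionString",
                                     "profile": profile.get("profileName"),
                                     "name": db.get("name")})
    return findings


def redact_log(log_text, mask="***REDACTED***"):
    """Mask publish-profile passwords and connection-string passwords
    everywhere in the log so that it can be shared or archived."""
    redacted = USER_PWD_RE.sub(lambda m: m.group(1) + mask + m.group(3), log_text)
    return CONN_PWD_RE.sub(lambda m: m.group(1) + mask, redacted)


if __name__ == "__main__":
    for finding in find_exposed_credentials(SAMPLE_LOG):
        print(f"exposed {finding['kind']} in profile {finding['profile']!r} ({finding['name']})")
    print(redact_log(SAMPLE_LOG))
```

A finding from this scanner is the signal to do what the accepted answer recommends: reset the publish profile in the Azure Portal and, if a database connection string was in it, rotate that database login as well, since redacting the archived log does not undo the exposure to whoever could already read it.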
