Secured variables shown in pipeline log

Martin Bohgard April 6, 2020

Using the `sftp-deploy` pipe from Atlassian I get my secured password "repository variable" printed out in my pipeline log. I thought those were meant to be hidden from the log?

Below is a copy of the log:
$FTP_HOST set to "host.com"
$FTP_USERNAME set to "user123"
$FTP_PASSWORD set to "ABCD12345"

Debug mode is on.

+ docker container run \
--volume=/opt/atlassian/pipelines/agent/build:/opt/atlassian/pipelines/agent/build \
--volume=/opt/atlassian/pipelines/agent/ssh:/opt/atlassian/pipelines/agent/ssh:ro \
--volume=/usr/local/bin/docker:/usr/local/bin/docker:ro \
--volume=/opt/atlassian/pipelines/agent/build/.bitbucket/pipelines/generated/pipeline/pipes:/opt/atlassian/pipelines/agent/build/.bitbucket/pipelines/generated/pipeline/pipes \
--volume=/opt/atlassian/pipelines/agent/build/.bitbucket/pipelines/generated/pipeline/pipes/atlassian/sftp-deploy:/opt/atlassian/pipelines/agent/build/.bitbucket/pipelines/generated/pipeline/pipes/atlassian/sftp-deploy \
--workdir=$(pwd) \
--label=org.bitbucket.pipelines.system=true \
--env=BITBUCKET_STEP_TRIGGERER_UUID="$BITBUCKET_STEP_TRIGGERER_UUID" \
--env=BITBUCKET_REPO_FULL_NAME="$BITBUCKET_REPO_FULL_NAME" \
--env=BITBUCKET_GIT_HTTP_ORIGIN="$BITBUCKET_GIT_HTTP_ORIGIN" \
--env=BITBUCKET_REPO_SLUG="$BITBUCKET_REPO_SLUG" \
--env=BITBUCKET_PROJECT_UUID="$BITBUCKET_PROJECT_UUID" \
--env=CI="$CI" \
--env=BITBUCKET_REPO_OWNER="$BITBUCKET_REPO_OWNER" \
--env=BITBUCKET_REPO_IS_PRIVATE="$BITBUCKET_REPO_IS_PRIVATE" \
--env=BITBUCKET_WORKSPACE="$BITBUCKET_WORKSPACE" \
--env=BITBUCKET_REPO_OWNER_UUID="$BITBUCKET_REPO_OWNER_UUID" \
--env=BITBUCKET_STEP_RUN_NUMBER="$BITBUCKET_STEP_RUN_NUMBER" \
--env=BITBUCKET_BUILD_NUMBER="$BITBUCKET_BUILD_NUMBER" \
--env=BITBUCKET_BRANCH="$BITBUCKET_BRANCH" \
--env=BITBUCKET_GIT_SSH_ORIGIN="$BITBUCKET_GIT_SSH_ORIGIN" \
--env=BITBUCKET_COMMIT="$BITBUCKET_COMMIT" \
--env=BITBUCKET_REPO_UUID="$BITBUCKET_REPO_UUID" \
--env=BITBUCKET_CLONE_DIR="$BITBUCKET_CLONE_DIR" \
--env=BITBUCKET_PROJECT_KEY="$BITBUCKET_PROJECT_KEY" \
--env=PIPELINES_JWT_TOKEN="$PIPELINES_JWT_TOKEN" \
--env=BITBUCKET_DOCKER_HOST_INTERNAL="$BITBUCKET_DOCKER_HOST_INTERNAL" \
--env=DOCKER_HOST="tcp://host.docker.internal:2375" \
--env=BITBUCKET_PIPE_SHARED_STORAGE_DIR="/opt/atlassian/pipelines/agent/build/.bitbucket/pipelines/generated/pipeline/pipes" \
--env=BITBUCKET_PIPE_STORAGE_DIR="/opt/atlassian/pipelines/agent/build/.bitbucket/pipelines/generated/pipeline/pipes/atlassian/sftp-deploy" \
--env=DEBUG="true" \
--env=LOCAL_PATH="dist/*" \
--env=PASSWORD="$FTP_PASSWORD" \
--env=REMOTE_PATH="/www" \
--env=SERVER="$FTP_HOST" \
--env=USER="$FTP_USERNAME" \
--add-host="host.docker.internal:$BITBUCKET_DOCKER_HOST_INTERNAL" \
bitbucketpipelines/sftp-deploy:0.5.4
Unable to find image 'bitbucketpipelines/sftp-deploy:0.5.4' locally
0.5.4: Pulling from bitbucketpipelines/sftp-deploy
9123ac7c32f7: Pulling fs layer
d98928055083: Pulling fs layer
c41d89d43ec8: Pulling fs layer
16a0202e78db: Pulling fs layer
133df80cc15d: Pulling fs layer
16a0202e78db: Waiting
133df80cc15d: Waiting
c41d89d43ec8: Verifying Checksum
c41d89d43ec8: Download complete
d98928055083: Verifying Checksum
d98928055083: Download complete
9123ac7c32f7: Verifying Checksum
9123ac7c32f7: Download complete
16a0202e78db: Verifying Checksum
16a0202e78db: Download complete
9123ac7c32f7: Pull complete
133df80cc15d: Download complete
d98928055083: Pull complete
c41d89d43ec8: Pull complete
16a0202e78db: Pull complete
133df80cc15d: Pull complete
Digest: sha256:fe920ce524458a868f74ea49fc508351cadee964bc263ac172cce0abb1291815
Status: Downloaded newer image for bitbucketpipelines/sftp-deploy:0.5.4
+ SFTP_DEBUG_ARGS=-v
INFO: Enabling debug mode.
INFO: Using PASSWORD.
+ [[ -z $FTP_PASSWORD ]]
+ info 'Using PASSWORD.'
+ echo -e '\e[36mINFO: Using PASSWORD.\e[0m'
+ setup_ssh_dir
+ INJECTED_SSH_CONFIG_DIR=/opt/atlassian/pipelines/agent/ssh
+ IDENTITY_FILE=/opt/atlassian/pipelines/agent/ssh/id_rsa_tmp
+ KNOWN_HOSTS_FILE=/opt/atlassian/pipelines/agent/ssh/known_hosts
+ mkdir -p /root/.ssh
+ touch /root/.ssh/authorized_keys
+ [[ -z $FTP_PASSWORD ]]
+ '[' '!' -f /opt/atlassian/pipelines/agent/ssh/known_hosts ']'
+ cat /opt/atlassian/pipelines/agent/ssh/known_hosts
+ '[' -f /root/.ssh/config ']'
+ [[ -z $FTP_PASSWORD ]]
+ chmod -R go-rwx /root/.ssh/
+ run_pipe
+ info 'Starting SFTP deployment to host.com:/www...'
INFO: Starting SFTP deployment to host.com:/www...
+ echo -e '\e[36mINFO: Starting SFTP deployment to host.com:/www...\e[0m'
+ set +e
+ [[ -z $FTP_PASSWORD ]]
+ debug Executing echo '"mput' 'dist/*"' '|' sshpass -p ABCD12345 sftp -o PubkeyAuthentication=no -rp -v user123@host.com:/www
+ [[ true == \t\r\u\e ]]
+ echo -e '\e[37mDEBUG: Executing echo "mput dist/*" | sshpass -p ABCD12345 sftp -o PubkeyAuthentication=no -rp -v user123@host.com:/www\e[0m'
DEBUG: Executing echo "mput dist/*" | sshpass -p ABCD12345 sftp -o PubkeyAuthentication=no -rp -v user123@host.com:/www
+ echo 'mput dist/*'
+ sshpass -p ABCD12345 sftp -o PubkeyAuthentication=no -rp -v user123@host.com:/www
OpenSSH_7.9p1, OpenSSL 1.1.1d 10 Sep 2019
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: Connecting to host.com [46.30.211.236] port 22.
debug1: Connection established.
debug1: identity file /root/.ssh/id_rsa type -1
debug1: identity file /root/.ssh/id_rsa-cert type -1
debug1: identity file /root/.ssh/id_dsa type -1
debug1: identity file /root/.ssh/id_dsa-cert type -1
debug1: identity file /root/.ssh/id_ecdsa type -1
debug1: identity file /root/.ssh/id_ecdsa-cert type -1
debug1: identity file /root/.ssh/id_ed25519 type -1
debug1: identity file /root/.ssh/id_ed25519-cert type -1
debug1: identity file /root/.ssh/id_xmss type -1
debug1: identity file /root/.ssh/id_xmss-cert type -1
debug1: Local version string SSH-2.0-OpenSSH_7.9
debug1: Remote protocol version 2.0, remote software version OpenSSH_7.6p1 Ubuntu-4ubuntu0.3
debug1: match: OpenSSH_7.6p1 Ubuntu-4ubuntu0.3 pat OpenSSH_7.0*,OpenSSH_7.1*,OpenSSH_7.2*,OpenSSH_7.3*,OpenSSH_7.4*,OpenSSH_7.5*,OpenSSH_7.6*,OpenSSH_7.7* compat 0x04000002
debug1: Authenticating to host.com:22 as 'user123'
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: algorithm: curve25519-sha256
debug1: kex: host key algorithm: ecdsa-sha2-nistp256
debug1: kex: server->client cipher: chacha20-poly1305@openssh.com MAC: <implicit> compression: none
debug1: kex: client->server cipher: chacha20-poly1305@openssh.com MAC: <implicit> compression: none
debug1: expecting SSH2_MSG_KEX_ECDH_REPLY
debug1: Server host key: ecdsa-sha2-nistp256 SHA256:8sBBlU4Q4RqUzZO1J0RpAucj6/DicaJI1TjPDcRO22U
debug1: Host 'host.com' is known and matches the ECDSA host key.
debug1: Found key in /root/.ssh/known_hosts:3
Warning: Permanently added the ECDSA host key for IP address '46.30.211.236' to the list of known hosts.
debug1: rekey after 134217728 blocks
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug1: SSH2_MSG_NEWKEYS received
debug1: rekey after 134217728 blocks
debug1: Will attempt key: /root/.ssh/id_rsa
debug1: Will attempt key: /root/.ssh/id_dsa
debug1: Will attempt key: /root/.ssh/id_ecdsa
debug1: Will attempt key: /root/.ssh/id_ed25519
debug1: Will attempt key: /root/.ssh/id_xmss
debug1: SSH2_MSG_EXT_INFO received
debug1: kex_input_ext_info: server-sig-algs=<ssh-ed25519,ssh-rsa,rsa-sha2-256,rsa-sha2-512,ssh-dss,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521>
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug1: Authentications that can continue: publickey,password
debug1: Next authentication method: password
debug1: Authentication succeeded (password).
Authenticated to host.com ([46.30.211.236]:22).
debug1: channel 0: new [client-session]
debug1: Requesting no-more-sessions@openssh.com
debug1: Entering interactive session.
debug1: pledge: network
debug1: client_input_global_request: rtype hostkeys-00@openssh.com want_reply 0
debug1: Sending subsystem: sftp
Connected to host.com.
Changing to: /www
sftp> mput dist/*
Uploading dist/assets/ to /customers/4/6/6/user123/httpd.www/assets
Entering dist/assets/
Uploading dist/favicon.png to /customers/4/6/6/user123/httpd.www/favicon.png
Uploading dist/index.html to /customers/4/6/6/user123/httpd.www/index.html
Uploading dist/robots.txt to /customers/4/6/6/user123/httpd.www/robots.txt
debug1: client_input_channel_req: channel 0 rtype exit-status reply 0
debug1: channel 0: free: client-session, nchannels 1
debug1: fd 0 clearing O_NONBLOCK
debug1: fd 2 clearing O_NONBLOCK
Transferred: sent 90280, received 4216 bytes, in 3.3 seconds
Bytes per second: sent 27264.3, received 1273.2
debug1: Exit status 0
+ STATUS=0
+ set -e
+ [[ 0 == \0 ]]
✔ Deployment finished.
+ success 'Deployment finished.'
+ echo -e '\e[32m✔ Deployment finished.\e[0m'
+ exit 0

Is this a bug or am I doing something wrong?
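Added example, not from the original post or the pipe itself: a small checker that scans pipeline log text for the values of secured variables (including their URL-encoded and base64 forms) and masks them. The sample log and the FTP_PASSWORD value are constructed from the lines quoted above.

```python
import base64
import re
from urllib.parse import quote

# Constructed sample: the lines of the pipeline log above where the secured
# value appears (the pipe's DEBUG echo and the bash "set -x" trace line).
SAMPLE_LOG = """\
INFO: Using PASSWORD.
DEBUG: Executing echo "mput dist/*" | sshpass -p ABCD12345 sftp -o PubkeyAuthentication=no -rp -v user123@host.com:/www
+ echo 'mput dist/*'
+ sshpass -p ABCD12345 sftp -o PubkeyAuthentication=no -rp -v user123@host.com:/www
debug1: Authentication succeeded (password).
"""

# Secured repository variables as the CI system would hand them to a masker
# (constructed; the value is the one shown in the log above).
SECURED = {"FTP_PASSWORD": "ABCD12345"}


def variants(value):
    """Encodings a log masker should look for: plain, URL-encoded, base64."""
    forms = {value, quote(value, safe=""), base64.b64encode(value.encode()).decode()}
    # Very short forms would mask unrelated text, so ignore them.
    return {f for f in forms if len(f) >= 4}


def find_leaks(log_text, secured):
    """Return [(line_no, var_name, form)] for each line exposing a secured value."""
    leaks = []
    for no, line in enumerate(log_text.splitlines(), start=1):
        for name, value in secured.items():
            for form in sorted(variants(value)):
                if form in line:
                    leaks.append((no, name, form))
    return leaks


def mask(log_text, secured):
    """Replace every known encoding of every secured value with ***."""
    forms = [f for v in secured.values() for f in variants(v)]
    if not forms:
        return log_text
    # Longest forms first so a shorter form never masks part of a longer one.
    pattern = re.compile("|".join(re.escape(f) for f in sorted(forms, key=len, reverse=True)))
    return pattern.sub("***", log_text)
```

The value reaches the trace because `sshpass -p` puts it on the command line, which bash's `set -x` then prints; `sshpass -e` reads the password from the SSHPASS environment variable instead, which keeps it off the traced command line.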

1 answer

0 votes
Halyna Berezovska
Atlassian Team
August 28, 2020

@Martin Bohgard, it looks like a bug.

Please check if it is still valid and whether PASSWORD is indeed secured for the latest versions of the pipe.

I also have a question: is your step a deployment, and does it use repository variables, not deployments?

Please check that you have secured all the sensitive variables in repo variables and in the deployments section.

For our part, we will investigate the issue.

Regards, Galyna
