Password exposed in the logs


      In my deployment project I have defined three variables for each environment: deploy.targetDir, wls.username and wls.password. The third one is masked in the variables UI as appropriate (see screenshot).

      In an SSH task I perform the following:

      java weblogic.Deployer -adminurl iiop://localhost:7001 -username '${bamboo.wls.username}' -password '${bamboo.wls.password}' -deploy -name module -source "${bamboo.deploy.targetDir}/module.war" -targets server -nostage
      

      In the log the non-password substitutions are shown, while the password substitution is noted, without being shown, as appropriate.

      command	22-Oct-2013 15:27:10	Substituting variable: ${bamboo.wls.username} with devteam
      command	22-Oct-2013 15:27:10	Substituting password variable: ${bamboo.wls.password}
      command	22-Oct-2013 15:27:10	Substituting variable: ${bamboo.deploy.targetDir} with /apps/Oracle/Middleware/user_projects/domains/eja_domain/trinet_war
      

      However, the command is then emitted with the password in plain text:

      simple	22-Oct-2013 15:27:13	Executing [
      simple	22-Oct-2013 15:27:13	set -e
      simple	22-Oct-2013 15:27:13	. /apps/Oracle/Middleware/wlserver_12.1/server/bin/setWLSEnv.sh
      simple	22-Oct-2013 15:27:13	java weblogic.Deployer -adminurl iiop://localhost:7001 -username 'devteam' -password 'PLAINTEXT_PASSWORD' -deploy -name module -source "/apps/Oracle/Middleware/user_projects/domains/eja_domain/trinet_war/module.war" -targets server -nostage
      simple	22-Oct-2013 15:27:13	]
      

      This application is smart enough to avoid emitting the password in its own logging:

      build	22-Oct-2013 15:27:17	weblogic.Deployer invoked with options:  -adminurl iiop://localhost:7001 -username devteam -deploy -name module -source /apps/Oracle/Middleware/user_projects/domains/eja_domain/trinet_war/module.war -targets server -nostage
      build	22-Oct-2013 15:27:19	<Oct 22, 2013 3:27:19 PM EDT> <Info> <J2EE Deployment SPI> <BEA-260121> <Initiating deploy operation for application, module [archive: /apps/Oracle/Middleware/user_projects/domains/eja_domain/trinet_war/module.war], to server .> 
      build	22-Oct-2013 15:27:20	Task 134 initiated: [Deployer:149026]deploy application module on server.
      build	22-Oct-2013 15:28:45	Task 134 completed: [Deployer:149026]deploy application module on server.
      build	22-Oct-2013 15:28:45	Target state: deploy completed on Server server
      

      Either the password needs to be masked or excluded in the output of the command, or the command should not be emitted at all.

            Assignee:
            Krystian Brazulewicz
            Reporter:
            Eric A. Zarko
            Votes:
            21
            Watchers:
            25

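The report above shows the gap: the password variable is masked at substitution time, but the fully substituted command is echoed afterwards. The following Python, added here as an illustration and not part of Bamboo or of the issue, shows the output-side mitigation the reporter asks for (redacting known password values before a line reaches the log) together with a detection pass over an existing log; the variable name, the password value and the log lines are constructed for the example.

```python
# Constructed sample: the variables a task marked as passwords, keyed by name.
# The value is made up for this example.
SECRET_VARS = {"bamboo.wls.password": "example-pass-123"}

# Constructed log lines shaped like the Bamboo output quoted in the report.
SAMPLE_LOG = [
    "command\t22-Oct-2013 15:27:10\tSubstituting variable: ${bamboo.wls.username} with devteam",
    "command\t22-Oct-2013 15:27:10\tSubstituting password variable: ${bamboo.wls.password}",
    "simple\t22-Oct-2013 15:27:13\tExecuting [",
    "simple\t22-Oct-2013 15:27:13\tjava weblogic.Deployer -adminurl iiop://localhost:7001 "
    "-username 'devteam' -password 'example-pass-123' -deploy -name module",
    "simple\t22-Oct-2013 15:27:13\t]",
]

MASK = "********"


def redact(line, secrets, mask=MASK):
    """Replace every occurrence of each secret value in `line` with `mask`.

    Longest values first, so a secret that is a prefix of another cannot leave
    the tail of the longer one exposed. Empty values are skipped: str.replace
    with an empty needle would insert the mask between every character.
    """
    for value in sorted((s for s in secrets if s), key=len, reverse=True):
        line = line.replace(value, mask)
    return line


def safe_log(lines, secret_vars):
    """Output-side filter: redact all password-marked values from every line,
    regardless of which task or subsystem produced the line."""
    values = set(secret_vars.values())
    return [redact(line, values) for line in lines]


def scan_log(lines, secret_vars):
    """Detection check over an existing log: return (line_index, variable_name)
    for every line that still carries a password-marked value in clear."""
    findings = []
    for i, line in enumerate(lines):
        for name, value in secret_vars.items():
            if value and value in line:
                findings.append((i, name))
    return findings
```

A plain substring match only catches the value exactly as resolved; a secret that a task re-encodes (URL-encoded, base64, shell-escaped) before echoing it would pass this filter, so the filter complements, rather than replaces, not echoing the substituted command at all.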