Details
- Bug
- Resolution: Fixed
- High
- 5.2, 5.4.2, 5.7.0, 5.8.1
- None
Description
In my deployment project I have defined three variables for each environment: deploy.targetDir, wls.username and wls.password. The third one is masked in the variables UI as appropriate (see screenshot).
In an SSH task I perform the following:
java weblogic.Deployer -adminurl iiop://localhost:7001 -username '${bamboo.wls.username}' -password '${bamboo.wls.password}' -deploy -name module -source "${bamboo.deploy.targetDir}/module.war" -targets server -nostage
In the log the non-password substitutions are shown, while the password substitution is noted, without being shown, as appropriate.
command 22-Oct-2013 15:27:10 Substituting variable: ${bamboo.wls.username} with devteam
command 22-Oct-2013 15:27:10 Substituting password variable: ${bamboo.wls.password}
command 22-Oct-2013 15:27:10 Substituting variable: ${bamboo.deploy.targetDir} with /apps/Oracle/Middleware/user_projects/domains/eja_domain/trinet_war
However, the command is then emitted with the password in plain text:
simple 22-Oct-2013 15:27:13 Executing [
simple 22-Oct-2013 15:27:13 set -e
simple 22-Oct-2013 15:27:13 . /apps/Oracle/Middleware/wlserver_12.1/server/bin/setWLSEnv.sh
simple 22-Oct-2013 15:27:13 java weblogic.Deployer -adminurl iiop://localhost:7001 -username 'devteam' -password 'PLAINTEXT_PASSWORD' -deploy -name module -source "/apps/Oracle/Middleware/user_projects/domains/eja_domain/trinet_war/module.war" -targets server -nostage
simple 22-Oct-2013 15:27:13 ]
This application is smart enough to avoid emitting the password in its own logging:
build 22-Oct-2013 15:27:17 weblogic.Deployer invoked with options: -adminurl iiop://localhost:7001 -username devteam -deploy -name module -source /apps/Oracle/Middleware/user_projects/domains/eja_domain/trinet_war/module.war -targets server -nostage
build 22-Oct-2013 15:27:19 <Oct 22, 2013 3:27:19 PM EDT> <Info> <J2EE Deployment SPI> <BEA-260121> <Initiating deploy operation for application, module [archive: /apps/Oracle/Middleware/user_projects/domains/eja_domain/trinet_war/module.war], to server .>
build 22-Oct-2013 15:27:20 Task 134 initiated: [Deployer:149026]deploy application module on server.
build 22-Oct-2013 15:28:45 Task 134 completed: [Deployer:149026]deploy application module on server.
build 22-Oct-2013 15:28:45 Target state: deploy completed on Server server
Either the password needs to be masked or excluded in the output of the command, or the command should not be emitted at all.
Issue Links
- duplicates: BAM-13420 Password exposed in the logs (Closed)
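
Added example, not part of the original report and not Bamboo's code: one way to implement the masking the report asks for, by rendering the command twice (once for execution, once for the log) and scrubbing secret values from any other line before it is written. The ${bamboo.<name>} reference syntax is taken from the report; the function names, the mask string and the sample values are assumptions constructed for illustration.

```python
import re

# Reference syntax as shown in the report: ${bamboo.<name>}
VAR_REF = re.compile(r"\$\{bamboo\.([A-Za-z0-9_.]+)\}")
MASK = "********"  # assumed mask string


def render(command, variables, secret_names, for_log):
    """Expand ${bamboo.*} references; mask secret values when for_log is True."""
    def repl(match):
        name = match.group(1)
        if name not in variables:
            return match.group(0)      # unknown reference: leave as written
        if for_log and name in secret_names:
            return MASK
        return variables[name]
    return VAR_REF.sub(repl, command)


def scrub(line, variables, secret_names):
    """Second line of defence: mask secret values in any line before logging it."""
    values = [variables[n] for n in secret_names if variables.get(n)]
    # Longest first, so a secret that contains another secret is masked whole.
    for value in sorted(values, key=len, reverse=True):
        line = line.replace(value, MASK)
    return line


# Constructed sample data (not real credentials or paths).
VARIABLES = {
    "wls.username": "devteam",
    "wls.password": "s3cr3t-example",
    "deploy.targetDir": "/apps/example/module_war",
}
SECRETS = {"wls.password"}
COMMAND = ("java weblogic.Deployer -adminurl iiop://localhost:7001 "
           "-username '${bamboo.wls.username}' -password '${bamboo.wls.password}' "
           "-deploy -name module -source \"${bamboo.deploy.targetDir}/module.war\"")

if __name__ == "__main__":
    to_run = render(COMMAND, VARIABLES, SECRETS, for_log=False)  # passed to the shell only
    to_log = render(COMMAND, VARIABLES, SECRETS, for_log=True)   # written to the build log
    print("Executing [", to_log, "]")
    # Output echoed back by the remote side is scrubbed by value, not by variable name.
    print(scrub("echo: -password 's3cr3t-example'", VARIABLES, SECRETS))
```

Scrubbing by value only catches the secret in its literal form; an encoded or transformed copy in the output would not be matched.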