Bamboo Data Center / BAM-17488

Password masking in logs outputs a lot of asterisks if any of the password variables contains an asterisk


    • Type: Bug
    • Resolution: Fixed
    • Priority: Low
    • Fix Version/s: 5.12.0.2
    • Affects Version/s: 5.9.1, 5.10.3

      Summary

      Password masking in logs outputs a lot of asterisks if any of the password variables contains an asterisk and there is more than 1 password variable.

      Steps to Reproduce

      1. Create 2 variables with "password" in their names:
        1. password1 = 123
        2. password2 = *
      2. Add a script task that runs any command, for example echo "Hello"
      3. Run the plan

      Expected Results

      In the build logs, it should show:
      password1=********
      password2=********

      Actual Results

      For each password Bamboo would show 512 asterisks

      Extent

      If you have multiple variables that contain passwords of just asterisks, the number of asterisks grows exponentially, as a power of 8. If there are 10 variables containing just asterisks, Bamboo will create 1 billion asterisks for each password variable in the logs.
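
An added example (not Bamboo's code and not part of the original report) that models the cascade described above: it assumes the masker runs one replace pass per password variable, so later passes rescan masks written by earlier ones, and contrasts that with a single-pass masker. The function names and the sample log lines are constructed for illustration.

```python
import re

MASK = "********"  # the 8-character mask shown under Expected Results


def mask_sequential(line, secrets):
    """Assumed model of the defect: one replace pass per secret value.

    Every pass rescans the output of the passes before it, so a secret
    that occurs inside MASK (such as "*") expands masks already written.
    """
    for secret in secrets:
        if secret:
            line = line.replace(secret, MASK)
    return line


def mask_single_pass(line, secrets):
    """Mask every secret in one scan; replacement text is never rescanned."""
    # De-duplicate, drop empty values, and try longer secrets first so a
    # short secret cannot split a longer one that contains it.
    unique = sorted({s for s in secrets if s}, key=len, reverse=True)
    if not unique:
        return line
    pattern = re.compile("|".join(re.escape(s) for s in unique))
    return pattern.sub(lambda _match: MASK, line)


def longest_star_run(text):
    """Length of the longest run of asterisks, for inspecting masked output."""
    return max((len(run) for run in re.findall(r"\*+", text)), default=0)


if __name__ == "__main__":
    # Constructed log line using the values from Steps to Reproduce.
    secrets = ["123", "*"]
    line = "password1=123 password2=*"
    print("sequential :", mask_sequential(line, secrets))
    print("single pass:", mask_single_pass(line, secrets))

    # Constructed Extent scenario: n variables whose value is just "*".
    for n in (1, 2, 3, 4):
        grown = longest_star_run(mask_sequential("value=*", ["*"] * n))
        fixed = longest_star_run(mask_single_pass("value=*", ["*"] * n))
        print(f"{n} variables: sequential={grown} single pass={fixed}")
```

Under this model each asterisk-only variable multiplies the masked length by 8, which is consistent with the 1 billion figure quoted for 10 variables; the single-pass version stays at 8 regardless of how many variables are defined.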

      Workaround

      For Bamboo 5.10.3, this patched jar will prevent the cascading effect of the password masking.

      1. Stop Bamboo
      2. Back up <bamboo install dir>/atlassian-bamboo/WEB-INF/lib/atlassian-bamboo-api-5.10.3.jar to a separate directory
      3. Place this file (atlassian-bamboo-api-5.10.3.jar) in the above directory
      4. Start Bamboo

              mgardias Marcin Gardias
              dlee@atlassian.com Deric Lee (Inactive)