  1. Bamboo Data Center
  2. BAM-25975

Bamboo Agent installer prints the Security token after installation

    • Type: Bug
    • Resolution: Fixed
    • Priority: Low
    • Fix Version/s: 9.2.22, 9.6.10, 10.2.1
    • Affects Version/s: 9.2.21, 9.6.9, 10.1.1
    • Component/s: Agents, Docker
    • Labels: None

      Issue Summary

      The Bamboo Agent installer prints the BAMBOO_SECURITY_TOKEN to the standard output after the Agent is installed.

      This is reproducible on Data Center: yes

      Steps to Reproduce

      1. Install a Bamboo Remote Agent and specify a Security Token
      2. Observe the logs on the screen

      Expected Results

      No signs of the Security token should have been printed on the screen. This is desired in environments such as "Dockerized" or automated systems where the Security Token is the "sign on" method of every Agent and that string should not be exposed in any logs at the risk of misuse.

      Actual Results

      The BAMBOO_SECURITY_TOKEN is visible:

      Installing agent wrapper
      Installing file: /generic/conf/wrapper-license.conf to: /var/atlassian/application-data/bamboo-agent/conf/wrapper-license.conf
      Installing file: /generic/lib/wrapper.jar to: /var/atlassian/application-data/bamboo-agent/lib/wrapper.jar
      Installing file: /arch/linux/arm64/wrapper to: /var/atlassian/application-data/bamboo-agent/bin/wrapper
      Installing file: /arch/linux/arm64/libwrapper.so to: /var/atlassian/application-data/bamboo-agent/lib/libwrapper.so
      Installing file: /generic/bin/bamboo-agent.sh to: /var/atlassian/application-data/bamboo-agent/bin/bamboo-agent.sh
      Installing file: /generic/lib/bamboo-agent-bootstrap-jar-with-dependencies.jar to: /var/atlassian/application-data/bamboo-agent/lib/bamboo-agent-bootstrap.jar
      Unzipping /classpath.zip to /var/atlassian/application-data/bamboo-agent/classpath
      Could not find source file /classpath.zip
      Agent installed
      KUBE_NUM_EXTRA_CONTAINERS: 0
      SHLVL: 0
      SHELL: /bin/bash
      TZ: Australia/Sydney
      ...
      BAMBOO_SECURITY_TOKEN: f3a51f98c77569125538180c8107a89060e1be29     <<<<<<< HERE
      ...
      HOSTNAME: d_bamboo1002_agent1
      ...
      Running [/var/atlassian/application-data/bamboo-agent/bin/bamboo-agent.sh, console]
      Agent process started, shutdown hook registered, proceeding with log pump...
      Running Bamboo Agent...
      

      Workaround

      Currently there is no known workaround for this behavior. A workaround will be added here when available.
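An added illustration, not Atlassian code and not an official workaround for this issue: a shell filter that masks sensitive values in `NAME: value` environment dumps like the one shown under Actual Results, plus a scan that lists where such values already sit in stored logs without printing them. The name pattern, the mask string and the sample output (with a constructed all-zero token) are assumptions.

```shell
#!/usr/bin/env bash
# Added example (not Atlassian code): handle "NAME: value" environment dumps
# like the one in the installer output above.

# Variable names treated as sensitive (assumption; extend for your environment).
NAME_RE='[A-Za-z0-9_]*(TOKEN|SECRET|PASSWORD|CREDENTIAL)[A-Za-z0-9_]*'
MASK='[REDACTED]'

# mask_env_dump: stdin -> stdout, replacing the value of every sensitive name.
# Lines such as "Installing file: /a to: /b" are untouched because the text
# before the first colon is not a single variable-like word.
mask_env_dump() {
  sed -E "s/^([[:space:]]*${NAME_RE}:[[:space:]]*)[^[:space:]]+/\1${MASK}/"
}

# report_exposures FILE...: print "file:line:NAME" for each unmasked secret in
# stored logs. The value itself is never printed, so the report can be shared
# and used to decide which agents' tokens need rotating.
report_exposures() {
  grep -HnE "^[[:space:]]*${NAME_RE}:[[:space:]]*[^[:space:]]" "$@" |
    grep -vF "$MASK" |
    sed -E 's/^([^:]*:[0-9]+:)[[:space:]]*([A-Za-z0-9_]+):.*/\1\2/'
}

# Constructed sample in the shape of the installer output; the token is fake.
sample_installer_output() {
  cat <<'EOF'
Installing file: /generic/lib/wrapper.jar to: /opt/agent/lib/wrapper.jar
Agent installed
SHELL: /bin/bash
BAMBOO_SECURITY_TOKEN: 0000000000000000000000000000000000000000
HOSTNAME: agent-example
Running Bamboo Agent...
EOF
}

# Demo: the stream as it would reach the log sink after masking.
sample_installer_output | mask_env_dump
```

Masking only protects logs written after the filter is in place; any token that `report_exposures` finds in existing logs should be treated as disclosed.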

            [BAM-25975] Bamboo Agent installer prints the Security token after installation

            Mateusz Szmal made changes -
            Resolution New: Fixed [ 1 ]
            Status Original: Waiting for Release [ 12075 ] New: Closed [ 6 ]
            Eduardo Alvarenga made changes -
            Security Original: Reporter and Atlassian Staff [ 10751 ]
            Eduardo Alvarenga made changes -
            Status Original: In Review [ 10051 ] New: Waiting for Release [ 12075 ]
            Eduardo Alvarenga made changes -
            Fix Version/s New: 10.2.1 [ 110796 ]
            Fix Version/s New: 9.6.10 [ 110356 ]
            Fix Version/s New: 9.2.22 [ 110355 ]
            Eduardo Alvarenga made changes -
            Status Original: In Progress [ 3 ] New: In Review [ 10051 ]
            Jonathan Barth made changes -
            Remote Link New: This issue links to "Page (Confluence)" [ 971888 ]
            Eduardo Alvarenga made changes -
            Status Original: Needs Triage [ 10030 ] New: In Progress [ 3 ]
            Eduardo Alvarenga made changes -
            Assignee New: Eduardo Alvarenga [ 73868399605e ]
            Eduardo Alvarenga made changes -
            Remote Link New: This issue links to "+core+ Dogfooding › Test Git Branch Detection › issue-BAM-25975-92-do-not-expose-sensitive-agents-variables (tardigrade-bamboo)" [ 971675 ]
            Eduardo Alvarenga created issue -
