
Credentials are revealed in log #2449

Closed
dmosen opened this issue Jun 3, 2022 · 6 comments · Fixed by #2459

dmosen commented Jun 3, 2022

Current behavior

Credentials are revealed in the logs (see example below):
Run automated release from branch master on repository https://username:password@bitbucket.example.com/repo.git

Expected behavior

Credentials should be hidden (see example below):
Run automated release from branch master on repository https://[secret]@bitbucket.example.com/repo.git

Environment

  • semantic-release version: 19.0.2
  • CI environment: TeamCity
  • Plugins used: commit-analyzer, release-notes-generator, changelog, exec, git
  • semantic-release configuration:
    ```json
    "release": {
      "plugins": [
        "@semantic-release/commit-analyzer",
        [
          "@semantic-release/release-notes-generator",
          { "preset": "angular", "linkCompare": false, "linkReferences": false }
        ],
        [ "@semantic-release/changelog", { "changelogFile": "docs/CHANGELOG.md" } ],
        [ "@semantic-release/exec", { "prepareCmd": "echo ##teamcity[buildNumber '${nextRelease.version}']" } ],
        [ "@semantic-release/git", { "assets": [ "docs/CHANGELOG.md" ] } ]
      ]
    }
    ```
  • CI logs: see above for the relevant log entry

We are using semantic-release in combination with Bitbucket Server. Credentials are passed via environment variable BITBUCKET_TOKEN_BASIC_AUTH.

AFAIK this should be the relevant line that reveals (logs) the sensitive data:

`Run automated release from branch ${ciBranch} on repository ${options.repositoryUrl}${


travi commented Jun 7, 2022

@dmosen options.repositoryUrl should never contain credentials unless defined that way in the repository. Please make sure that repository.url is defined in your package.json without including the credentials there.


dmosen commented Jun 7, 2022

@travi there are no credentials in the package.json. It looks like below:
"repository": { "type": "git", "url": "https://bitbucket.example.com/repo.git" }


travi commented Jun 7, 2022

@dmosen I've investigated this further and confirmed that my statement was incorrect about never containing credentials. We do inject the credentials if push access is not available by default. Often, when CI is able to check out the repository, pushing is also possible without modifying the repository URL.

However, even when we do modify that repo URL within the process, the log that you are referring to is already masked. The only way that I've been able to reproduce the situation is when the entire value of BITBUCKET_TOKEN_BASIC_AUTH is less than

const SECRET_MIN_SIZE = 5;

Is the length of your BITBUCKET_TOKEN_BASIC_AUTH possibly shorter than that?


dmosen commented Jun 8, 2022

@travi Thanks for investigating the issue.

It looks like I found a clue: The token contained in BITBUCKET_TOKEN_BASIC_AUTH has a slash in it which is displayed in the log as %2F. At least, this seems to be the reason why our CI server does not hide the token as well, as the modified token does not exactly match the one given to the CI job. So could you try to reproduce the issue while using a token/password containing a slash?


github-actions bot commented Jun 9, 2022

🎉 This issue has been resolved in version 19.0.3 🎉

The release is available on:

Your semantic-release bot 📦🚀


travi commented Jun 9, 2022

@dmosen Thank you for reporting. A fix that removes the credentials entirely from the log output has been released in v19.0.3.

While we were already comparing to the URL-encoded versions of possible credentials-providing environment variables, encodeURI does exclude the / from the encoding process.

One note for the future though: when reporting a vulnerability like this, please try to do the disclosure privately. We would prefer to have the chance to better understand the problem and have a chance to develop and release a fix like this before others are made aware of the vulnerability. We don't yet have an official security policy defined; some recommendations for disclosing privately are provided by GitHub here.

Either way, thank you again for reporting and helping us make semantic-release safer for others.
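The masking gap discussed in this thread, reproduced as an added example (this is not semantic-release's own code, and the maintainers' actual fix differs in detail). The example builds the authenticated repository URL with the WHATWG `URL` class, whose userinfo encoding turns a `/` in the token into `%2F`; a mask that only knows the raw value and its `encodeURI` form (which leaves `/` alone) then misses the password, while adding the `encodeURIComponent` form catches it, and stripping userinfo before logging avoids the problem altogether. The env-var name filter, the `BITBUCKET_TOKEN_BASIC_AUTH` value `deploy-bot:s3cr3t/abc` and the repository URL are all constructed for the demonstration; `SECRET_MIN_SIZE` is the threshold quoted above.

```javascript
// Added example, not semantic-release's own code. Reproduces the "%2F" masking gap from
// this issue and shows two remedies. The env-var filter, token and URL below are constructed.
const SECRET_MIN_SIZE = 5; // threshold quoted by the maintainer above

// Hypothetical filter for secret-looking env var names (semantic-release's real list differs).
const SECRET_KEY_PATTERN = /token|password|secret|credential|auth/i;

const escapeRegExp = (s) => s.replace(/[.*+?^${}()|[\]\\]/g, '\\$&');

// Expand every secret-looking env value through each encoding variant. A "user:password"
// value is also split, because URL userinfo percent-encodes the two halves separately.
function collectSecrets(env, variants) {
  const out = new Set();
  for (const [key, value] of Object.entries(env)) {
    if (!SECRET_KEY_PATTERN.test(key) || typeof value !== 'string') continue;
    const v = value.trim();
    const parts = [v];
    const colon = v.indexOf(':');
    if (colon > 0 && colon < v.length - 1) parts.push(v.slice(0, colon), v.slice(colon + 1));
    for (const part of parts) {
      if (part.length < SECRET_MIN_SIZE) continue; // too short to mask safely
      for (const encode of variants) out.add(encode(part));
    }
  }
  // Longest first so the alternation prefers the full value over a prefix of it.
  return [...out].sort((a, b) => b.length - a.length);
}

function mask(secrets, text) {
  if (secrets.length === 0) return text;
  const re = new RegExp(secrets.map(escapeRegExp).join('|'), 'g');
  return text.replace(re, '[secret]');
}

// Before: raw value plus encodeURI(value). encodeURI leaves "/" and ":" untouched,
// so a secret that became "%2F" inside the URL never matches.
function maskWeak(env, text) {
  return mask(collectSecrets(env, [(s) => s, encodeURI]), text);
}

// After: also the encodeURIComponent form, which turns "/" into "%2F".
function maskStrong(env, text) {
  return mask(collectSecrets(env, [(s) => s, encodeURI, encodeURIComponent]), text);
}

// Build the authenticated push URL. The WHATWG URL class percent-encodes userinfo,
// so "/" in the password comes out as "%2F", matching what the reporter saw in the log.
function withCredentials(repositoryUrl, user, password) {
  const u = new URL(repositoryUrl);
  u.username = user;
  u.password = password;
  return u.href;
}

// The remedy the thread settled on: never log the credential at all.
function stripCredentials(repositoryUrl) {
  const u = new URL(repositoryUrl);
  u.username = '';
  u.password = '';
  return u.href;
}

const logLine = (repositoryUrl, branch) =>
  `Run automated release from branch ${branch} on repository ${repositoryUrl}`;

// Constructed sample input: a user:password token whose password half contains a slash.
const SAMPLE_ENV = { BITBUCKET_TOKEN_BASIC_AUTH: 'deploy-bot:s3cr3t/abc' };
const SAMPLE_REPO = 'https://bitbucket.example.com/repo.git';

function demo(env = SAMPLE_ENV, repo = SAMPLE_REPO) {
  const cred = env.BITBUCKET_TOKEN_BASIC_AUTH;
  const i = cred.indexOf(':');
  const authUrl = withCredentials(repo, cred.slice(0, i), cred.slice(i + 1));
  const raw = logLine(authUrl, 'master');
  return {
    raw,                                                    // credential fully visible
    weak: maskWeak(env, raw),                               // user masked, password leaks as %2F form
    strong: maskStrong(env, raw),                           // both halves masked
    stripped: logLine(stripCredentials(authUrl), 'master'), // credential never reaches the log
  };
}

console.log(demo());
```

The `weak` line is the reporter's symptom: the CI server's own masking fails for the same reason, since it compares against the literal value it was given, not the percent-encoded form that ended up in the URL. Masking by string comparison is a safety net with encoding-shaped holes; removing userinfo from anything that is logged, as the released fix does, is the more robust default.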
