Credentials are revealed in log #2449
Comments
@travi there are no credentials in the
@dmosen I've investigated this further and confirmed that my statement was incorrect about never containing credentials. We do inject the credentials if push access is not available by default. Often, when CI is able to check out the repository, pushing is also possible without modifying the repository URL. However, even when we do modify that repo URL within the process, the log that you are referring to is already masked. The only way that I've been able to reproduce the situation is when the entire value of
is the length of your
@travi Thanks for investigating the issue. It looks like I found a clue: The token contained in
🎉 This issue has been resolved in version 19.0.3 🎉 The release is available on: Your semantic-release bot 📦🚀
@dmosen thank you for reporting. A fix that removes the credentials entirely from the log output has been released in v19.0.3. While we were already comparing to the URL-encoded versions of possible credentials-providing environment variables, one note for the future though, when reporting a vulnerability like this, please try to do the disclosure privately. We would prefer to have the chance to better understand the problem and have a chance to develop and release a fix like this before others are made aware of the vulnerability. We don't yet have an official security policy defined, some recommendations for disclosing privately are provided by GitHub here. Either way, thank you again for reporting and helping us make semantic-release safer for others.
…ed to mask credentials (semantic-release#2459) fixes semantic-release#2449
Current behavior
Credentials are revealed in the logs (see example below):
Run automated release from branch master on repository https://username:password@bitbucket.example.com/repo.git
Expected behavior
Credentials should be hidden (see example below);
Run automated release from branch master on repository https://[secret]@bitbucket.example.com/repo.git
Environment

```json
"release": {
  "plugins": [
    "@semantic-release/commit-analyzer",
    [
      "@semantic-release/release-notes-generator",
      { "preset": "angular", "linkCompare": false, "linkReferences": false }
    ],
    [
      "@semantic-release/changelog",
      { "changelogFile": "docs/CHANGELOG.md" }
    ],
    [
      "@semantic-release/exec",
      { "prepareCmd": "echo ##teamcity[buildNumber '${nextRelease.version}']" }
    ],
    [
      "@semantic-release/git",
      { "assets": [ "docs/CHANGELOG.md" ] }
    ]
  ]
}
```
We are using semantic-release in combination with Bitbucket Server. Credentials are passed via environment variable BITBUCKET_TOKEN_BASIC_AUTH.
AFAIK this should be the relevant line that reveals (logs) the sensitive data:
semantic-release/index.js, line 78 in 2c30e26