bitrise-steplib / steps-ftp-upload

Bitrise step to upload a single file or a folder to an FTP server
MIT License

Secret data displayed in logs #10

Closed kensykora closed 7 years ago

kensykora commented 7 years ago

The log files for this task expose data that is flagged as secret within Bitrise.

Steps to reproduce:

  1. Create a $USER_NAME environment variable under App Env Vars
  2. Create a $PASSWORD environment variable under Secret Env Vars
  3. Create the FTP-Upload step and use these in the Username / Password field

Expected: Secret fields are not output to logs

Actual: Secret fields are revealed in logs.

Example (note password is not actually the password, but it is shown in my logs):

+------------------------------------------------------------------------------+
| (2) Azure Deploy                                                             |
+------------------------------------------------------------------------------+
| id: ftp-upload                                                               |
| version: 2.0.2                                                               |
| collection: https://github.com/bitrise-io/bitrise-steplib.git                |
| toolkit: bash                                                                |
| time: 2017-01-23T15:50:29-08:00                                              |
+------------------------------------------------------------------------------+
|                                                                              |

Configs:
  * hostname: waws-prod-ch1-023.ftp.azurewebsites.windows.net
  * username: projecttest\myproject
  * password: MyPassword!
  * upload_source_path: /Users/vagrant/git/src/project.Myproject.JSClient/
  * upload_target_path: site/wwwroot/

Installing lftp on Darwin
  $ brew install homebrew/boneyard/lftp
==> Tapping homebrew/boneyard
Cloning into '/usr/local/Homebrew/Library/Taps/homebrew/homebrew-boneyard'...
Tapped 276 formulae (310 files, 616.9K)
==> Installing lftp from homebrew/boneyard
==> Installing dependencies for homebrew/boneyard/lftp: pkg-config
==> Installing homebrew/boneyard/lftp dependency: pkg-config
==> Downloading https://homebrew.bintray.com/bottles/pkg-config-0.29.1_2.sierra.bottle.tar.gz
==> Pouring pkg-config-0.29.1_2.sierra.bottle.tar.gz
🍺  /usr/local/Cellar/pkg-config/0.29.1_2: 10 files, 627.5K
==> Installing homebrew/boneyard/lftp 
==> Downloading https://lftp.yar.ru/ftp/lftp-4.6.6.tar.xz
==> Downloading from https://lftp.tech/ftp/lftp-4.6.6.tar.xz
==> ./configure --prefix=/usr/local/Cellar/lftp/4.6.6 --with-openssl=/usr/local/opt/openssl
==> make install
🍺  /usr/local/Cellar/lftp/4.6.6: 21 files, 2.5M, built in 3 minutes 18 seconds

Uploading /Users/vagrant/git/src/project.Myproject.JSClient/ -> site/wwwroot/
|                                                                              |
+---+---------------------------------------------------------------+----------+
| x | Azure Deploy (exit code: 1)                                   | 222 sec  |
+---+---------------------------------------------------------------+----------+
| Issue tracker: https://github.com/bitrise-io/steps-ftp-upload/issues         |
| Source: https://github.com/bitrise-io/steps-ftp-upload                       |

viktorbenei commented 7 years ago

@kensykora thanks for reporting!

I'll schedule a check for this step, or if you have the time, feel free to send a Pull Request.
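
One way a bash-toolkit step could print its "Configs:" block without revealing the password, shown beside the leaky form from the report. This is an added example, not code from the step or from either commenter; the input variable names are assumed to match the labels in the logged config block, and the function names and sample values are constructed.

```shell
#!/bin/sh
# Added example, not the step's own code. Variable names follow the "Configs:"
# labels in the report (assumption); function names and sample values are constructed.

# Reveal neither the content nor the length of a secret, only whether it was set.
mask_secret() {
  if [ -n "$1" ]; then printf '%s' '[REDACTED]'; else printf '%s' '(empty)'; fi
}

# Behaviour seen in the report: every input, password included, is echoed verbatim.
print_configs_leaky() {
  printf 'Configs:\n'
  printf '  * hostname: %s\n' "$hostname"
  printf '  * username: %s\n' "$username"
  printf '  * password: %s\n' "$password"
}

# Same block with the secret input masked before it reaches the build log.
print_configs_masked() {
  printf 'Configs:\n'
  printf '  * hostname: %s\n' "$hostname"
  printf '  * username: %s\n' "$username"
  printf '  * password: %s\n' "$(mask_secret "$password")"
}

# Second layer: replace literal occurrences of the secret in output from commands
# the step runs. The secret is handed to awk through the environment, not argv,
# and matched with index(), so regex metacharacters in it need no escaping.
# Line-based: a secret split across two lines is not caught.
scrub_stream() {
  SCRUB_SECRET="$1" awk '
    BEGIN { s = ENVIRON["SCRUB_SECRET"]; n = length(s) }
    {
      out = ""; line = $0
      while (n > 0 && (i = index(line, s)) > 0) {
        out = out substr(line, 1, i - 1) "[REDACTED]"
        line = substr(line, i + n)
      }
      print out line
    }'
}

# Constructed sample run (placeholder values, not real credentials).
hostname='ftp.example.test'; username='demo\user'; password='MyPassword!'
print_configs_masked
printf '%s\n' "login failed for ftp://demo:${password}@${hostname}" | scrub_stream "$password"
```
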