User's password is exposed in UI for a build
Platform Notice: Data Center - This article applies to Atlassian products on the Data Center platform.
Note that this knowledge base article was created for the Data Center version of the product. Data Center knowledge base articles for non-Data Center-specific features may also work for Server versions of the product, however they have not been tested. Support for Server* products ended on February 15th 2024. If you are running a Server product, you can visit the Atlassian Server end of support announcement to review your migration options.
*Except Fisheye and Crucible
Summary
Bamboo is showing password in Recent History view as "Changes By".
Environment
All versions of Bamboo
Diagnosis
In this view the data is being populated from git. Use these commands to confirm the data is coming from git.
- Checkout the branch listed in in the build dashboard on any git clone.
- Get the hash of the commit. This can be done with git log.
- Print the raw commit message:
git cat-file -p <hash>
Cause
When the commit was made, the data was passed as Author. Here is an example command:
git commit --author="Dave Laser <dlaser@atlassian.com>" -m "My alter ego Dave made this commit."
Solution
This commit will need to be removed or recreated. To avoid this issue you just need to create a commit that does not have this password. Here are the possible resolutions:
- Change user name and password. Use committer data from commit to know who to contact to stop this behaviour.
- Delete the branch or branches with offending commit. This will remove the commit from being active.
- Deploy a git
pre-commit
in Bitbucket to confirm the Committer and Author are the same.
Depending how much of your git repository has this commit will define how much action you need to take to resolve this issue. Removing or rewriting history for this tree is a viable solution but yet dangerous solution.