microsoft/azure-pipelines-task-lib

Secrets (within quotes) that are part of Variable Group linked to KeyVault are not masked in logs

krsanty opened this issue · 2 comments


Environment

azure-pipelines-task-lib version:
Azure PowerShell V2 task
Windows (Azure VMSS)

Issue Description

Secrets (having values within quotes "") that are part of a Variable Group linked with Azure KeyVault are not masked in logs

Expected behaviour

Secrets should be masked in logs in all cases

Actual behaviour

Secrets are not masked in all cases

Steps to reproduce

Below is a simple step that can reproduce the secret leak in logs. In the KeyVault, SecretsWithinQuotes has the value "SHOULDBEHIDDEN" and SecretsWithinEscapedQuotes has the value \"SHOULDBEHIDDEN\"

steps:
- task: PowerShell@2
  inputs:
    targetType: 'inline'
    script: |
          echo 'My Secret in quotes 1: '$(SecretsWithinQuotes)
          echo 'My Secret5 in quotes 2: '"$(SecretsWithinQuotes)"
          echo "{$(SecretsWithinQuotes)}"
          echo "My Secret  in quotes 3:" {$(SecretsWithinQuotes)}
          echo "My Secret5 in quotes 4: {$(SecretsWithinQuotes)}"
          echo "My Secret  in quotes 5: {{$(SecretsWithinQuotes)}}"
          echo "*****************************************************"
          echo 'My Secret in escaped quotes 1: '$(SecretsWithinEscapedQuotes)
          echo 'My Secret5 in escaped quotes 2: '"$(SecretsWithinEscapedQuotes)"
          echo "{$(SecretsWithinEscapedQuotes)}"
          echo "My Secret  in escaped quotes 3:" {$(SecretsWithinEscapedQuotes)}
          echo "My Secret5 in escaped quotes 4: {$(SecretsWithinEscapedQuotes)}"
          echo "My Secret  in escaped quotes 5: {{$(SecretsWithinEscapedQuotes)}}"

Is there any way that I can restrict the secret being leaked out in all cases?

Logs

Here are the logs for the above step, which show the leaked secret in most cases:

My Secret in quotes 1: 
SHOULDBEHIDDEN
My Secret5 in quotes 2: 

SHOULDBEHIDDEN
{
SHOULDBEHIDDEN}
My Secret  in quotes 3:
***
My Secret5 in quotes 4: {
SHOULDBEHIDDEN}
My Secret  in quotes 5: {{
SHOULDBEHIDDEN}}
*****************************************************
My Secret in escaped quotes 1: 
\SHOULDBEHIDDEN\
My Secret5 in escaped quotes 2: 
\
SHOULDBEHIDDEN\
{\
SHOULDBEHIDDEN\}
My Secret  in escaped quotes 3:
***
My Secret5 in escaped quotes 4: {\
SHOULDBEHIDDEN\}
My Secret  in escaped quotes 5: {{\
SHOULDBEHIDDEN\}}

Just realized that I should have used the backtick as the escape character for the PowerShell script. It masked the secret properly when the secret value in KV was changed from \"SHOULDBEHIDDEN\" to `"SHOULDBEHIDDEN`".

However, since we are using non-PowerShell scripts as well in our pipeline, adding the escape character within the secret text opens up problems in other scripts where it is not treated as an escape character. Is there a better way to mask the secrets in PowerShell tasks?

Closing the issue because I think I found the solution:
setting a new task variable and then assigning it the secret.
Write-Host "##vso[task.setvariable variable=secretwithdoublequotes;issecret=true]$(secretwithdoublequotes)"

Thereafter, using the variable in this format {$(secretwithdoublequotes)} to avoid the leak.
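The behaviour in this thread, modelled as an added example (this is not code from azure-pipelines-task-lib or the agent): a literal-match masker registered only with the quoted Key Vault value misses the unquoted text PowerShell prints, while re-registering the value as PowerShell rendered it, which is what the `##vso[task.setvariable ...;issecret=true]` workaround does, closes the gap. The masker and the sample output lines are constructed for illustration, with one line per output item reconstructed from the log above.

```python
# Simplified model of secret masking for this issue; the real agent masker is
# more elaborate, but the failure mode only needs the literal-match step.
MASK = "***"


class SecretMasker:
    """Replaces every registered secret value literally, longest match first."""

    def __init__(self):
        self.secrets = set()

    def add(self, value):
        if value:
            self.secrets.add(value)

    def mask(self, line):
        for secret in sorted(self.secrets, key=len, reverse=True):
            line = line.replace(secret, MASK)
        return line


# Constructed sample: KV_VALUE is the value stored in Key Vault, INNER is what
# PowerShell leaves after stripping the quotes it parsed.
KV_VALUE = '"SHOULDBEHIDDEN"'
INNER = KV_VALUE.strip('"')
EMITTED = [
    "My Secret in quotes 1: " + INNER,
    "My Secret5 in quotes 2: " + INNER,
    "{" + INNER + "}",
    "My Secret  in quotes 3: " + KV_VALUE,  # {"..."} script block keeps quotes
    "My Secret5 in quotes 4: {" + INNER + "}",
]


def leaked_lines(masker, lines=EMITTED):
    """Masked lines that still contain the secret's inner text."""
    return [m for m in map(masker.mask, lines) if INNER in m]


def leaks_before_workaround():
    masker = SecretMasker()
    masker.add(KV_VALUE)  # only the quoted value is known to the masker
    return len(leaked_lines(masker))


def leaks_after_workaround():
    masker = SecretMasker()
    masker.add(KV_VALUE)
    # The setvariable logging command registers the value as PowerShell
    # rendered it, i.e. without the surrounding quotes.
    masker.add(INNER)
    return len(leaked_lines(masker))
```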