Closed by derpomorj 8 months ago
Hi @derpomorj,
I have some doubts. Do you have any logs to provide?
In the following code:
The third parameter is set to "True".
This parameter allows you to define the value of the "secret" parameter.
If this parameter is set to true, the value of the variable will be saved as secret and masked out from logs (in an Azure DevOps pipeline).
So every time that a secret value is found in a pipeline output it will be masked directly.
But you are partially right. If you run npm run test on this project the secrets will not be masked.
Hi @Fizcko ,
I was able to reproduce the problem in a production environment.
The following entries appear in the logs:
"2024-01-16T11:02:09.4660288Z [INFO] Injecting variable : <real secret name>, value : <real secret value>".
I also noticed that the problem is reproduced only if the secret contains the "%" character ("1234%" for example). There are no problems with regular strings, most likely the problem is on Azure's side. But in any case, it seems not very safe to output secret values to the task logs, since we rely on an external system. It seems that nothing prevents us from printing “***” ourselves. If this logging is necessary for local testing, then, as an option, you can add a check for the operating mode (prod/dev).
@derpomorj ,
I have removed the print of the secret:
I've just released a new version 4.0.2 on the Azure DevOps marketplace.
This version resolves your issue.
Regards
Thanks for the help 🙂
Hi,
I discovered that the task prints all downloaded secrets in the console in unencrypted form, which entails security problems. It is necessary to correct this line in method "exportJSONValues": console.log("[INFO] Injecting variable : " + prefix + ", value : " + objValue);
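The approach discussed in this thread (mask the value in the task's own log line instead of relying on the pipeline to do it), as an added example that is not the extension's code. The function signature, the "_" name separator, the injected `setVariable` and `log` callbacks, the `redact` helper and the sample data are assumptions made so the block runs offline.

```javascript
const MASK = "***";

// Replace every known secret value in a message with MASK. Matching is literal
// (split/join), so characters such as "%" or "." need no escaping; longest
// values go first so a secret that contains another one is masked whole.
function redact(message, secrets) {
  const values = [...secrets]
    .filter((s) => s.length > 0)
    .sort((a, b) => b.length - a.length);
  return values.reduce((msg, s) => msg.split(s).join(MASK), String(message));
}

// Hypothetical rewrite of an exportJSONValues-style walker: every leaf is
// registered as a secret variable, and the log line carries the name only.
// Returns the set of values seen so later messages can be passed to redact().
function exportJSONValues(obj, prefix, setVariable, log, seen = new Set()) {
  for (const [key, objValue] of Object.entries(obj)) {
    const name = prefix ? prefix + "_" + key : key; // separator is an assumption
    if (objValue !== null && typeof objValue === "object") {
      exportJSONValues(objValue, name, setVariable, log, seen);
      continue;
    }
    const value = String(objValue);
    seen.add(value);
    setVariable(name, value, true); // third argument: store as secret
    log("[INFO] Injecting variable : " + name + ", value : " + MASK);
  }
  return seen;
}

// Constructed sample input, including the "1234%" case from the thread.
function demo() {
  const lines = [];
  const vars = {};
  const secrets = exportJSONValues(
    { db: { password: "1234%", user: "svc" }, token: "abc" },
    "APP",
    (name, value, secret) => { vars[name] = { value, secret }; },
    (line) => lines.push(line)
  );
  // A later message that happens to embed secret values is redacted locally.
  lines.push(redact("[ERROR] login failed for svc with 1234%", secrets));
  return { lines, vars };
}
```

In a real task the `setVariable` callback would be the task library's own call with the secret flag set, and `log` would be `console.log`.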