Fizcko / Azure_DevOps_Vault_Interaction

Azure DevOps extension to interact with HashiCorp Vault.
MIT License

exportJSONValues method prints secrets to console #19

Closed derpomorj closed 8 months ago

derpomorj commented 8 months ago

Hi,

I discovered that the task prints all downloaded secrets to the console in unencrypted form, which entails security problems. It is necessary to correct this line in the method "exportJSONValues": console.log("[INFO] Injecting variable : " + prefix + ", value : " + objValue);

Fizcko commented 8 months ago

Hi @derpomorj,

I have some doubts. Do you have any logs to provide?

In the following code:

https://github.com/Fizcko/Azure_DevOps_Vault_Interaction/blob/add5e456187f09620d70824c1fe2c3994e92485d/src/common/utils.ts#L29-L30

The third parameter is set to "True".

https://github.com/microsoft/azure-pipelines-task-lib/blob/a766b2ff7e51938d5601362a337549313dc8c572/node/task.ts#L180-L188

This parameter allows you to define the value of the "secret" parameter.

If this parameter is set to true, the value of the variable will be saved as secret and masked out from logs (in an Azure DevOps pipeline).

https://learn.microsoft.com/en-us/azure/devops/pipelines/process/set-variables-scripts?view=azure-devops&tabs=bash#set-a-variable-as-secret

So every time a secret value is found in pipeline output, it will be masked directly.

But you are partially right. If you run npm run test on this project, the secrets will not be masked.

derpomorj commented 8 months ago

Hi @Fizcko , I was able to reproduce the problem in a production environment. The following entries appear in the logs: "2024-01-16T11:02:09.4660288Z [INFO] Injecting variable : <real secret name>, value : <real secret value>".

I also noticed that the problem reproduces only if the secret contains the "%" character ("1234%" for example). There are no problems with regular strings; most likely the problem is on Azure's side. But in any case, it seems not very safe to output secret values to the task logs, since we rely on an external system. It seems that nothing prevents us from printing "***" ourselves. If this logging is necessary for local testing, then, as an option, you can add a check for the operating mode (prod/dev).
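The two comments above describe the whole mechanism: the task registers each Vault value with the agent as a secret variable (which also feeds the agent's log masker), and the console.log line echoes the raw value before any masking can happen. The following is an added example, not code from the Azure_DevOps_Vault_Interaction extension or from either participant. It models that pattern without the azure-pipelines-task-lib dependency by emitting the ##vso[task.setvariable ...;issecret=true] logging command directly, shows the reported log line beside a version that never includes the value, and adds a self-check that the human-readable lines do not contain any secret, including the "1234%" case from the report. The function and variable names (exportJSONValues, safeLogLine, leaksSecret, SAMPLE_PAYLOAD) and the sample payload are assumptions for illustration; the escaping rules follow the documented logging-command format.

```typescript
// Added example, not the extension's own code. Walks a JSON secret payload
// (as returned by Vault) and registers each leaf as a secret pipeline variable
// via the ##vso logging command, logging only the variable name.

type JsonValue =
  | string | number | boolean | null
  | JsonValue[]
  | { [key: string]: JsonValue };

interface InjectedVariable {
  name: string;     // pipeline variable name
  command: string;  // ##vso logging command the agent consumes from stdout
  logLine: string;  // human-readable line; the value is never included
}

// Escaping for logging-command property values and data, as documented for
// Azure Pipelines logging commands (assumption: rules unchanged in the agent).
function escapeProperty(s: string): string {
  return s.replace(/%/g, "%AZP25").replace(/\r/g, "%0D").replace(/\n/g, "%0A")
          .replace(/]/g, "%5D").replace(/;/g, "%3B");
}
function escapeData(s: string): string {
  return s.replace(/%/g, "%AZP25").replace(/\r/g, "%0D").replace(/\n/g, "%0A");
}

// Equivalent of tl.setVariable(name, value, true): the agent stores the
// variable as secret and adds the value to its output masker.
function setSecretVariableCommand(name: string, value: string): string {
  return `##vso[task.setvariable variable=${escapeProperty(name)};issecret=true]${escapeData(value)}`;
}

// Before: the line reported in the issue. The value reaches the log as-is.
function unsafeLogLine(name: string, value: string): string {
  return `[INFO] Injecting variable : ${name}, value : ${value}`;
}

// After: log the name only. Agent masking is a second line of defence,
// not something the task should depend on.
function safeLogLine(name: string): string {
  return `[INFO] Injecting variable : ${name}, value : ***`;
}

// Flatten the payload into variables. Nested keys are joined with "_";
// non-string leaves are JSON-stringified (hypothetical convention).
function exportJSONValues(payload: JsonValue, prefix: string): InjectedVariable[] {
  const out: InjectedVariable[] = [];
  const walk = (node: JsonValue, name: string): void => {
    if (node !== null && typeof node === "object" && !Array.isArray(node)) {
      for (const [k, v] of Object.entries(node as { [key: string]: JsonValue })) {
        walk(v, name ? `${name}_${k}` : k);
      }
      return;
    }
    const value = typeof node === "string" ? node : JSON.stringify(node);
    out.push({ name, command: setSecretVariableCommand(name, value), logLine: safeLogLine(name) });
  };
  walk(payload, prefix);
  return out;
}

// Self-check usable from a unit test: true if any human-facing line still
// carries a secret value verbatim.
function leaksSecret(lines: string[], secrets: string[]): boolean {
  return lines.some(line => secrets.some(s => s.length > 0 && line.includes(s)));
}

// Constructed sample payload; "1234%" mirrors the case from the report.
const SAMPLE_PAYLOAD: JsonValue = {
  db_password: "1234%",
  api: { token: "s3cr3t" },
};

const injected = exportJSONValues(SAMPLE_PAYLOAD, "VAULT");
for (const v of injected) {
  console.log(v.logLine);   // safe to show: name only
  console.log(v.command);   // consumed by the agent; value is masked in the pipeline log
}
```

Running the block prints two "[INFO] Injecting variable : VAULT_..., value : ***" lines followed by the two ##vso commands; leaksSecret over the logLine entries returns false, while the unsafeLogLine form for "1234%" contains the value regardless of what the agent's masker does later.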

Fizcko commented 8 months ago

@derpomorj ,

I have removed the print of the secret:

https://github.com/Fizcko/Azure_DevOps_Vault_Interaction/blob/1f7d252d54b72568adbeed5aa32c4fd1d5e679a4/src/common/utils.ts#L29-L30

I've just released a new version, 4.0.2, on the Azure DevOps marketplace.

This version resolves your issue.

Regards

derpomorj commented 8 months ago

Thanks for the help 🙂