jason-johnson / azure-pipelines-tasks-terraform

Azure Pipelines extension for Terraform
MIT License

Severe Security flaw: OIDC Token printed as Plain text in the pipeline run log for Service Connections configured with Workload Identity Federation #428

Open hari2anand opened 5 months ago

hari2anand commented 5 months ago

Describe the bug
The TerraformCLI@1 task prints the OIDC token as-is in plain text when performing init, plan and apply, which is a serious security risk, as anyone with pipeline read access can simply copy-paste the token to impersonate the App-Reg and get its access in azurerm.

To Reproduce
Steps to reproduce the behavior:

Expected behavior
Token should be masked like the username!

Screenshots
(screenshot attached to the issue, not reproduced here)

Pipeline Logs
Include logs that help demonstrate the problem. Please make sure to redact any sensitive info such as secrets.
Can't attach due to sensitive content!

Agent Configuration
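As an added check that is not part of this issue or of the extension's code, the script below scans saved pipeline log text for JWT-shaped strings that were not masked, decodes the claims of any it finds (without verifying the signature) so you can tell which issuer and audience leaked, and shows the agent logging command (`##vso[task.setsecret]`) that a task emits to have the agent replace later occurrences of a value with `***`. The token and the log lines are constructed for the example; the environment variable names follow the azurerm provider's `ARM_*` convention, and the claim values are placeholders, not a real Azure DevOps token.

```python
"""Audit Azure Pipelines log text for unmasked OIDC tokens (added example)."""
import base64
import json
import re
from typing import Dict, List

# A JWT is three base64url segments joined by dots. The header segment
# always starts with "eyJ" because it is the base64 encoding of '{"'.
JWT_RE = re.compile(r"eyJ[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+\.[A-Za-z0-9_-]*")


def _b64url_decode(segment: str) -> bytes:
    # JWT segments drop base64 padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def decode_claims(token: str) -> Dict:
    """Return the payload claims of a JWT. No signature check: this is
    triage of what leaked, not authentication."""
    _header, payload, _signature = token.split(".")
    return json.loads(_b64url_decode(payload))


def find_unmasked_tokens(log_text: str) -> List[Dict]:
    """Find JWTs that appear verbatim in log text (i.e. were not masked)."""
    findings = []
    for lineno, line in enumerate(log_text.splitlines(), 1):
        for match in JWT_RE.finditer(line):
            token = match.group(0)
            try:
                claims = decode_claims(token)
            except ValueError:  # binascii.Error and JSONDecodeError are ValueErrors
                continue  # looked like a JWT but does not parse as one
            findings.append({
                "line": lineno,
                "iss": claims.get("iss"),
                "aud": claims.get("aud"),
                "sub": claims.get("sub"),
                "token_prefix": token[:12] + "...",  # never re-log the token itself
            })
    return findings


def mask_command(secret: str) -> str:
    """Agent logging command that registers a value as a secret; the agent
    then replaces that value with *** in subsequent log output."""
    return f"##vso[task.setsecret]{secret}"


def redact(log_text: str, secrets: List[str]) -> str:
    """Apply the same replacement the agent performs for registered secrets."""
    for secret in secrets:
        log_text = log_text.replace(secret, "***")
    return log_text


def make_sample_token(claims: Dict) -> str:
    """Build a constructed, unsigned JWT for the example (not a real token)."""
    def enc(obj: Dict) -> str:
        raw = json.dumps(obj, separators=(",", ":")).encode()
        return base64.urlsafe_b64encode(raw).decode().rstrip("=")
    return f"{enc({'alg': 'RS256', 'typ': 'JWT'})}.{enc(claims)}.{'A' * 43}"


# Constructed sample: placeholder issuer/audience/subject values.
SAMPLE_TOKEN = make_sample_token({
    "iss": "https://vstoken.example.invalid/00000000-0000-0000-0000-000000000000",
    "aud": "api://AzureADTokenExchange",
    "sub": "sc://example-org/example-project/example-service-connection",
    "exp": 1700000000,
})

# Constructed log lines: the client id was masked, the token was not.
SAMPLE_LOG = "\n".join([
    "2024-01-01T00:00:00Z Setting ARM_CLIENT_ID=***",
    f"2024-01-01T00:00:01Z Setting ARM_OIDC_TOKEN={SAMPLE_TOKEN}",
    "2024-01-01T00:00:02Z terraform init -input=false",
])

if __name__ == "__main__":
    for finding in find_unmasked_tokens(SAMPLE_LOG):
        print(finding)
    print(find_unmasked_tokens(redact(SAMPLE_LOG, [SAMPLE_TOKEN])))  # []
```

Run it over an exported log (`python audit.py < log.txt` after swapping `SAMPLE_LOG` for `sys.stdin.read()`) and treat any finding as an exposed credential for the remaining lifetime of the token. Masking is best-effort: the agent only replaces values it has been told about, and a token printed through a different encoding or split across lines will not match, so the fix on the task side is to register the token as a secret before anything can echo it, not to rely on redaction after the fact.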

jason-johnson commented 4 months ago

@jaredfholgate can you reproduce?

jason-johnson commented 1 month ago

For me the token is hidden in every place I checked. I don't have a self hosted agent to check on though.