microsoft / azure-pipelines-agent

Azure Pipelines Agent 🚀
MIT License

[BUG]: Service Principal client secret visible in agent log #4883

Open KjartanThK opened 1 week ago

KjartanThK commented 1 week ago

What happened?

When registering and deregistering an agent with a service principal (--auth SP), the appId, tenantId and clientSecret values are all written to the agent registration log in cleartext. When comparing this with the way that PATs are masked in the logs, this looks like a bug, and I would consider this a security risk since having all three means a user can act as that SP and do whatever the SP is permitted, not just in Azure DevOps but everywhere in the tenant. In my mind this is as big of a risk as storing AD user passwords in clear text on disk.

Versions

Azure DevOps Agent version: 3.240.1 RuntimeInformation: Microsoft Windows 10.0.20348

Environment type (Please select at least one environment where you face this issue)

Azure DevOps Server type

dev.azure.com (formerly visualstudio.com)

Azure DevOps Server Version (if applicable)

No response

Operating system

Windows Server 2022

Version control system

No response

Relevant log output

Example from agent removal log.
[2024-07-05 13:16:44Z INFO CommandSettings] Remove {
  "Auth": "SP",
  "LaunchBrowser": false,
  "Password": null,
  "Token": null,
  "Unattended": true,
  "UserName": null,
  "ClientId": "<application id>",
  "TenantId": "<tenant id>",
  "ClientSecret": "<client secret>",
  "Help": false,
  "Version": false
}
[2024-07-05 13:16:44Z INFO AgentProcess] Arguments parsed

ivanduplenskikh commented 1 week ago
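As an added example (not code from the azure-pipelines-agent project or the reporter), a defender-side check that scans agent log text for the CommandSettings block quoted above and reports which secret-bearing fields were written unmasked, next to the redaction the report asks for (mask secrets the way PATs already are). The sample log, its GUIDs and the secret value are constructed placeholders; the log line layout is assumed to match the issue's quoted output.

```python
import json
import re

# Constructed sample modelled on the log block quoted in the issue.
# All values are placeholders, not real identifiers or secrets.
SAMPLE_LOG = """[2024-07-05 13:16:44Z INFO CommandSettings] Remove {
  "Auth": "SP",
  "LaunchBrowser": false,
  "Password": null,
  "Token": null,
  "Unattended": true,
  "UserName": null,
  "ClientId": "00000000-0000-0000-0000-000000000000",
  "TenantId": "11111111-1111-1111-1111-111111111111",
  "ClientSecret": "example-secret-value",
  "Help": false,
  "Version": false
}
[2024-07-05 13:16:44Z INFO AgentProcess] Arguments parsed
"""

# Fields that must never reach a log in cleartext (ClientId and TenantId are
# identifiers, not secrets, so they are left alone).
SECRET_FIELDS = ("Password", "Token", "ClientSecret")
MASK = "********"

# Matches "<command> {...}" blocks emitted by CommandSettings; the JSON body
# ends at the first "}" that starts a line, as in the quoted output.
SETTINGS_RE = re.compile(r"CommandSettings\] (?P<cmd>\w+) (?P<body>\{.*?\n\})", re.S)


def find_leaked_secrets(log_text):
    """Return {command: [field, ...]} for secret fields logged unmasked."""
    leaks = {}
    for m in SETTINGS_RE.finditer(log_text):
        settings = json.loads(m.group("body"))
        exposed = [f for f in SECRET_FIELDS
                   if settings.get(f) not in (None, "", MASK)]
        if exposed:
            leaks[m.group("cmd")] = exposed
    return leaks


def redact_settings(settings):
    """Copy of the parsed settings with populated secret fields masked."""
    return {k: (MASK if k in SECRET_FIELDS and v not in (None, "") else v)
            for k, v in settings.items()}
```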

@KjartanThK, thanks for reporting it! Let us take a look.