microsoft / azure-pipelines-terraform

Azure Pipelines tasks for installing Terraform and running Terraform commands in a build or release pipeline.
MIT License

Warning!!! TerraformTaskV4@4 shows oidc_token as plain text #191

Closed Mousling1992 closed 8 months ago

Mousling1992 commented 8 months ago

Description

I am using the TerraformTaskV4@4 task in Azure DevOps to manage my resources. However, I've noticed that the token is not being masked in the logs like the client_id or the tenant_id, which poses a security risk.

Steps to Reproduce

  1. Log in with AzureCli
  2. Install Terraform 1.5.7 on the agent
  3. Use TerraformTaskV4@4 to run terraform init
  4. Go to Raw Logs in the pipeline run; there the -backend-config=oidc_token value is written in plain text.

Expected Behavior

The token should be masked in the logs to prevent exposure of sensitive information.

Actual Behavior

The token is written in plain text.
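As an added example (not code from this thread or from the azure-pipelines-terraform project): a small Python check that scans a saved raw pipeline log for `oidc_token=` values the agent did not mask (a masked value appears as `***`) and, when the value is JWT-shaped, decodes the payload to show the audience and whether the token had already expired at the time of review. The log lines, the token claims and the dummy signature are constructed for this example; the token is unsigned and the `report`, `scan_log` and `decode_jwt_claims` names are the example's own.

```python
import base64
import json
import re
import time
from typing import List, Optional

# The argument as it appears in a raw pipeline log. A value the agent masked
# shows up as "***"; an unmasked value is the token itself.
OIDC_ARG = re.compile(r"""oidc_token=(?P<value>[^\s"']+)""")


def _b64url_decode(segment: str) -> bytes:
    # JWT segments are base64url without padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def decode_jwt_claims(token: str) -> Optional[dict]:
    """Return the payload claims of a three-segment JWT, or None if it is not one."""
    parts = token.split(".")
    if len(parts) != 3:
        return None
    try:
        claims = json.loads(_b64url_decode(parts[1]))
    except (ValueError, UnicodeDecodeError):
        return None
    return claims if isinstance(claims, dict) else None


def scan_log(log_text: str, now_epoch: float) -> List[dict]:
    """Report every oidc_token value in the log that the agent did not mask."""
    findings = []
    for lineno, line in enumerate(log_text.splitlines(), start=1):
        for match in OIDC_ARG.finditer(line):
            value = match.group("value")
            if value == "***":
                continue  # masked by the agent; nothing leaked on this line
            claims = decode_jwt_claims(value)
            finding = {"line": lineno, "is_jwt": claims is not None,
                       "expired": None, "aud": None}
            if claims is not None:
                exp = claims.get("exp")
                finding["aud"] = claims.get("aud")
                if isinstance(exp, (int, float)):
                    finding["expired"] = exp < now_epoch
            findings.append(finding)
    return findings


def make_unsigned_jwt(claims: dict) -> str:
    """Build a JWT-shaped token with a dummy signature (constructed test data only)."""
    header = _b64url_encode(json.dumps({"alg": "none", "typ": "JWT"}).encode())
    payload = _b64url_encode(json.dumps(claims).encode())
    return f"{header}.{payload}.signature"


# Constructed sample of what the raw log looks like; issuer, audience and
# expiry are invented (exp 1700000000 is 2023-11-14T22:13:20Z).
LEAKED_TOKEN = make_unsigned_jwt({
    "iss": "https://vstoken.dev.azure.com/example",
    "aud": "api://AzureADTokenExchange",
    "exp": 1700000000,
})
SAMPLE_LOG = "\n".join([
    "##[section]Starting: terraform init",
    "/usr/local/bin/terraform init -backend-config=client_id=*** "
    "-backend-config=tenant_id=*** -backend-config=oidc_token=" + LEAKED_TOKEN,
    "Terraform has been successfully initialized!",
    "/usr/local/bin/terraform init -backend-config=oidc_token=***",
])


def report(log_text: str = SAMPLE_LOG, now_epoch: Optional[float] = None) -> List[dict]:
    """Print one line per unmasked token and return the findings for further handling."""
    findings = scan_log(log_text, now_epoch if now_epoch is not None else time.time())
    for f in findings:
        state = "expired" if f["expired"] else "possibly still valid"
        print(f"line {f['line']}: unmasked oidc_token "
              f"(jwt={f['is_jwt']}, aud={f['aud']}, {state})")
    return findings


if __name__ == "__main__":
    report()
```

The agent only masks values that a task has registered as secrets (the `##vso[task.setsecret]` logging command, `setSecret` in azure-pipelines-task-lib); the masked `client_id` and `tenant_id` on the same line show what that looks like. The expiry check is triage only: an unmasked token should be treated as exposed to everyone with read access to the run's logs, and the workload identity it exchanges for should be reviewed regardless of whether the token has since expired.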

Mousling1992 commented 8 months ago

[image] Please take this seriously.

mericstam commented 8 months ago

Hi, Thanks for reporting. I will take a look at the problem.

mericstam commented 8 months ago

Hi, just waiting for a review, then a brief regression test. Hopefully the fix will be deployed today.

jessehouwing commented 8 months ago

This warrants a self-published advisory on GitHub I suppose:

https://github.com/microsoft/azure-pipelines-terraform/security

@Mousling1992 please next time use the security reporting guidance to publish security issues; that way there is a more coordinated response and it will automatically signal more of the right people to take immediate action.