Closed Mousling1992 closed 8 months ago
Please take this seriously
Hi, thanks for reporting. I will take a look at the problem.
Hi, just waiting for a review, then a brief regression test. Hopefully the fix will be deployed today.
This warrants a self-published advisory on GitHub I suppose:
https://github.com/microsoft/azure-pipelines-terraform/security
@Mousling1992 please next time use the security reporting guidance to publish security issues; that way there is a more coordinated response, and it will automatically signal more of the right people to take immediate action.
Description
I am using the TerraformTaskV4@4 task in Azure DevOps to manage my resources. However, I've noticed that the token is not being masked in the logs like the client_id or the tenant_id, which poses a security risk.
Steps to Reproduce
Expected Behavior
The token should be masked in the logs to prevent exposure of sensitive information.
Actual Behavior
The token is written in plain text.