microsoft / azure-pipelines-terraform

Azure Pipelines tasks for installing Terraform and running Terraform commands in a build or release pipeline.
MIT License

Moves token security closest to the location where the token enters t… #194

Closed jessehouwing closed 8 months ago

jessehouwing commented 8 months ago

Moves the setSecret call closest to the place the token enters the scope of the task to prevent accidental logging of the token in the future.

This does mix concerns a little bit, but this prevents a change in the 4 functions in the call chain from accidentally surfacing the token in the future.

This could be refactored to a promise that can be passed to the token generator.

mericstam commented 8 months ago

Hi Jesse, LGTM, @jaredfholgate any opinion?

jaredfholgate commented 8 months ago

@jessehouwing and @mericstam. For future reference I found there is a function for setting a secret: https://github.com/microsoft/azure-pipelines-task-lib/blob/0b4a3c796ae34493d86e8f8a46f414d722cd807f/node/task.ts#L219

It would be called like this in this scenario:

import tasks = require('azure-pipelines-task-lib/task');
...

tasks.setSecret(token);

I have also asked whether setting this secret should be handled in the library, rather than every task that uses it. Will feedback if that happens.
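The point of the PR description above (register the secret where the token enters the task, so none of the four functions further down the call chain can leak it) and of the `tasks.setSecret(token)` call shown in this comment can be seen in a small self-contained model. This is an added example, not code from the azure-pipelines-terraform repository or the task library: `setSecret` and `debug` below are a constructed stand-in for the real `azure-pipelines-task-lib` masker, so the whole thing runs offline, and the token value, function names and the two-step call chain are all constructed for illustration.

```typescript
// Constructed stand-in for azure-pipelines-task-lib's secret masking:
// every value registered with setSecret is replaced in later log output.
const registeredSecrets: string[] = [];
const logLines: string[] = [];

// Stand-in for tasks.setSecret(value) from azure-pipelines-task-lib.
function setSecret(value: string): void {
  if (value.length > 0) registeredSecrets.push(value);
}

// Replace every registered secret with *** before a line is recorded.
function mask(message: string): string {
  return registeredSecrets.reduce((m, s) => m.split(s).join('***'), message);
}

// Stand-in for tasks.debug(message): logs go through the masker.
function debug(message: string): void {
  logLines.push(mask(message));
}

// The token enters the task's scope here (constructed sample value).
// With registerAtEntry = true the secret is masked at this point, which is
// what the PR does; with false it relies on every caller downstream
// remembering not to log it.
function getAccessToken(registerAtEntry: boolean): string {
  const token = 'constructed-token-abc123'; // constructed sample, not a real token
  if (registerAtEntry) setSecret(token);
  return token;
}

// A downstream call chain that (carelessly) logs the token it was handed.
function runTerraform(token: string): number {
  debug(`ARM_ACCESS_TOKEN=${token}`);
  return token.length;
}

function configureBackend(token: string): number {
  debug(`backend token: ${token}`);
  return runTerraform(token);
}

// Runs the simulated task once and returns the captured log lines.
export function run(registerAtEntry: boolean): string[] {
  logLines.length = 0;
  registeredSecrets.length = 0;
  const token = getAccessToken(registerAtEntry);
  configureBackend(token);
  return logLines.slice();
}

// True if the raw token appears anywhere in the captured log.
export function leaksToken(lines: string[]): boolean {
  return lines.some((l) => l.includes('constructed-token-abc123'));
}

console.log(run(false)); // token visible in both lines
console.log(run(true));  // both lines show *** instead
```

The defensive property is that masking does not depend on the discipline of any function below the acquisition point: once `setSecret` has run at entry, a later log statement added anywhere in the chain is still masked.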

jessehouwing commented 8 months ago

@jaredfholgate agreed. Located the spot and added the code to mask the secret in a PR.

I'd forgotten that tasklib function exists. It would be a better temporary solution, but let's see if the linked PR would come through.