jessehouwing closed 8 months ago
Hi Jesse, LGTM, @jaredfholgate any opinion?
@jessehouwing and @mericstam. For future reference I found there is a function for setting a secret: https://github.com/microsoft/azure-pipelines-task-lib/blob/0b4a3c796ae34493d86e8f8a46f414d722cd807f/node/task.ts#L219
It would be called like this in this scenario:

```ts
import tasks = require('azure-pipelines-task-lib/task');
...
tasks.setSecret(token);
```
I have also asked whether setting this secret should be handled in the library, rather than every task that uses it. Will feed back if that happens.
@jaredfholgate agreed. Located the spot and added the code to mask the secret in a PR.
I'd forgotten that tasklib function exists. It would be a better temporary solution, but let's see if the linked PR would come through.
Moves the `setSecret` call closest to the place the token enters the scope of the task to prevent accidental logging of the token in the future. This does mix concerns a little bit, but this prevents a change in the 4 functions in the call chain from accidentally surfacing the token in the future.
This could be refactored to a promise that can be passed to the token generator.
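The ordering point made in this thread, as an added example that is not code from the task or from any participant: a secret registered only at the end of a call chain leaves earlier log lines unmasked, while registering it where the token enters scope covers every later line. The `setSecret` and `log` functions below are simplified stand-ins for `tasks.setSecret` and the agent's log masking, and the token, function names and call chain are constructed for illustration.

```typescript
// Stand-in for the agent's masker (assumption): values registered through
// setSecret are replaced with *** in every log line written afterwards.
const secrets: string[] = [];
const logLines: string[] = [];

function setSecret(value: string): void {
  if (value && secrets.indexOf(value) === -1) secrets.push(value);
}

function log(message: string): void {
  let masked = message;
  for (let i = 0; i < secrets.length; i++) {
    masked = masked.split(secrets[i]).join("***");
  }
  logLines.push(masked);
}

const SAMPLE_TOKEN = "constructed-sample-token-123"; // constructed, not a real token

// Before: the token enters scope here, but nothing is registered yet.
function acquireTokenLate(): string {
  return SAMPLE_TOKEN;
}

// After: the token is registered the moment it enters scope.
function acquireTokenAtEntry(): string {
  const token = SAMPLE_TOKEN;
  setSecret(token);
  return token;
}

// A function further down the chain where a debug line was added later.
function buildHeader(token: string): string {
  const header = "Bearer " + token;
  log("debug: built header " + header);
  return header;
}

// Runs the chain and returns the log lines as the agent would show them.
function runChain(acquire: () => string, registerAtEnd: boolean): string[] {
  secrets.length = 0;
  logLines.length = 0;
  const token = acquire();
  buildHeader(token);
  if (registerAtEnd) setSecret(token); // too late for the line above
  log("done with " + token);
  return logLines.slice();
}
```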