qetza / replacetokens-task

Azure Pipelines task to replace tokens in files with variables.
MIT License

Possibility to limit replacement variables to those explicitly provided #60

Open dmytro-arkhypenko opened 1 month ago

dmytro-arkhypenko commented 1 month ago

I have a concern that exposing all pipeline variables for replacement might give out sensitive information if replacement happened in manifest files placed by an ill-intended party.

I can't come up with an exact scenario of a successful attack exploiting this feature, but having more control over the task behavior would give me more confidence.

The feature I want might be implemented by introducing an additional input usePipelineVariables, true by default.

- task: qetza.replacetokens.replacetokens-task.replacetokens@6
  inputs:
    sources: '**/*.json'
    usePipelineVariables: 'false'     # 'true by default'
    additionalVariables: |
      - '@**/vars.(json|yml|yaml)'      # read from files
      - '$ENV_VARS'                     # read from env
      - var1: '${{ parameters.var1 }}'  # inline key/value pairs
        var2: '${{ parameters.var2 }}'

qetza commented 3 weeks ago

Hi @dmytro-arkhypenko, thanks for the feedback.

Yes, by default the task has access to all environment variables, and the agent creates one environment variable per pipeline variable, which could lead to some unexpected leakage.

I'll look into adding a new parameter useOnlyAdditionalVariables, which would limit the scope of the variables available to the replacement function to only the values declared in additionalVariables.

qetza commented 2 weeks ago

Hi @dmytro-arkhypenko, the new parameter useAdditionalVariablesOnly is now available on v5 and v6.
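
The scoping difference discussed in this thread, as an added example that is not part of the original issue and not the task's own code: a simplified model of token replacement run once with every environment variable in scope and once with only the declared values. The `#{NAME}#` token pattern, case-insensitive lookup, the function names and the sample data are assumptions made for illustration.

```javascript
// Simplified model of scoped token replacement; not the task's real implementation.
// Assumption: tokens look like #{NAME}# and lookups are case-insensitive.
const TOKEN = /#\{\s*([^}\s]+)\s*\}#/g;

// Build the lookup table the replacement function is allowed to see.
function buildScope(env, additional, additionalOnly) {
  const scope = new Map();
  if (!additionalOnly) {
    // Default behaviour described in the thread: all environment variables are visible.
    for (const [k, v] of Object.entries(env)) scope.set(k.toUpperCase(), v);
  }
  // Explicitly declared values are always available and win on conflict.
  for (const [k, v] of Object.entries(additional)) scope.set(k.toUpperCase(), v);
  return scope;
}

// Replace known tokens; leave unknown ones untouched and report them.
function replaceTokens(text, scope) {
  const missing = [];
  const output = text.replace(TOKEN, (match, name) => {
    const key = name.toUpperCase();
    if (scope.has(key)) return scope.get(key);
    missing.push(name);
    return match;
  });
  return { output, missing };
}

// Constructed sample data: agent environment holding a value not meant for this file.
const sampleEnv = { BUILD_BUILDID: '1234', DEPLOY_API_KEY: 'constructed-secret-value' };
// Constructed values standing in for what additionalVariables would declare.
const declared = { var1: 'eu-west' };
// Constructed manifest: one declared token, one token the pipeline author never declared.
const manifest = '{"region":"#{var1}#","note":"#{DEPLOY_API_KEY}#"}';

// Run the same manifest through both scopes so the results can be compared.
function demo() {
  return {
    allVariables: replaceTokens(manifest, buildScope(sampleEnv, declared, false)),
    additionalOnly: replaceTokens(manifest, buildScope(sampleEnv, declared, true)),
  };
}

console.log(JSON.stringify(demo(), null, 2));
```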