azure-pipelines-agent: Endpoint auth. parameter that is not confidential getting masked in agent logs
2.122.0
Windows
VSTS
Attaching details about the custom endpoint type & logs that have this issue.
Endpoint details logged in agent:
{
  "data": {},
  "id": "cfa7e53f-5778-423c-af65-507a80224c79",
  "name": "cfa7e53f-5778-423c-af65-507a80224c79",
  "type": "habitatoriginendpoint",
  "url": "https://bldr.habitat.sh",
  "authorization": {
    "parameters": {
      "username": "********",
      "revision": "********",
      "publickey": "********",
      "password": "********",
      "githubauthtoken": "********",
      "useSudo": "********"
    },
    "scheme": "UsernamePassword"
  },
  "isReady": false
}
Endpoint contribution type:
{
  "id": "habitat-origin",
  "description": "Habitat Origin",
  "type": "ms.vss-endpoint.service-endpoint-type",
  "targets": ["ms.vss-endpoint.endpoint-types"],
  "properties": {
    "name": "habitatoriginendpoint",
    "displayName": "Habitat Origin",
    "url": {
      "displayName": "Habitat Depot URL",
      "helpText": "URL to the Habitat depot that will be used to deploy to"
    },
    "inputDescriptors": [],
    "authenticationSchemes": [
      {
        "type": "ms.vss-endpoint.endpoint-auth-scheme-basic",
        "inputDescriptors": [
          {
            "id": "username",
            "name": "Origin Name",
            "description": "Name of the Habitat origin",
            "inputMode": "textbox",
            "isConfidential": false,
            "validation": {
              "isRequired": true,
              "dataType": "string"
            }
          },
          {
            "id": "revision",
            "name": "Revision",
            "description": "Revision of the origin to use",
            "inputMode": "textbox",
            "isConfidential": false,
            "validation": {
              "isRequired": true,
              "dataType": "string"
            }
          },
          {
            "id": "publickey",
            "name": "Public Key",
            "description": "Public item of the origin key pair",
            "inputMode": "textarea",
            "isConfidential": false,
            "validation": {
              "isRequired": true,
              "dataType": "string"
            }
          },
          {
            "id": "password",
            "name": "Signing Key",
            "description": "Signing item of the origin key pair",
            "inputMode": "textarea",
            "isConfidential": true,
            "validation": {
              "isRequired": true,
              "dataType": "string"
            }
          },
          {
            "id": "githubauthtoken",
            "name": "GitHub Auth Token",
            "description": "Authentication token for GitHub for publishing Habitat packages.",
            "inputMode": "textbox",
            "isConfidential": "true",
            "validation": {
              "isRequired": true,
              "dataType": "string"
            }
          },
          {
            "id": "useSudo",
            "name": "Use Sudo",
            "description": "Use sudo on habitat commands",
            "inputMode": "combo",
            "isConfidential": false,
            "validation": {
              "isRequired": false,
              "dataType": "string"
            },
            "values": {
              "inputId": "useSudoValues",
              "defaultValue": "1",
              "possibleValues": [
                {
                  "value": "1",
                  "displayValue": "True"
                },
                {
                  "value": "0",
                  "displayValue": "False"
                }
              ]
            }
          }
        ]
      }
    ],
    "helpMarkDown": "Please provide the requested information so that Habitat packages can be built and deployed. The GitHub authentication token requires `user:email` and `read:org` scopes"
  }
}
About this issue
- State: open
- Created 7 years ago
- Reactions: 4
- Comments: 58 (16 by maintainers)
Is there any update to this issue? I am also having the problem where all ‘1’ characters are being masked.
@DenisRumyantsev @KonstantinTyukalov @anatolybolshakov @alexander-smolyakov - I pointed out that your proposed solution creates an even larger problem than was being reported, and you have nothing to say in the last month?
I really hope that you are not still considering this AGENT_SECRET_MIN_LENGTH as viable, because nobody asked you for a knob that let us expose any secrets. We asked you to stop making the secret values easy to guess.
Hey everyone! We are introducing a new agent knob: AGENT_IN_SECRET_LENGTH, which will let you not mask short secrets. You can specify values from 0 (all secrets will be masked as usual) to 4 (secrets shorter than 4 symbols will be ignored). Also, negative values will mean masking all the secrets as usual. Example:
Also, it's available as an environment variable.
This feature will be available in the next agent release; we will notify you once it is rolled out. Thanks!
UPD: The new knob name is AZP_IGNORE_SECRETS_SHORTER_THAN
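A simplified model of the three masking policies this thread argues about, added here as an illustration and not the agent's own code: mask every endpoint parameter (the behaviour reported), skip short values with a length knob as the comment above describes it, and mask only the inputs flagged isConfidential in the contribution. The parameter values, the log line and the function names are constructed for this example; the password value is deliberately short to show what the length knob leaves visible.

```python
import re

MASK = "***"

# isConfidential flags copied from the contribution above; note the string "true".
DESCRIPTORS = {
    "username": False, "revision": False, "publickey": False,
    "password": True, "githubauthtoken": "true", "useSudo": False,
}
# Constructed parameter values, for illustration only.
PARAMS = {
    "username": "core", "revision": "20180606", "publickey": "SIG-PUB-EXAMPLE",
    "password": "k9", "githubauthtoken": "ghp_EXAMPLETOKEN", "useSudo": "1",
}


def is_confidential(flag):
    """Accept the JSON boolean and the string form used for githubauthtoken."""
    return flag is True or (isinstance(flag, str) and flag.strip().lower() == "true")


def build_masker(values, ignore_shorter_than=0):
    """Mask every occurrence of each value, longest first.

    ignore_shorter_than models the knob as the comment describes it:
    0 or negative masks everything, 1..4 skips values shorter than that.
    """
    if ignore_shorter_than > 4:
        raise ValueError("the comment only describes values up to 4")
    floor = max(ignore_shorter_than, 0)
    kept = sorted({v for v in values if v and len(v) >= floor}, key=len, reverse=True)
    if not kept:
        return lambda line: line
    pattern = re.compile("|".join(re.escape(v) for v in kept))
    return lambda line: pattern.sub(MASK, line)


def compare(line):
    """Return the line as masked by the three policies discussed in the thread."""
    everything = build_masker(PARAMS.values())
    with_knob = build_masker(PARAMS.values(), ignore_shorter_than=4)
    flagged = build_masker(v for k, v in PARAMS.items() if is_confidential(DESCRIPTORS[k]))
    return everything(line), with_knob(line), flagged(line)


if __name__ == "__main__":
    for out in compare("step 1 of 11: upload core/app with key k9"):
        print(out)
```

Masking everything turns each "1" in the line into a mask because useSudo is "1"; the length knob restores the digits but also prints the short confidential value; masking by the isConfidential flag hides the confidential value and leaves the digits and the origin name readable.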
It also happens for custom extensions.
@alexander-smolyakov also see this, it’s affecting hundreds of pipelines my org has, and we have a support case open for this.
@StingyJack @itecompro I believe the issue with masked ‘1’ should be already fixed and shipped with the next agent release - we are planning to start it this week.
This issue is open for years and no one has yet figured out what’s going on!? 🙄
In our pipelines, we are using Variable Groups connected to a Key Vault, right after the Download Secret task, all 1s are replaced with ***.
Have checked all the secrets in the Key Vault. None of them is 1. Of course, it could be part of a secret like something_1_something_else, but not by itself as a whole.
Bump
@peterox I believe this was fixed. Are you using the service “Azure Devops” and the latest agent? Or are you using on-premises TFS? Note you can right click on the pool to update all agents in a pool to the latest version.