Output when using secure variables should be 'secured'
When the console output is processed, if the value of a secure variable is detected, it should replace it with something else like '********' or [SECURE_VARIABLE_NAME].
In most cases, when writing scripts, people won't print out their variable values, but, if the script errors for some reason, there is a chance that the value that was passed to it will be printed in the build log.
Support Staff 1 Posted by Feodor Fitsner on 28 Sep, 2015 12:48 AM
Well, there is no way to distinguish secure and "regular" variables as they are all essentially environment variables.
2 Posted by Ryan on 28 Sep, 2015 01:15 AM
Yeah, I actually sort of figured that is how they worked. It just makes secure variables very insecure if something dumps them out, without the knowledge of "the user". Because now their API key, or signing cert password is now in the build log for the world to see.
In my example, a ps script failed to load because of a typo, and all the values that were passed to it were dumped to the log in the exception message.
Support Staff 3 Posted by Feodor Fitsner on 28 Sep, 2015 01:20 AM
Right, you should be careful about exposing them. Once they are exposed to the public, update that sensitive information (passwords, tokens, keys, etc.).
The main protection mechanism for secure variables is that they are not set for PR builds, so people not having commit rights to the repo can't list them.
Ilya Finkelshteyn closed this discussion on 25 Aug, 2018 02:00 AM.
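The masking requested in the original post, as an added example that is not part of the thread and not AppVeyor's code: a log filter that replaces known secret values with `[VARIABLE_NAME]`. The variable names, values and log lines are constructed, and the minimum length and the set of encodings covered are assumptions; a value printed in any other form still gets through, so an exposed secret still has to be updated.

```python
import base64
import re
from urllib.parse import quote

MIN_LEN = 4  # assumption: shorter values are skipped, masking them would shred the log


def build_masker(secure_vars):
    """Return a function that replaces secure variable values with [NAME].

    secure_vars maps variable name -> secret value (hypothetical input; a CI
    server would take these from its own list of variables marked secure).
    """
    variants = {}
    for name, value in secure_vars.items():
        if len(value) < MIN_LEN:
            continue
        raw = value.encode("utf-8")
        # Also cover encodings that scripts commonly apply before printing.
        for form in (value, quote(value, safe=""), base64.b64encode(raw).decode("ascii")):
            variants.setdefault(form, name)
    if not variants:
        return lambda text: text
    # Longest first, so a secret that contains another secret is masked whole.
    ordered = sorted(variants, key=len, reverse=True)
    pattern = re.compile("|".join(re.escape(v) for v in ordered))
    return lambda text: pattern.sub(lambda m: "[" + variants[m.group(0)] + "]", text)


# Constructed sample: variable names, values and the log lines are made up.
SAMPLE_VARS = {"NUGET_API_KEY": "k3y-abc123", "CERT_PASSWORD": "p@ss w0rd"}
SAMPLE_LOG = (
    "deploy.ps1 : The term 'Pubish-Package' is not recognized.\n"
    "At line:1 char:1 + .\\deploy.ps1 -ApiKey k3y-abc123 -CertPassword 'p@ss w0rd'\n"
    "GET https://example.invalid/sign?pw=p%40ss%20w0rd\n"
)

if __name__ == "__main__":
    print(build_masker(SAMPLE_VARS)(SAMPLE_LOG))
```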