Mask base64 values of secrets in pipeline logs

microsoft · Nov 4, 2024 · b31ab66 · b31ab66
1 parent 8452104
commit b31ab66
Showing 1 changed file with 14 additions and 0 deletions.
diff --git a/src/Agent.Worker/Worker.cs b/src/Agent.Worker/Worker.cs
@@ -174,6 +174,20 @@ private void InitializeSecretMasker(Pipelines.AgentJobRequestMessage message)
                     var escapedSecret2 = variable.Value.Value.Replace("\r", "%0D")
                                                              .Replace("\n", "%0A");
                     AddUserSuppliedSecret(escapedSecret2);
+                    // We need to mask the base 64 value of the secret as well
+                    var base64Secret = Convert.ToBase64String(System.Text.Encoding.UTF8.GetBytes(variable.Value.Value));
+                    // Add the base64 secret to the secret masker
+                    AddUserSuppliedSecret(base64Secret);
+                    // also, we escape some characters for variables when we print them out in debug mode. We need to
+                    // add the escaped version of these secrets as well
+                    var escapedSecret3 = base64Secret.Replace("%", "%AZP25")
+                                                     .Replace("\r", "%0D")
+                                                     .Replace("\n", "%0A");
+                    AddUserSuppliedSecret(escapedSecret3);
+                    // Since % escaping may be turned off, also mask a version escaped with just newlines
+                    var escapedSecret4 = base64Secret.Replace("\r", "%0D")
+                                                     .Replace("\n", "%0A");
+                    AddUserSuppliedSecret(escapedSecret4);
                 }
             }