Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Implement AZP_IGNORE_SECRETS_SHORTER_THAN knob #4073

Merged
merged 31 commits into from Dec 6, 2022
Merged

Implement AZP_IGNORE_SECRETS_SHORTER_THAN knob #4073

merged 31 commits into from Dec 6, 2022

Conversation

KonstantinTyukalov
Copy link
Contributor

@KonstantinTyukalov KonstantinTyukalov commented Nov 30, 2022
edited

Description: Implemented agent knob which allows to skip short secrets by setting min secret length of each secret.

Note that maximum length of secrets filter is 4

Changelog:

  • Add AZP_IGNORE_SECRETS_SHORTER_THAN knob
  • Updated vss-api-netcore to 0.5.181
  • Update LoggedSecretMasker
  • Added unit tests
  • Some formatting
  • Temporarily disabled removing of .pdb files from build
  • Fixed api conflicts in VssAadToken and VssClientCredentials

Added unit tests:

  • Yes

Attached related issue:

Previous PR - #3962

Checklist:

  • There are no risky dependency updates
  • Changes have been tested

KonstantinTyukalov and others added 25 commits August 26, 2022 15:36
@KonstantinTyukalov
Move _secretMasker init to constructor
21db1c5
@KonstantinTyukalov
Add MaskedSecretMinLength knob to list
7b52049
@KonstantinTyukalov
Formatting
5a97549
@KonstantinTyukalov
Update LoggedSecretMasker to match masking library
f91da97
@KonstantinTyukalov
Implement remove short secrets from dict on job init
7bac73b
@KonstantinTyukalov
Add unit tests
6b25952
@KonstantinTyukalov
Edit comment about _maxMinSecretLength
f651b1a
@KonstantinTyukalov
Merge branch 'master' of https://github.com/microsoft/azure-pipelines…
0a67289 
…-agent into users/KonstantinTyukalov/Implement_min_secrets_len_knob
@KonstantinTyukalov
Bump vss-api-netcore to 0.5.181
441392d
@KonstantinTyukalov
Temporarily Disable NU1605 rule
cc23a0a
@KonstantinTyukalov
Bump System.Security.Cryptography.ProtectedData to 4.5.0 on Microsoft…
6aa29c8 
….VisualStudio.Services.Agent.csproj
@KonstantinTyukalov
Fix new VssCredentials VssAadCredential conflicts
b889882
@DenisRumyantsev
Merge branch 'master' into users/KonstantinTyukalov/Implement_min_sec…
23f3903 
…rets_len_knob
@KonstantinTyukalov
Fix review points
5a935cc
@KonstantinTyukalov
Merge branch 'users/KonstantinTyukalov/Implement_min_secrets_len_knob…
883d2e4 
…' of https://github.com/microsoft/azure-pipelines-agent into users/KonstantinTyukalov/Implement_min_secrets_len_knob
@KonstantinTyukalov
Reform AgentCredentionL0
92d9d87
@kirill-ivlev
Merge branch 'master' into users/KonstantinTyukalov/Implement_min_sec…
5421d48 
…rets_len_knob
@KonstantinTyukalov
Add test for negative values
ed5eec3
@KonstantinTyukalov
Merge branch 'master' of https://github.com/microsoft/azure-pipelines…
f8c9b05 
…-agent into users/KonstantinTyukalov/Implement_min_secrets_len_knob
@Roman-Shchukin
Removed unnecessary lib reference
fd224ef
@KonstantinTyukalov
Merge branch 'master' of https://github.com/microsoft/azure-pipelines…
081dec0 
…-agent into users/KonstantinTyukalov/Implement_min_secrets_len_knob
@Roman-Shchukin
Fixed issue with ProtectedData versions
e2ee94f
@Roman-Shchukin
Merge branch 'users/KonstantinTyukalov/Implement_min_secrets_len_knob…
303ee9e 
…' of github.com:microsoft/azure-pipelines-agent into users/KonstantinTyukalov/Implement_min_secrets_len_knob
@Roman-Shchukin
Removed deleting of pdb files. BuildXLNatives.dll in BuildXL.Utilitie…
304cbdc 
…s package version 0.1.0-20220517.1.1 contains pdb and application doesn't run without it
@KonstantinTyukalov
Merge branch 'master' of https://github.com/microsoft/azure-pipelines…
1cc05b3 
…-agent into users/KonstantinTyukalov/Implement_min_secrets_len_knob
@KonstantinTyukalov KonstantinTyukalov changed the title Implement AGENT_MIN_SECRET_LENGTH knob Implement AZP_IGNORE_SECRETS_SHORTER_THAN knob Nov 30, 2022
@StingyJack
Copy link

StingyJack commented Dec 1, 2022
edited

@KonstantinTyukalov please be sure that the solution is not going to be worse than the original problem. Nobody asked for secrets to be unmasked - that is worse than the problem reported where we can guess the secret values.

What if I made a build pipeline that used secrets I am not supposed to know and set the knob to 1000? I'm going to see all of the things I'm not supposed to see.

Also make sure its a feasible and reasonable suggestion. This proposal will require my org to put a variable into like 4K build pipelines. We should have to do nothing and change nothing - no knobulation should be required to have secrets masked appropriately. It just needs to work properly.

I know this is not an easy ask but its possible and there really are no shortcuts that are OK when it comes to security and diagnostics. I dont normally comment on another org's PR's but it doesnt look like you are incorporating what is said in the issue thread or the dev comm issues into these solutions, and any potential reviewer needs to understand that

@StingyJack
Copy link

@kirill-ivlev please take note of the comment above. This does not solve the problem and actually makes the problem worse.

@KonstantinTyukalov KonstantinTyukalov merged commit 4debafc into master Dec 6, 2022
@kirill-ivlev
Copy link
Contributor

@StingyJack
thank you for your input, regarding long secrets we limited this knob to a maximum value of 4 characters.
For now, it should resolve cases when short secrets might leak from the logs.
We will check the other ways of resolving it in a more elegant way in the future.

LiliaSabitova added a commit that referenced this pull request Jan 6, 2023
@LiliaSabitova
Revert "Implement AZP_IGNORE_SECRETS_SHORTER_THAN knob (#4073)"
9380180 
This reverts commit 4debafc.
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@DenisRumyantsev DenisRumyantsev DenisRumyantsev approved these changes

@wojgasior wojgasior wojgasior approved these changes

@kirill-ivlev kirill-ivlev kirill-ivlev approved these changes

@LiliaSabitova LiliaSabitova LiliaSabitova approved these changes

@Roman-Shchukin Roman-Shchukin Roman-Shchukin approved these changes

Assignees
No one assigned
Labels
enhancement
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

None yet
7 participants
@KonstantinTyukalov @StingyJack @kirill-ivlev @DenisRumyantsev @wojgasior @LiliaSabitova @Roman-Shchukin