jbramwell / VSTS-Tools

Various command-line utilities for interacting with Visual Studio Team Services (VSTS)
MIT License
11 stars, 7 forks

List Variables not masking VSTS_HTTP_PROXY credentials #8

Open jdshkolnik opened 8 years ago

jdshkolnik commented 8 years ago

The documentation on deploying agents suggests using environment variables for storing proxy credentials. It mentions that "the agent keeps the credentials secret by masking them in job and diagnostic logs" but yours doesn't.

jbramwell commented 8 years ago

Correct. The VSTS-Tools List Variables task simply echoes the contents of all environment variables. This is no different than any other PowerShell-based task that you might add to a build definition (e.g. the PowerShell task that is available "out of the box"). While they are referred to as "secret" variables they are by no means secure.

I do have a quick question... If I modified the task to mask "secret" variables (not sure off hand exactly how I'd do that but let's assume that I can) does that make it better? Someone could simply add the PowerShell task to the build definition and list the contents with a simple PowerShell command and get them that way.

Thoughts?

jdshkolnik commented 8 years ago

I think masking secret variables would be worth doing because these logs are sometimes shared to others for debugging. There are many circumstances where someone can look at the logs yet not modify the definition.

Whether it'd help my original issue depends on where Microsoft put the logic for treating those environment variables as secret.

jbramwell commented 8 years ago

I will take a look and see what it takes to mask them from my task. If I'm able to determine that a particular variable is a "secret" variable (which I should be able to do since Microsoft is doing it) then I will mask it (I would likely make this an option on the task settings with it being set to "mask" by default).

I'm not sure of the logic that Microsoft uses to treat variables as secret. What I do know is that once a build starts running on an agent the contents of the secret variables are available to all running tasks (whether they're "out of the box" tasks or custom tasks, like mine).
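The masking discussed above, as an added example that is not code from VSTS-Tools or from either commenter: a PowerShell function that lists variables the way the task does, but blanks out values that look like credentials before they reach the log. The name pattern, the mask string and the sample values are assumptions; the VSTS_HTTP_PROXY_USERNAME and VSTS_HTTP_PROXY_PASSWORD names are assumed to follow the agent's proxy setup. Besides masking whole values by name, it also pulls a user:password pair out of a proxy URL, so a VSTS_HTTP_PROXY value of the form http://user:pass@host:port is covered as well.

```powershell
# Added illustration (not the VSTS-Tools List Variables task): list environment
# variables while masking values that look like credentials.

# Variable names whose whole value is treated as secret (assumed pattern).
$SecretNamePattern = '(PASSWORD|SECRET|TOKEN|ACCESSKEY)'

function Get-SecretValues {
    param([hashtable]$Vars)
    $secrets = @()
    foreach ($name in $Vars.Keys) {
        $value = [string]$Vars[$name]
        if ([string]::IsNullOrEmpty($value)) { continue }
        # The whole value is secret when the name looks like a credential.
        if ($name -match $SecretNamePattern) { $secrets += $value }
        # A proxy URL may embed credentials as scheme://user:pass@host:port;
        # both parts are secret wherever else they appear.
        if ($value -match '^[a-z]+://([^:/@]+):([^@]+)@') {
            $secrets += $Matches[1]
            $secrets += $Matches[2]
        }
    }
    # Longest first, so a username that is a substring of a password
    # does not break the longer match.
    return $secrets | Select-Object -Unique | Sort-Object -Property Length -Descending
}

function Format-MaskedVariables {
    param([hashtable]$Vars, [string]$Mask = '********')
    $secrets = @(Get-SecretValues -Vars $Vars)
    $lines = foreach ($name in ($Vars.Keys | Sort-Object)) {
        $value = [string]$Vars[$name]
        # Ordinal replace of every known secret, in every variable's value.
        foreach ($s in $secrets) {
            $value = $value.Replace($s, $Mask)
        }
        '{0}={1}' -f $name, $value
    }
    return $lines
}

# Constructed sample standing in for the agent's real environment. On an agent,
# build the hashtable from Get-ChildItem Env: instead:
#   $vars = @{}; Get-ChildItem Env: | ForEach-Object { $vars[$_.Name] = $_.Value }
$sample = @{
    'VSTS_HTTP_PROXY'          = 'http://svc-build:Pr0xyPass1@proxy.corp.example:8080'
    'VSTS_HTTP_PROXY_USERNAME' = 'svc-build'
    'VSTS_HTTP_PROXY_PASSWORD' = 'Pr0xyPass1'
    'BUILD_BUILDNUMBER'        = '20170101.1'
}
Format-MaskedVariables -Vars $sample
```

Run against the constructed sample, the proxy username and password are replaced by the mask both in their own variables and inside the VSTS_HTTP_PROXY URL, while BUILD_BUILDNUMBER is printed unchanged. Two caveats match the thread: this only protects the log that gets shared for debugging, since any task running on the agent can still read the raw values; and substring masking of a very short secret (a few characters) will blank out unrelated text, so the name pattern and any extracted values deserve a minimum-length check before being used on a real agent.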