AzureKeyVaultV1 does not properly handle secrets containing certain reserved values (%3B, %0D, %0A, and %5D) #14610

Closed
sivetic opened this issue Mar 17, 2021 · 1 comment

sivetic commented Mar 17, 2021

Required Information

Question, Bug, or Feature?
Type: Bug

Enter Task Name: AzureKeyVault

Environment

  • Server - Azure Pipelines

    • If using Azure Pipelines, provide the account name, team project name, build definition name/build number:
      account name - VarianCloud
      project name - CorePlatform
      build definition name - Sasa Test
      buildid - 10033
  • Agent - Hosted

Issue Description

I believe the issue I'm running into is related to percent encoding (https://github.com/microsoft/azure-pipelines-agent/blob/master/docs/design/percentEncoding.md). If a Key Vault secret value contains a reserved value (%3B, %0D, %0A, %5D), the AzureKeyVault task does not properly set the secret value in the variable. Attempting to use the value subsequently results in an incorrect value, and task failure.

Here is a sample value from a local development build (secret value below is not used for anything):

Secret Value in Azure Key Vault (manually retrieved): %0AMc2EnC!%l!5mcff2thP9gxB9Fz%0vYYM%

Using Azure Key Vault task to retrieve the secret:

2021-03-17T18:20:36.7902121Z ##[section]Starting: Azure Key Vault: <snip>
2021-03-17T18:20:36.8066010Z ==============================================================================
2021-03-17T18:20:36.8066398Z Task         : Azure Key Vault
2021-03-17T18:20:36.8066719Z Description  : Download Azure Key Vault secrets
2021-03-17T18:20:36.8066995Z Version      : 1.182.1
2021-03-17T18:20:36.8067285Z Author       : Microsoft Corporation
2021-03-17T18:20:36.8067678Z Help         : https://docs.microsoft.com/azure/devops/pipelines/tasks/deploy/azure-key-vault
2021-03-17T18:20:36.8068085Z ==============================================================================
2021-03-17T18:20:37.1633546Z SubscriptionId: <snip>.
2021-03-17T18:20:37.1635115Z Key vault name: <snip>.
2021-03-17T18:20:37.1654078Z Downloading secret value for: permissionApiClientSecret.
2021-03-17T18:20:37.8890665Z ##[section]Finishing: Azure Key Vault: <snip>

PowerShell task to print secret as Base64 encoded value, so it does not get masked:

[System.Convert]::ToBase64String([System.Text.Encoding]::Unicode.GetBytes("$(permissionApiClientSecret)"))

And output of task:

2021-03-17T18:20:43.3119612Z DQAKAE0AYwAyAEUAbgBDACEAJQBsACEANQBtAGMAZgBmADIAdABoAFAAOQBnAHgAQgA5AEYAegAlADAAdgBZAFkATQAlAA==
2021-03-17T18:20:44.1229945Z ##[section]Finishing: PowerShell Script

Which decodes to below - notice the missing %0A at beginning and an empty line:


Mc2EnC!%l!5mcff2thP9gxB9Fz%0vYYM%

Task logs

(see logs above)

Troubleshooting

n/a

Error logs

n/a
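
The behaviour reported above can be checked offline with a small model, added here as an example and not taken from the task or agent source. It assumes the four reserved sequences named in the issue are decoded to `;`, CR, LF and `]` when the variable is set (function names are hypothetical), flags secrets that would not survive, and compares the model with the Base64 output captured in the issue.

```javascript
// Added example: a model of the decoding described in the issue, not code from
// azure-pipelines-tasks or the agent. Assumption: only the four sequences named
// in the issue are decoded, case-sensitively, when the variable is set.
const RESERVED = { '%3B': ';', '%0D': '\r', '%0A': '\n', '%5D': ']' };
const RESERVED_RE = /%3B|%0D|%0A|%5D/g;

// Value the pipeline variable ends up holding under that assumption.
function agentDecode(value) {
  return value.replace(RESERVED_RE, (token) => RESERVED[token]);
}

// Pre-flight check for a secret: which reserved sequences it contains and where.
function findReserved(value) {
  return [...value.matchAll(RESERVED_RE)].map((m) => ({ token: m[0], index: m.index }));
}

// True when the secret would reach later tasks unchanged.
function survivesRoundTrip(value) {
  return agentDecode(value) === value;
}

// Reverse of the issue's PowerShell step: Base64 -> UTF-16LE text.
function decodePowerShellBase64(b64) {
  return Buffer.from(b64, 'base64').toString('utf16le');
}

// Values copied from the issue (the reporter states the secret is unused).
const storedSecret = '%0AMc2EnC!%l!5mcff2thP9gxB9Fz%0vYYM%';
const observedB64 =
  'DQAKAE0AYwAyAEUAbgBDACEAJQBsACEANQBtAGMAZgBmADIAdABoAFAAOQBnAHgAQgA5AEYAegAlADAAdgBZAFkATQAlAA==';

function compareWithIssue() {
  const observed = decodePowerShellBase64(observedB64);
  return {
    reserved: findReserved(storedSecret),
    observedStartsWithCrLf: observed.startsWith('\r\n'),
    // The captured output begins CR LF where the model yields LF, so line
    // endings are normalised before comparing.
    matchesModel: observed.replace(/\r\n/g, '\n') === agentDecode(storedSecret),
  };
}

console.log(compareWithIssue());
```

Running `findReserved` over secret values before they are stored shows which ones a consumer with this decoding behaviour would alter; sequences such as `%0v` and `%l` in the sample are not reserved and pass through untouched.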

@tauhid621
Contributor

Closing this as V2 of this task is being rolled out which fixes the issue
