From 8cb1f1c25e19e3fae2c390ed4eaf913b32375038 Mon Sep 17 00:00:00 2001
From: Mitch Denny
Date: Wed, 21 Apr 2021 08:42:59 +1000
Subject: [PATCH] Emit encoded token as secret.

---
 eng/common/scripts/Add-RetentionLease.ps1 | 7 +++++++
 1 file changed, 7 insertions(+)

diff --git a/eng/common/scripts/Add-RetentionLease.ps1 b/eng/common/scripts/Add-RetentionLease.ps1
index 570d448f709c..dd56c20a5531 100644
--- a/eng/common/scripts/Add-RetentionLease.ps1
+++ b/eng/common/scripts/Add-RetentionLease.ps1
@@ -26,6 +26,13 @@ $unencodedAuthToken = "nobody:$AccessToken"
 $unencodedAuthTokenBytes = [System.Text.Encoding]::UTF8.GetBytes($unencodedAuthToken)
 $encodedAuthToken = [System.Convert]::ToBase64String($unencodedAuthTokenBytes)
 
+# We are doing this here so that there is zero chance that this token is emitted in Azure Pipelines
+# build logs. Azure Pipelines will see this text and register the secret as a value it should *** out
+# before being transmitted to the server (and shown in logs). It means if the value is accidentally
+# leaked anywhere else that it won't be visible. The downside is that when the script is executed
+# on a local development box, it will be visible.
+Write-Host "##vso[task.setvariable variable=_throwawayencodedaccesstoken;issecret=true;]$($encodedAuthToken)"
+
 . (Join-Path $PSScriptRoot common.ps1)
 
 LogDebug "Checking for existing leases on run: $RunId"
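Review bot: The added `Write-Host` line prints the Base64 credential on every run, including outside Azure Pipelines where nothing interprets the `##vso` command, so on a developer box the token lands in clear text in the console or any transcript, as the comment itself concedes. Guarding the call keeps the masking and removes the local exposure: `if ($env:TF_BUILD) { Write-Host "##vso[task.setsecret]$encodedAuthToken" }`. `task.setsecret` only registers the mask, whereas `task.setvariable` as written also leaves `_throwawayencodedaccesstoken` defined as a secret variable for later steps of the job, which is wider than the stated intent. The comment's "zero chance" should be softened too, since masking works by matching the registered value and does not cover other encodings or fragments of the token. How `$encodedAuthToken` is used afterwards lies outside the hunk.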