AWSAccount variables - Secretkey easily exposed

security

(rohin.mcdermott) #1

Hi Guys. We have been using the AWS Accounts feature for a few weeks and I found something that I didn’t think should be possible.

I have a script step for exposing project variables before production deploys so we can confirm all is well (I hope to retire it when the variable preview can handle nested variable set vars). When this step displays a sensitive variable value it shows “*******” but when it shows AWSCredential.Secretkey the value is not masked.

I have an account variable on the project called ‘AWSCredential’ and a sensitive variable called ‘testSensitiveVar’. This is what is output:

And this is the content of my script step:

$releaseEnv     = $OctopusParameters['Octopus.Environment.Name']
$releaseNumber  = $OctopusParameters['Octopus.Release.Number']
$machineName    = $OctopusParameters['Octopus.Machine.Name']
$projectName    = $OctopusParameters['Octopus.Project.Name']
$tempFile       = [System.IO.Path]::GetTempFileName()
$artifactName   = $releaseEnv + '-' + $projectName + '-' + $releaseNumber + '-' + $machineName + '.csv'

# One row per variable, classified by its name prefix
$OctoVarArray = $OctopusParameters.Keys | ForEach-Object {
    $varName = $PSItem
    [PSCustomObject]@{
        'VariableName'  = $varName
        'VariableValue' = $OctopusParameters[$varName]
        'VariableType'  = Switch -Wildcard ($varName) {
            "Octopus.*" {'System'}
            "env:*"     {'Environment'}
            default     {'Application'}
        }
    }
} | Sort-Object VariableType,VariableName

# Attach the full table to the deployment as a CSV artifact
$OctoVarArray | Export-Csv -Path $tempFile -NoTypeInformation
New-OctopusArtifact -Path $tempFile -Name $artifactName

# Echo only the application-level variables to the deployment log
$vardata = $OctoVarArray.Where({$PSItem.VariableType -eq 'Application'}) | Select-Object VariableName,VariableValue
#Set-OctopusVariable -Name "DeploymentVariables" -value "$($vardata | ConvertTo-JSON)"
Write-Output $vardata
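A defensive variant of the variable dump above, added here as an example and not part of the original post: it redacts by variable name (wildcards such as *SecretKey*) as well as by Octopus's own mask, so a value like AWSCredential.SecretKey never reaches the log or the CSV artifact even when the server fails to mask it. It assumes $OctopusParameters is the hashtable Octopus passes to a script step; the pattern list and the constructed sample hashtable are ours.

```powershell
# Name patterns we treat as secret regardless of the Octopus sensitive flag (our choice, not an Octopus setting)
$RedactPatterns = @('*SecretKey*', '*AccessKey*', '*Password*', '*Token*', '*Private*')

function Get-RedactedVariableTable {
    param(
        [Parameter(Mandatory)] [System.Collections.IDictionary] $Variables,
        [string[]] $Patterns = $RedactPatterns
    )
    foreach ($name in ($Variables.Keys | Sort-Object)) {
        $value = [string]$Variables[$name]
        # Values Octopus already masked arrive as a run of asterisks; keep them redacted too
        $isMasked = $value -match '^\*{3,}$'
        $byName   = $false
        foreach ($p in $Patterns) { if ($name -like $p) { $byName = $true; break } }
        [PSCustomObject]@{
            VariableName  = $name
            VariableValue = if ($byName -or $isMasked) { '<redacted>' } else { $value }
            Redacted      = ($byName -or $isMasked)
            VariableType  = switch -Wildcard ($name) {
                'Octopus.*' { 'System' }
                'env:*'     { 'Environment' }
                default     { 'Application' }
            }
        }
    }
}

# Constructed sample standing in for $OctopusParameters when run outside Octopus (values are not real)
$sample = @{
    'Octopus.Environment.Name' = 'Production'
    'AWSCredential.AccessKey'  = 'AKIA-EXAMPLE-NOT-REAL'
    'AWSCredential.SecretKey'  = 'example-secret-not-real'
    'testSensitiveVar'         = '********'
    'AppSetting.Region'        = 'eu-west-1'
}
$vars = if (Test-Path variable:OctopusParameters) { $OctopusParameters } else { $sample }

$table = Get-RedactedVariableTable -Variables $vars
$table | Format-Table -AutoSize

# Guard rail: fail the step rather than let a secret-looking value through unredacted
if ($table.Where({ -not $_.Redacted -and $_.VariableName -like '*Secret*' })) {
    throw 'A secret-looking variable reached the output unredacted.'
}
```

Only the redacted table should be exported or attached as an artifact; the raw hashtable is never written out.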

(Michael Noonan) #3

Hi Rohin,

Thanks for getting in touch! I’m sorry about the delay responding. We’ve been trying to reproduce the behaviour, but haven’t been able to yet. I’ll try again tomorrow.

If you have the time/capacity, could you find the raw Account data in the SQL Database (in the Accounts table) and send a copy of that to support@octopus.com along with a link to this thread?

Please check before you send it that there are no sensitive values in clear text. If the sensitive data is encrypted as expected and you send it to us, that’s OK: even we won’t be able to decrypt it without your master key.

In the meantime, as a replacement for your script, there are potentially two built-in features you could use:

  1. In the Project > Variables tab there is now a Preview feature: https://octopus.com/blog/octopus-release-2018.3#deployment-variable-preview
  2. Octopus can write the run-time values as each step begins: https://octopus.com/docs/support/debug-problems-with-octopus-variables

Hope that helps!
Mike