Censoring password in variables goes wrong

unknown
reliability
server
(Kamil B) #1

We have one password (somewhere) which is also widely used as a prefix for our variables and component names. We found that this string is then censored in at least two places.

  • In task logs every time this word is censored even if it’s not a password - I think it’s not a big deal, because I can imagine that someone can put the password as an output there
  • In variable preview - it makes our variable preview unusable because of ***** in many places

(Paul Calvert) #3

Hi @Kamil_B,

Thanks for getting in touch!

I’ve run some quick testing on this on our latest version without being able to replicate it.
Would you be able to confirm what version of Octopus Server you are running on currently?
Also, could you replicate this problem at your side with some values that you are comfortable sharing? This information will enable me to test the same way.

Best regards,
Paul

(Kamil B) #4

Hi Paul,
I’m using 2019.10.1 and I need to add a note here: I was mistaken, it works only (I guess) for project variables.

Steps:
In project add variables: test_variable:“Supersecret_Variable” and test_sensitive_variable: “Secret” with type sensitive


In preview it will give that:
image

Sorry for confusion again, I haven’t checked whether this values come from variable set, or project.

(Paul Calvert) #5

Hi @Kamil_B,

Thanks for clarifying that, I’d missed the part about it being in the Variable Preview screen.
I’ve now replicated that in both areas you’ve reported and raised an issue for our engineers to investigate further.

Regards,
Paul

(Kamil B) #6

Thank you @paul.calvert!

1 Like