Octopus Variable Password Value being splatted out in Deployment Process that makes no reference to the variable

binh.au · 7 June 2017 07:53

Hi,
Thought you should know there is a bug (I assume it’s a bug) in octopus where Octopus Variable Password Value is being splatted in Deployment Process.
e.g.
There is an octopus Variable call “App_Password” and the value is “TEST” . The Octopus Variable is define as sensitive.
When you run a deployment all reference of the word “TEST” is being replace with “******”.

The chance to have the actual password appear in your deployment step is generally low in a real deployment process. But as you know when you are testing a new deployment process then it is possible.

Regards
B.

ServerTasks-17106.log.txt (4 KB)

Doc6.docx (455 KB)

nick · 8 June 2017 01:50

Hello,

Thanks for getting in touch. We have seen this before, we feel it’s safest to keep the sensitive variable obfuscation mechanism (the ****s) as is, just in case someone did it by accident. The sensitive variable protection logic is broad in that regard it’s just looking for any possible output of sensitive data in the logs.

A workaround could be to just name your step differently. e.g. Step could be t e s t or t-e-s-t.

Regards,
Nick