There seems to be a security issue in the task log. In the attempt to mask sensitive variables in the task log, every occurrence of a sensitive variable's value is logged as ****. When the value of this sensitive variable happens to be a substring of a common word, e.g. a step name or package name, then even the step name and package name are partially masked in the log. This makes it very easy to see what the value of the sensitive variable is. You could argue that we then need to have more “complex” sensitive values, but even so I think that things like step names and package names should not be masked this way. No value in the log that is not produced by a deployment script or a bound field should be masked.
- Create a sensitive variable with the value “opus”
- Add a step in your process with the name “Octopus Deploy”
- Run a deployment and look at the task log
You will see that the step title looks like this:
Step X: Oct**** Deploy
It is then impossible not to see that there is a sensitive variable in the system with the value “opus”.
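To make the failure mode concrete, here is an added example (not code from the original post or from Octopus Deploy) that reproduces the partial masking on a constructed task log, shows the scoped masking the post argues for, and adds a check that flags sensitive values embedded in known step or package names. The origin tags on the log lines are an assumption for the sake of the example.

```python
from typing import Iterable, List, Tuple

# Constructed sample: one sensitive variable with a short value, as in the report.
SENSITIVE_VALUES = ["opus"]

# Constructed task-log lines, each tagged with its origin (assumed format):
# "system" lines are server-generated (step titles, package names),
# "script" lines are the stdout of a deployment script.
TASK_LOG = [
    ("system", "Step 1: Octopus Deploy"),
    ("system", "Acquiring package Octopus.Client 1.0.0"),
    ("script", "Connecting with password opus"),
]


def naive_mask(text: str, secrets: Iterable[str] = SENSITIVE_VALUES) -> str:
    """Behaviour the report describes: every occurrence of a sensitive value,
    anywhere in the line, becomes ****. A short value that sits inside an
    ordinary word (opus inside Octopus) is then revealed by the mask itself."""
    for secret in secrets:
        text = text.replace(secret, "****")
    return text


def scoped_mask(origin: str, text: str,
                secrets: Iterable[str] = SENSITIVE_VALUES) -> str:
    """Masking limited to lines a deployment script produced, as the report
    proposes: server-generated step and package names are never redacted."""
    if origin != "script":
        return text
    return naive_mask(text, secrets)


def render_log(log: List[Tuple[str, str]], masker) -> List[str]:
    """Apply a masking policy to every tagged line and return the visible log."""
    if masker is naive_mask:
        return [masker(text) for _, text in log]
    return [masker(origin, text) for origin, text in log]


def find_embedded_secrets(secrets: Iterable[str],
                          known_names: Iterable[str]) -> List[Tuple[str, str]]:
    """Pre-deployment check: report sensitive values that occur inside step or
    package names, since masking them would leak the value by its position."""
    return [(s, name) for s in secrets for name in known_names if s in name]


if __name__ == "__main__":
    print("\n".join(render_log(TASK_LOG, naive_mask)))
    print("\n".join(render_log(TASK_LOG, scoped_mask)))
    print(find_embedded_secrets(SENSITIVE_VALUES, ["Octopus Deploy"]))
```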