Security issue in the Task log


There seems to be a security issue in the Task log. In the attempt to mask sensitive variables in the task log, every occurrence of a value in a sensitive variable is logged as ****. When the value in this sensitive variable happens to be a phrase used as part of a common word, e.g. step names or package names, then even the step name and package name are partially masked in the log. This makes it very easy to see what the value in the sensitive variable is. You could argue that we then need to have more “complex” sensitive values, but even so I think that things like step names and package names should not be masked this way. No value in the log that is not produced by a deployment script or a bound field should be masked.

To reproduce:

  • Create a sensitive variable with the value “opus”
  • Add a step in your process with the name “Octopus Deploy”
  • Run a deployment and look at the task log

You will see that the step title will look like this:
Step X: Oct**** Deploy

Then it is impossible not to see that there is a sensitive variable in the system with the value “opus”.



Yes, this is a limitation of the variable masking, and we give a very similar example of the issue on this page:

What you say about “anything that isn’t produced from a script etc.” makes logical sense, but internally all messages are treated the same so it’s difficult to differentiate and apply this reasoning at the implementation level. As you pointed out, having more complicated passwords is probably the best course of action.



I suspected that it would be difficult to change this and I understand why you have implemented it the way it is.
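
The collision discussed in this thread can be caught before a deployment runs. The following is an added example, not code from the thread or from Octopus Deploy: `mask_log_line` models the replace-every-occurrence behaviour described above (exact, case-sensitive matching is an assumption), and `find_leaky_values`, the `min_length` threshold and all sample names and values are hypothetical.

```python
MASK = "****"


def mask_log_line(line, sensitive_values):
    """Model of the masking described in the thread: every occurrence
    of a sensitive value in a log line is replaced with ****."""
    # Longest values first, so a value that contains another is masked whole.
    for value in sorted(sensitive_values, key=len, reverse=True):
        if value:
            line = line.replace(value, MASK)
    return line


def find_leaky_values(sensitive, public_names, min_length=8):
    """Pre-deployment check: report sensitive variables whose value would be
    revealed by masking because it occurs inside a name that is already
    known to log readers (step names, package names).

    Returns a list of (variable name, reason, public name or None).
    min_length is an assumed threshold, not a documented product limit."""
    findings = []
    for var_name, value in sensitive.items():
        if len(value) < min_length:
            findings.append((var_name, "short", None))
        for public in public_names:
            if value and value in public:
                findings.append((var_name, "substring", public))
    return findings


if __name__ == "__main__":
    # Constructed sample data; "opus" and "Octopus Deploy" come from the thread.
    sensitive = {"ApiKey": "opus", "DbPassword": "c0nstructed-Long-Value-91"}
    names = ["Octopus Deploy", "Acme.Web"]

    print(mask_log_line("Step 1: Octopus Deploy", sensitive.values()))
    for var_name, reason, public in find_leaky_values(sensitive, names):
        print(var_name, reason, public)
```
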