Sensitive variable values in bash - expected behaviour?

jimmyw · 5 October 2016 05:56

Hi,

Before I post the full details of what I’m seeing, can I confirm that when a bash script is executed on a linux server, it should be possible to obtain the value of a sensitive variable via:
get_octopusvariable “the_variable_name”

E.g., given an in-scope, sensitive variable named “qwerty” with value “uiop”,
and a script that has:
value=get_octopusvariable "qwerty"
echo “variable length: ${#value}”

should output:
variable length: 4

I use the length as an example because I understand the value is normally masked by some other masking process.

MarkSiedle · 6 October 2016 05:59

Hi Jimmy,

Thanks for getting in touch.

I can confirm that this is intended behaviour. It was implemented to avoid untended data masking. eg. When you have values less than 4 characters, other data that matched these values was being masked unintentionally, rendering the logs unreadable, so Octopus only masks sensitive values greater than or equal to 4 characters. See https://github.com/OctopusDeploy/Issues/issues/1155.

Hope this helps
Mark