Entering this information will route you directly to the right team and expedite traction.
Question, Bug, or Feature?
Type: Bug
Enter Task Name: AzurePowerShell
list here (V# not needed):
https://github.com/Microsoft/azure-pipelines-tasks/tree/master/Tasks/AzurePosweShell
I have found that I can obtain all the authentication information for the Service Principal configured to run the task. It takes a couple of lines of PowerShell code and reveals this information:

Is this supposed to be so easy?
Yes. It's still encrypted at rest, and if you specify it as a secret variable, Pipelines will attempt to mask it in output if possible.
You very specifically made an action to get at it. It doesn't show by default.
This is related to secrets in job/agent - passing onto core team.
Please can you say how to do this, I am unable to find a passed variable and need to actually debug how to find that variable and having a list of them would be great
@craigmpeters
Just somewhere in your script do:
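```powershell
Get-Variable | ft | out-string
```
or
```powershell
# $env on its own is not a variable; enumerate the Env: drive instead
Get-ChildItem Env: | ft | out-string
```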
To get a summary of related variables. If you're debugging though, you really should read the section about debugging PowerShell using the Azure Functions Core Tools; you can set breakpoints and all that fun stuff.
Cheers - Managed to work it out using Parameters into the script itself but might use this to see if it is there and I can streamline things a bit
Sorry for the delay, I have included a sample script below that gets the secrets and writes them out so you can see them in the task log.
```powershell
$m = Get-Module 'VstsTaskSdk'
$stuff = $m.SessionState.PSVariable.Get("vault").Value
$taskVariables = @{}
$stuff.GetEnumerator() | % {
    $info = $_.Value.GetNetworkCredential()
    $taskVariables.Add($info.UserName, $info.Password)
}
$taskVariables | Out-Host
```
One solution would be to add the code below into the task; however, I am not really sure this is the "Right" way to address the problem (mainly because it assumes something about the internal implementation of the SDK).
Perhaps the SDK should be updated so that it has a public function that can be called to clear all stored secrets? This will address the issue for any DevOps tasks that use the updated SDK code, not sure about tasks that don't use the updated SDK. Might need a little thought and ideas from a few people; however, my initial sense is that it won't be an issue.
```powershell
# Clear values from VstsTaskSdk variable vault before invoking the script to prevent
# people fishing for credentials
Get-Module 'VstsTaskSdk' | ForEach-Object {
    $sdkVariableVault = $_.SessionState.PSVariable.GetValue('vault') -as [System.Collections.IDictionary]
    if ($sdkVariableVault) {
        $sdkVariableVault.Clear()
    }
}
```
Task | File | Line
------|-----|-----
AzurePowerShellV2 | AzurePowerShell.ps1 | 102
AzurePowerShellV3 | AzurePowerShell.ps1 | 105
AzurePowerShellV3 | AzurePowerShell.ps1 | 84
ServiceFabricPowerShellV1 | ServiceFabricPowerShell.ps1 | 71
This is working as designed. Secrets are meant only to mask exact matches - e.g. if you mask abc, the following output:
```
abc
helloabcworld
a
bc
adbc
```
should result in:
```
*****
hello*****world
a
bc
adbc
```
If people are able to arbitrarily run a script, they can just arbitrarily manipulate/send the secret anyways; at that point our security boundary has already been crossed. Closing since I don't think this is an issue, please comment if you think it should be reopened.
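
The exact-match masking described in the last comment, as an added example that is not part of the original thread and not the Azure Pipelines agent's code. `Protect-LogLine` is a hypothetical, simplified model (literal, case-sensitive, per-line replacement), and the second secret value is constructed for illustration.

```powershell
# Added illustration: simplified exact-match log masker (assumed model, not the agent's implementation).
function Protect-LogLine {
    param(
        [string[]] $Line,    # log lines to filter
        [string[]] $Secret   # secret values registered for masking
    )

    # Drop empty values (an empty secret would match everywhere), de-duplicate,
    # and mask longer values first so a secret that contains another secret
    # is replaced as a whole rather than leaving its tail visible.
    $ordered = @($Secret |
        Where-Object { $_ } |
        Select-Object -Unique |
        Sort-Object -Property Length -Descending)

    foreach ($l in $Line) {
        $masked = $l
        foreach ($s in $ordered) {
            # String.Replace(string, string) is a literal, case-sensitive match:
            # only the exact registered value is hidden.
            $masked = $masked.Replace($s, '*****')
        }
        $masked
    }
}

# Sample log lines taken from the comment above; 'abc' is the masked value there.
$log = @('abc', 'helloabcworld', 'a', 'bc', 'adbc')

# Same result as in the comment: the first two lines are masked, while the value
# split across two lines ('a' / 'bc') and the altered value ('adbc') pass through.
Protect-LogLine -Line $log -Secret @('abc')

# Constructed second case: overlapping secrets. Masking 'abc' before 'abcdef'
# would leave 'def' in the log; longest-first ordering avoids that.
Protect-LogLine -Line @('token=abcdef') -Secret @('abc', 'abcdef')
```

Because only exact values are replaced, masking limits accidental exposure in logs; it does not restrict what a script that already runs in the job can read.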