{Image-copy} Mask the value of the --sas-token parameter when displaying it in the terminal#9516
Conversation
✔️ Azure CLI Extensions Breaking Change Test

Thank you for your contribution! We will review the pull request and get back to you soon.

The git hooks are available for azure-cli and azure-cli-extensions repos. They could help you run required checks before creating the PR. Please sync the latest code with latest dev branch (for azure-cli) or main branch (for azure-cli-extensions).

```
pip install azdev --upgrade
azdev setup -c <your azure-cli repo path> -r <your azure-cli-extensions repo path>
```
Pull request overview
This PR implements security hardening for the az image-copy extension by masking sensitive SAS token values when they are displayed in terminal logs. The change prevents accidental exposure of SAS tokens in debug and error log messages.
Changes:
- Version bumped from 1.0.3 to 1.0.4
- Added `_mask_output_token` function to mask `--sas-token` parameter values with asterisks
- Integrated masking into all command logging paths (debug, error, and exception handlers)
Reviewed changes
Copilot reviewed 3 out of 3 changed files in this pull request and generated 3 comments.
| File | Description |
|---|---|
| setup.py | Version bump to 1.0.4 |
| HISTORY.rst | Added release notes for version 1.0.4 documenting the security enhancement |
| cli_utils.py | Added _mask_output_token function and integrated it into all command logging statements to mask SAS token values |
```python
    token_param_name = "--sas-token"
    if token_param_name in output:
        idx = output.index(token_param_name)
        output[idx + 1] = "******"
```
This function has a potential IndexError bug. If --sas-token appears as the last element in the cmd list, accessing output[idx + 1] will raise an IndexError. Add a check to ensure idx + 1 is within bounds before attempting to mask the token value.
Suggested change:

```diff
-        output[idx + 1] = "******"
+        if idx + 1 < len(output):
+            output[idx + 1] = "******"
```
```python
    if token_param_name in output:
        idx = output.index(token_param_name)
        output[idx + 1] = "******"
```
The index() method only finds the first occurrence of --sas-token. If the parameter appears multiple times in the command (though unlikely), only the first occurrence will be masked. Consider using a loop or list comprehension to mask all occurrences for more robust security.
Suggested change:

```diff
-    if token_param_name in output:
-        idx = output.index(token_param_name)
-        output[idx + 1] = "******"
+    for i, arg in enumerate(output):
+        if arg == token_param_name and i + 1 < len(output):
+            output[i + 1] = "******"
```
```python
def _mask_output_token(cmd):
    output = cmd[:]
    token_param_name = "--sas-token"
    if token_param_name in output:
        idx = output.index(token_param_name)
        output[idx + 1] = "******"

    return output
```
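Review bot: Both the `token_param_name in output` membership test and `output.index(token_param_name)` only match an element that is exactly `--sas-token`, so if the command list is ever assembled with the value attached to the flag as one element (`--sas-token=<value>`), that element is neither detected nor masked and the token reaches the debug/error log verbatim. Handling the attached form alongside the separate-argument one inside the same loop, e.g. `elif arg.startswith(token_param_name + "="): output[i] = token_param_name + "=******"`, closes that gap. Separately, `cmd[:]` is a shallow copy of a list of strings, so the caller's `cmd` is left untouched and the real token still reaches the subprocess; worth a one-line comment, since a future edit that drops the copy would redact the command actually executed.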
The new _mask_output_token function lacks unit test coverage. Given that this is a security-related function responsible for masking sensitive SAS tokens in logs, it should have unit tests to verify correct behavior including edge cases like when --sas-token is at the end of the list, when it's missing, or when it appears multiple times.
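A hardened version of the masker covering the edge cases raised in the review (flag as the last element, flag repeated, and the attached `--sas-token=<value>` form), shown next to the pattern as originally posted so the difference is testable. This is an added example and not code from the image-copy extension; the names `naive_mask`, `mask_sas_token` and `loggable`, and the sample command line, are mine and constructed for illustration. It assumes, as the reviewed snippet does, that the command is held as an argv-style list of strings.

```python
"""Mask SAS token values in a command list before it is logged.

Added example, not the image-copy extension's own code. Assumes the command
is an argv-style list of strings and that --sas-token may appear as a
separate argument, as --sas-token=<value>, or more than once.
"""
import logging
import shlex
from typing import List

MASK = "******"
FLAG = "--sas-token"


def naive_mask(cmd: List[str]) -> List[str]:
    """The pattern as posted in the PR: first occurrence only, no bounds check.

    Kept here deliberately so the failure modes can be exercised; do not use.
    """
    output = cmd[:]
    if FLAG in output:
        idx = output.index(FLAG)
        output[idx + 1] = MASK  # IndexError when the flag is the last element
    return output


def mask_sas_token(cmd: List[str], flag: str = FLAG) -> List[str]:
    """Return a copy of cmd with every SAS token value replaced by MASK.

    The caller's list is never modified, so the real token still reaches the
    subprocess; only the copy handed to the logger is redacted.
    """
    out = list(cmd)
    attached = flag + "="
    for i, arg in enumerate(out):
        if arg == flag:
            # Separate-argument form: the value is the next element, if any.
            if i + 1 < len(out):
                out[i + 1] = MASK
        elif arg.startswith(attached):
            # Attached form: keep the flag, drop everything after '='.
            out[i] = attached + MASK
    return out


def loggable(cmd: List[str]) -> str:
    """Shell-quoted, redacted rendering of cmd for debug and error messages."""
    return shlex.join(mask_sas_token(cmd))


if __name__ == "__main__":
    logging.basicConfig(level=logging.DEBUG, format="%(levelname)s %(message)s")
    # Constructed sample; the token values are made-up placeholders.
    sample = ["az", "image-copy",
              "--sas-token", "sv=2024-01-01&sig=FAKEsignature",
              "--sas-token=sv=2024-01-01&sig=FAKEsignature2"]
    logging.debug("running: %s", loggable(sample))
    logging.debug("real command still intact: %s", "sig=" in sample[3])
```

The redaction happens on a copy immediately before the string is formatted for the logger, which is the same shape as the PR's integration into the debug, error and exception paths; the difference is only that every occurrence and both argument spellings are handled, and a trailing flag no longer raises.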
[Release] Update index.json for extension [ image-copy-1.0.4 ] : https://dev.azure.com/msazure/One/_build/results?buildId=149006246&view=results
This checklist is used to make sure that common guidelines for a pull request are followed.
Related command

`az image-copy`

General Guidelines

- Have you run `azdev style <YOUR_EXT>` locally? (`pip install azdev` required)
- Have you run `python scripts/ci/test_index.py -q` locally? (`pip install wheel==0.30.0` required)

For new extensions:
About Extension Publish
There is a pipeline to automatically build, upload and publish extension wheels.
Once your pull request is merged into main branch, a new pull request will be created to update `src/index.json` automatically. You only need to update the version information in file `setup.py` and historical information in file `HISTORY.rst` in your PR but do not modify `src/index.json`.