From b31ab662285d2ca35045e2bd15279f1c2f744f71 Mon Sep 17 00:00:00 2001
From: Mantavya Dhingra <mdhingra@microsoft.com>
Date: Mon, 4 Nov 2024 19:40:44 +0530
Subject: [PATCH] Mask base64 values of secrets in pipeline logs

---
 src/Agent.Worker/Worker.cs | 14 ++++++++++++++
 1 file changed, 14 insertions(+)

diff --git a/src/Agent.Worker/Worker.cs b/src/Agent.Worker/Worker.cs
index cef1e00b46..a0fed0475f 100644
--- a/src/Agent.Worker/Worker.cs
+++ b/src/Agent.Worker/Worker.cs
@@ -174,6 +174,20 @@ private void InitializeSecretMasker(Pipelines.AgentJobRequestMessage message)
                     var escapedSecret2 = variable.Value.Value.Replace("\r", "%0D")
                                                              .Replace("\n", "%0A");
                     AddUserSuppliedSecret(escapedSecret2);
+                    // We need to mask the base 64 value of the secret as well
+                    var base64Secret = Convert.ToBase64String(System.Text.Encoding.UTF8.GetBytes(variable.Value.Value));
+                    // Add the base64 secret to the secret masker
+                    AddUserSuppliedSecret(base64Secret);
+                    // also, we escape some characters for variables when we print them out in debug mode. We need to
+                    // add the escaped version of these secrets as well
+                    var escapedSecret3 = base64Secret.Replace("%", "%AZP25")
+                                                     .Replace("\r", "%0D")
+                                                     .Replace("\n", "%0A");
+                    AddUserSuppliedSecret(escapedSecret3);
+                    // Since % escaping may be turned off, also mask a version escaped with just newlines
+                    var escapedSecret4 = base64Secret.Replace("\r", "%0D")
+                                                     .Replace("\n", "%0A");
+                    AddUserSuppliedSecret(escapedSecret4);
                 }
             }