ToolRunner is leaking the command line #1029

Open

PavelBansky opened this issue Apr 2, 2024 · 2 comments

Comments

@PavelBansky
ToolRunner is leaking command line arguments into logs on the build machine.
This is not good, because we are passing URLs with a SAS token to curl executed by ToolRunner:

EXECVE argc=5 a0="/bin/curl" a1="--location" a2=https://cXXXXXXX0.blob.core.windows.net/miXXXXXXXnt/codeql-cli/2.16.3/linux64.zip?sp=rli&st=2024-03-15T17:37:05Z&se=2024-10-16T01:37:05Z&spr=https&sv=2022-11-02&sr=c&sig=lPyj<REDACTED> a3="--output" a4="/mnt/vss/_work/_temp/coXXXXXX/distribution/linux64.zip"

This happens even if run in silent mode with all outputs redirected to null:

const result = await runner.exec({silent: true, outStream: null, errStream: null} as IExecOptions);
@aleksandrlevochkin
Contributor

Hi @PavelBansky, thank you for reporting this issue; we'll start working on it soon.

@ismayilov-ismayil
Contributor

Hi @PavelBansky,
Please find the explanation below:

  • The outStream is related to the executed application (in this case 'curl'), not to the task itself.
  • If outStream is null, it uses the default process output handler.
  • The silent parameter is also related to the executed application. It means that in case of 'true' the output from the application will be hidden.
  • The task arguments are written by the 'debug' method of the task-lib. So, if you disable the System.debug parameter in your pipeline, you will not see the args in the log.
  • But if you want to hide the args in any case, there are several options to do it. Here is one of them:

  1. Change your task so that it accepts an input parameter.
  2. Then add a new variable to your pipeline with this name and mark it as secret. This variable will be masked in the logs.
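The two points above (the reporter's observation that `silent`/`outStream` only affect curl's own output, and the maintainer's answer that a value marked as secret is masked wherever it appears in the log) come down to one mechanism: the masking happens in the logger, not in the process runner. The following TypeScript is an added illustration of that mechanism and is not code from azure-pipelines-task-lib or the Azure Pipelines agent. It models a secret masker, registers the SAS parts of a URL with it, and shows what the argc/argv debug line from the issue looks like once the registered values are redacted. `SecretMasker`, `sasSecretsFromUrl`, `maskedDebugLine` and `demo` are hypothetical names, and the sample URL is constructed with placeholder host, container and signature. In a real task the equivalent step is to call `tl.setSecret(value)` from azure-pipelines-task-lib on the SAS token (or on the query string as a whole) before handing the URL to ToolRunner, so that the agent masks it in everything it records, including debug output.

```typescript
// Added illustration (not task-lib or agent code): a minimal secret masker that
// redacts registered values from a log line, plus a helper that extracts the
// SAS-bearing parts of a URL so they can be registered. All names here are
// hypothetical; a real task would call tl.setSecret() and let the agent mask.

class SecretMasker {
  private secrets: string[] = [];

  // Register a value that must never appear in a log line. Models tl.setSecret().
  setSecret(value: string): void {
    if (value.length === 0) return; // an empty secret would match everywhere
    const variants = new Set<string>([value]);
    // SAS signatures are URL-encoded in the URL but may be logged decoded, or
    // re-encoded by another layer; register both forms as well.
    try { variants.add(decodeURIComponent(value)); } catch { /* not encoded */ }
    variants.add(encodeURIComponent(value));
    for (const v of variants) {
      if (v.length > 0 && !this.secrets.includes(v)) this.secrets.push(v);
    }
    // Longest first, so a secret that contains another secret is masked whole.
    this.secrets.sort((a, b) => b.length - a.length);
  }

  // Replace every registered secret in `line` with "***".
  mask(line: string): string {
    let out = line;
    for (const s of this.secrets) out = out.split(s).join("***");
    return out;
  }
}

// Return the parts of a SAS URL that must never reach a log: the whole query
// string and, separately, the `sig` HMAC value.
function sasSecretsFromUrl(url: string): string[] {
  const q = url.indexOf("?");
  if (q < 0) return [];
  const query = url.slice(q + 1);
  const out: string[] = [query];
  for (const pair of query.split("&")) {
    const eq = pair.indexOf("=");
    if (eq < 0) continue;
    if (pair.slice(0, eq) === "sig") out.push(pair.slice(eq + 1));
  }
  return out;
}

// Build a debug line in the argc/argv shape shown in the issue, then mask it.
function maskedDebugLine(masker: SecretMasker, argv: string[]): string {
  const raw = `EXECVE argc=${argv.length} ` +
    argv.map((a, i) => `a${i}="${a}"`).join(" ");
  return masker.mask(raw);
}

// Constructed sample modelled on the issue's log line; host, container and
// signature are placeholders, not real values.
const SAMPLE_URL =
  "https://example.blob.core.windows.net/container/codeql-cli/2.16.3/linux64.zip" +
  "?sp=rli&st=2024-03-15T17:37:05Z&se=2024-10-16T01:37:05Z&spr=https&sv=2022-11-02&sr=c&sig=PLACEHOLDER%2Fsig%3D";

// Register the SAS parts, then log the curl invocation through the masker.
function demo(): string {
  const masker = new SecretMasker();
  for (const s of sasSecretsFromUrl(SAMPLE_URL)) masker.setSecret(s);
  return maskedDebugLine(masker,
    ["/bin/curl", "--location", SAMPLE_URL, "--output", "/tmp/linux64.zip"]);
}

console.log(demo());
```

Because the whole query string is registered, the masked line keeps the blob path (useful for troubleshooting) and drops everything after `?`, which is where the `sig` value and the validity window live. Registering the `sig` value on its own as well covers log lines that print only the signature. Note what the example does not do: it never looks at `silent` or `outStream`, because those govern what curl writes, while the leak in this issue is the task-lib's own debug record of the arguments.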
