Secure Logging in MSBuild


One of the great features of MSBuild is how easily you can get it to log EVERYTHING to disk, so that when things go wrong you have a pretty good idea of what happened. The problem is that it logs EVERYTHING to disk, most likely including some very sensitive information such as passwords.

Take the following simplified example:

<Project ToolsVersion="4.0" DefaultTargets="Default" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
    <Target Name="Default">
        <!-- Writes the property value to every attached logger -->
        <Message Text="Admin Password: $(AdminPassword)"/>
    </Target>
</Project>

Running that sample using the following:

msbuild SecureFileLogger.proj /p:AdminPassword=Mike /l:FileLogger,Microsoft.Build.Engine

Results in:

Build started 27/05/2010 21:21:14.
__________________________________________________
Project "C:\Program Files (x86)\MSBuild\ExtensionPack\4.0\Samples\SecureFileLogger.proj" (default targets):

Target Default:
    Admin Password: Mike

Build succeeded.
    0 Warning(s)
    0 Error(s)

Time Elapsed 00:00:00.04

Anyone opening the log file will see sensitive information.

This is a simple example; however, you may have no control over what external tasks log to the output stream. This is where the SecureFileLogger provided in the MSBuild Extension Pack 4.0.0.0 steps in.

Running the same sample using:

msbuild SecureFileLogger.proj /p:AdminPassword=Mike /l:SecureFileLogger,MSBuild.ExtensionPack.Loggers.dll

Results in:

Build started. 05/27/2010 21:29:08
__________________________________________________
Project "C:\Program Files (x86)\MSBuild\ExtensionPack\4.0\Samples\SecureFileLogger.proj" (default target(s)):

Target Default:
    #################
Done building target "Default" in project "C:\Program Files (x86)\MSBuild\ExtensionPack\4.0\Samples\SecureFileLogger.proj"
Done building project "SecureFileLogger.proj".
Build succeeded.
0 Warning(s)
0 Error(s)

Time Elapsed 00:00:00.0460027

By default the logger masks any message that has the word ‘password’ in it; however, it also lets you specify any number of regular expressions to control the masking of logged output. Here is the full API:

Syntax:

/l:SecureFileLogger,MSBuild.ExtensionPack.Loggers.dll;logfile=YOURLOGFILE;rulefile=YOURRULEFILE;append=BOOL;verbosity=YOURVERBOSITY;encoding=YOURENCODING

Parameters:

Logfile: An optional parameter that specifies the file in which to store the log information. Defaults to securemsbuild.log

RuleFile: An optional parameter that specifies the file from which to read regular expressions. Use one regular expression per line. Defaults to (?i:.*password.*)

Append: An optional boolean parameter that indicates whether or not to append the log to the specified file: true to add the log to the text already present in the file; false to overwrite the contents of the file. The default is false.

Verbosity: An optional parameter that overrides the global verbosity setting for this file logger only. This enables you to log to several loggers, each with a different verbosity.

Encoding: An optional parameter that specifies the encoding for the file, for example, UTF-8.
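
The rule file decides which messages are masked, so it is worth checking which messages your rules would catch before relying on them. The following is an added example, not part of the Extension Pack: it assumes a message is masked as a whole when any rule matches, uses constructed messages and secret values, and keeps the patterns to syntax that Python's re module and .NET regular expressions share.

```python
import re

# Default rule quoted above, used when no rulefile is given.
DEFAULT_RULE_FILE = r"(?i:.*password.*)"

# Constructed rule file: one regular expression per line.
CUSTOM_RULE_FILE = r"""(?i:.*password.*)
(?i:.*\bpwd\s*=.*)
(?i:.*api[_-]?key.*)"""

# Constructed build messages; every secret value in them is made up.
SAMPLE_MESSAGES = [
    "Admin Password: Mike",
    "Connecting with Server=db01;User Id=sa;Pwd=Mike",
    "Deploying with ApiKey=0000-constructed-0000",
    r"Copying file from obj\Debug\App.dll to bin\App.dll",
]
KNOWN_SECRETS = ["Mike", "0000-constructed-0000"]


def load_rules(text):
    """Compile one regular expression per non-empty line."""
    return [re.compile(line.strip()) for line in text.splitlines() if line.strip()]


def is_masked(rules, message):
    """Assumption: the whole message is masked when any rule matches it."""
    return any(rule.search(message) for rule in rules)


def leaks(rules, messages, secrets):
    """Messages that contain a known secret but match no rule."""
    return [m for m in messages
            if any(s in m for s in secrets) and not is_masked(rules, m)]


if __name__ == "__main__":
    for name, text in (("default", DEFAULT_RULE_FILE), ("custom", CUSTOM_RULE_FILE)):
        found = leaks(load_rules(text), SAMPLE_MESSAGES, KNOWN_SECRETS)
        print(f"{name} rules: {len(found)} message(s) would be logged in clear")
        for message in found:
            print("   ", message)
```

With only the default rule, the connection-string and API-key messages are reported as unmasked because neither contains the word ‘password’; the three-line rule file covers all of them.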

Additional loggers involving encryption are being worked on; however, this logger may provide you with suitable security now.

Mike
