Skip to content

Order masked values by length to prevent longer values being partially revealed

Arran Walkerrequested to merge
27861-duplicate-masked-variables into master

What does this MR do?

Order masked values by length: longest -> shortest

Why was this MR needed?

This prevents short values being replaced first that potentially reveal parts of longer secrets.

For example, masking: mask and prefix_mask in the string prefix_mask would result in prefix_[MASKED]. By ordering by length, we ensure we mask the prefix_mask first.

What's the best way to test this MR?

The unit test TestVariablesMasking has been updated with a few variants of this problem that will all fail if values are not sorted correctly.

What are the relevant issue numbers?

Closes #27861 (closed)

Merge request reports