Forum Discussion

Heramb's avatar
Heramb
Occasional Contributor
2 years ago

System.Windows.Controls.PasswordBox - Clear Text password written to TestComplete log.

Hi, I am currently reviewing automation code for a WPF application. The WPF application has a login dialog box which contains System.Windows.Controls.PasswordBox as a password input box. The automation code is calling the SetText method to populate the control with password value. Unfortunately, this is resulting in the clear text password value being logged into the TestComplete log. The log record appears as following:

 

The text '<ClearTextPasswordValueSeenHere>' was entered in the text editor.

 

We are running this in an Azure pipeline and causing a serious problem for us as a wider set of users have access to the log. This is a security concern. Is there a way we can mask the password in the log? The log itself is absolutely essential for troubleshooting, especially when it is running in an Azure Pipeline. So disabling log is not a solution.

  • rraghvani's avatar
    rraghvani
    Champion Level 3

    You can create a Project Variable of type Password, which won't be shown when used. For example,

     

  • Heramb's avatar
    Heramb
    Occasional Contributor

    Thanks for the reply. We are using a project variable. I suspect that the particular project variable in your case is of type Password. We cannot use a Password variable as our credentials are coming from Azure Key Vault and those are passed on to TestComplete/TestExecute command line as clear text values through InstallTestCompleteAdapter pipeline task using cmdLineParams parameter. I think if there is a way to assign a clear text value to a password variable through script then we should be able to fix it.

    • Heramb's avatar
      Heramb
      Occasional Contributor

      As a separate point, it will be good to know where in the log file the command line is printed. That can become a security issue too with our current solution.

  • Heramb's avatar
    Heramb
    Occasional Contributor

    rraghvani , could you please confirm that the type of the variable Project.Variables.Var2 is Password and that's what is preventing its value from being printed to log?

     

    I can then think of how to make use of the Password variable. I have verified that passing clear text  (i.e. decrypted) password as command line project variable value does not work with /PrjVar switch. 

     

    It will be little bit tricky as we do not want to store the password values in the TestComplete project files. Our password value is coming from Azure Key Vault. 

  • Heramb's avatar
    Heramb
    Occasional Contributor

    rraghvani  my problem is solved by using a project variable of type Password. Thanks. I still have a concern because you mentioned that the command line is written to the log files. Please let me know where in the log file the command line is written. 

     

    Here is what we are doing.

     

    We have a Azure Pipeline to execute the test cases.

    The pipeline fetches the credentials of the AUT from Azure Key Vault.

    These credentials are passed to TestExecute command line using /PrjVar switch.

    Since there is no way to pass a Password type value on the command line, we have defined two project variables for AUT password. One variable is of type String and this is the one that receives the password value from command line. In the script, where we are populating the password in the AUT GUI, we first initialize the encrypted password variable with the value of decrypted password variable. i.e. something like this:

     

    Project.Variables.EncryptedPasswordVar = Project.Variables.DecryptedPasswordVar;

    passwordControl.SetText(Project.Variables.EncryptedPasswordVar);

     

    I am not sure how secure this solution is. At least now I am not seeing the password value in the log when I call SetText.

     

    It will be good if someone can review this and let us know if this is secure. 

  • Heramb's avatar
    Heramb
    Occasional Contributor

    Thanks a lot. I think the Password variables from TestComplete and the secret variables from Azure Pipelines together solve this problem.