System.Windows.Controls.PasswordBox - Clear Text password written to TestComplete log.

Question

Hi, I am currently reviewing automation code for a WPF application. The WPF application has a login dialog box which contains System.Windows.Controls.PasswordBox as a password input box. The automation code is calling the SetText method to populate the control with password value. Unfortunately, this is resulting in the clear text password value being logged into the TestComplete log. The log record appears as following:

The text '<ClearTextPasswordValueSeenHere>' was entered in the text editor.

We are running this in an Azure pipeline and causing a serious problem for us as a wider set of users have access to the log. This is a security concern. Is there a way we can mask the password in the log? The log itself is absolutely essential for troubleshooting, especially when it is running in an Azure Pipeline. So disabling log is not a solution.

rraghvani · Accepted Answer

Try to searh for "PrjVar" in your Azure log, this might reveal the command line used to execute your tests.

If you can't find anything, then great!

Have you read through, https://learn.microsoft.com/en-us/azure/devops/pipelines/process/set-secret-variables?view=azure-devops&tabs=yaml%2Cbash ?

rraghvani · Answer

You can create a Project Variable of type Password, which won't be shown when used. For example,&nbsp;

heramb · Answer

Thanks for the reply. We are using a project variable. I suspect that the particular project variable in your case is of type Password. We cannot use a Password variable as our credentials are coming from Azure Key Vault and those are passed on to TestComplete/TestExecute command line as clear text values through&nbsp;InstallTestCompleteAdapter pipeline task using&nbsp;cmdLineParams parameter. I think if there is a way to assign a clear text value to a password variable through script then we should be able to fix it.

rraghvani · Answer

Ah ok. What about doing,&nbsp;Passing Variables via Command Line?&nbsp;The only other issue is, someone can look at the Azure log file to see the command being called, with the parameter values being passed

heramb · Answer

rraghvani&nbsp;, could you please confirm that the type of the variable Project.Variables.Var2 is Password and that's what is preventing its value from being printed to log?&nbsp;I can then think of how to make use of the Password variable. I have verified that passing clear text&nbsp; (i.e. decrypted) password as command line project variable value does not work with /PrjVar switch.&nbsp;&nbsp;It will be little bit tricky as we do not want to store the password values in the TestComplete project files. Our password value is coming from Azure Key Vault.&nbsp;

heramb · Answer

As a separate point, it will be good to know where in the log file the command line is printed. That can become a security issue too with our current solution.

Forum Discussion

System.Windows.Controls.PasswordBox - Clear Text password written to TestComplete log.

9 Replies

Related Content

password reset

Password reset

TestComplete 14 -Unable to Enter Username & Password

Password Variable not passing the password

TestComplete with Zephyr Scale

Recent Discussions

Inspecting a DotNetBrowser Chromium control

Dynamic Object

Pulling in Dynamic Links from a web page

Multiple execution of a test plan with different values from an Excel table

Your thoughts about a REST API in TestComplete