The documentation states:
Assign Hidden: The system assigns the variable, but hides the value in the logs, showing it as "*****". Use this option when you are including a password or other sensitive information in a variable. Example: you need to include password information in an _MAP variable in order to map a drive. You want to hide the password from users who run the project.
The system normally changes the syntax of a variable in a command line to the appropriate form for your operating system (%VAR% for Windows®, $VAR for Linux® and UNIX® systems). It does not do this for a hidden variable. The variable is passed directly to the server and the operating system environment of the server interprets the variable.
This is NOT true if using a hidden variable in an Adaptor and sending it as a parameter in a run command tag. The preparsing message shows the hidden variable in plaintext.
This seems to be a HUGE security issue if using hidden variables is recommended for passwords or other sensitive information. Can this get fixed? Anyone have ways around this?
State of Minnesota
This topic has been locked.
1 reply Latest Post - 2010-11-10T22:02:20Z by RobertHaig
Pinned topic Hidden Variables Exposed in Log when used in Adaptors
Answered question This question has been answered.
Unanswered question This question has not been answered yet.
Updated on 2010-11-10T22:02:20Z at 2010-11-10T22:02:20Z by RobertHaig
RobertHaig 270000EJPR55 PostsACCEPTED ANSWER
Re: Hidden Variables Exposed in Log when used in Adaptors2010-11-10T22:02:20Z in response to artLThis is still the behavior in the 7.1.2 release stream. This won't be addressed in the 7.1.x releases.
As for a creative way around it, I'd suggest putting those types of variables in an environment group applied at the server level (which makes more sense for an _MAP var anyway). If you do that, you can put a different selector on your adaptor link step so that it doesn't expose those variables.
The other way to mitigate exposure is to set a different access level for your adaptor link steps so that your average user cannot see the step log output for that step.