Whenever Drone sees text that matches a secret, it masks it with ****. This can lead to secrets being indirectly exposed, as in the following command:
…which ends up in the log as:
…because I have a TERRAFORM_DB_USER secret whose value is
While this is a simple example, Drone masks any text that matches a secret, so any command whose output happens to contain the value reveals that there is a secret equal to the masked text. I’ve seen this manifest in scenarios that actually expose passwords. Granted, they were poorly-chosen passwords, but it still exposes information.
With no masking at all, my logs don’t expose any secrets; everything secret is in environment variables, and their values aren’t printed. But with masking, despite my own precautions, some information has leaked.
In an extreme case, this could be used to launch a dictionary attack, if one could introduce the dictionary into the log output as a side-effect of some other action (say the build displays the contents of a remote file or some other external resource that an attacker has access to).
In practice, this doesn’t concern me, but it’s worth thinking about. In my example, I’d be better off if Drone didn’t try to hide the secrets at all.
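As an added illustration (not code from the post or from Drone), the masking behaviour described above simulated on constructed secrets and log lines: a dictionary-word secret such as a database username becomes readable as soon as the same word appears anywhere else in the output, while a random password masks cleanly. The secret names, values, log lines and wordlist are all assumed; the last function is a defensive pre-check for secrets whose masking would act as an oracle.

```python
"""Simulate CI secret masking and show why masking a common-word secret leaks it.
Secrets, log lines and the wordlist below are all constructed for this example."""
from __future__ import annotations

# Constructed secrets, standing in for the TERRAFORM_DB_USER case in the post.
SECRETS = {
    "TERRAFORM_DB_USER": "postgres",             # a dictionary word
    "TERRAFORM_DB_PASSWORD": "k9#Vq2pL8zRw!mX4",  # long and random
}

# Constructed build output; nothing here prints a secret's value on purpose.
LOG = [
    "Pulling image postgres:15-alpine",
    "Waiting for postgres on port 5432",
    "terraform apply -var db_user=$TERRAFORM_DB_USER",
]

# Constructed stand-in for a wordlist that could end up in build output.
WORDLIST = {"admin", "postgres", "root", "mysql"}


def mask(line: str, secrets: dict[str, str]) -> str:
    """Drone-style masking: every literal occurrence of a secret value becomes ****."""
    for value in secrets.values():
        line = line.replace(value, "****")
    return line


def masked_log(log: list[str], secrets: dict[str, str]) -> list[str]:
    return [mask(line, secrets) for line in log]


def incidental_matches(log: list[str], secrets: dict[str, str]) -> list[tuple[str, str]]:
    """Lines where a secret value occurs as ordinary text rather than via its variable.
    Once masked, such a line tells a reader what '****' stands for from the surrounding
    context (here the image name), so the masking itself discloses the value."""
    hits = []
    for line in log:
        for name, value in secrets.items():
            referenced = f"${name}" in line or f"${{{name}}}" in line
            if value in line and not referenced:
                hits.append((line, name))
    return hits


def weak_secrets(secrets: dict[str, str], wordlist: set[str], min_len: int = 12) -> list[str]:
    """Check before storing a secret: short or dictionary values are exactly the ones
    whose masking turns the log into an oracle confirming them."""
    return [name for name, value in secrets.items()
            if len(value) < min_len or value.lower() in wordlist]
```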