I need to escape special characters of a password in a YAML file of an Azure DevOps pipeline. The password is part of the connection string of a (Oracle) database connection. It is thus stored as a secret within the pipeline variables.
The password is used in a PowerShell@2 task which creates an argument string for a Windows Batch script.
I know how to escape the password for use in YAML but it doesn't seem to work in the combination with the arg-list for the Batch script. Obviously I cannot post the password, but here is an example string with all characters that I have figured out as problematic:
aa<a$\a#a$aa!a
For the use in YAML PowerShell@2 tasks I supply the password string as (note the backtick for the 2nd $ sign):
aa<a$\a#a`$aa!a
YAML file snippet of the pipeline:
variables:
db_pw: $(database_password)
jobs:
- job: Job_1
displayName: Agent job
[...]
- task: PowerShell@2
displayName: Run Tests and Code Coverage
inputs:
targetType: 'inline'
script: |
$db_user = 'my_user'
$db_conn = 'my_host'
$argstr = @("run $db_user/$(db_pw)@$db_conn", [...])
$cmdPath = (Get-Command my_script.bat).Source
Start-Process -FilePath $cmdPath -ArgumentList $argstr -Wait -NoNewWindow
[...]
Results in this error:
The filename, directory name, or volume label syntax is incorrect.
Things I have tried:
<, #, !, \) with appropriate escape characters$ sign(s)Using inline scripts in Azure DevOps tasks means you are generating the body of the script to be executed, so everything in it must be properly escaped.
The workaround is not setting the password directly in the script.
Set an environment variables at the task level instead of directly using a pipeline variable:
Example:
jobs:
- job: Job_1
displayName: Agent job
[...]
- task: PowerShell@2
displayName: Run Tests and Code Coverage
inputs:
targetType: 'inline'
script: |
# ...
$argstr = @("run $db_user/${Env:myDbPassword}@$db_conn", [...])
# ...
env:
myDbPassword: $(database_password) # <------------------ Environment variable set here