Stuck on an issue?

Lightrun Answers was designed to reduce the constant googling that comes with debugging 3rd party libraries. It collects links to all the places you might be looking at while hunting down a tough bug.

And, if you’re still stuck at the end, we’re happy to hop on a call to see how we can help out.

Azure SQL Database Deployment Task `Active Directory - Password` Bug

See original GitHub issue

Required Information

Type: Bug

Enter Task Name: Azure SQL Database Deployment Task

Environment

Server - Azure Pipelines Hosted windows-2019

Issue Description

When using the Azure SQL Database Deployment task with the Active Directory - Password Authentication Type, the task will not complete if there is a dollar sign ($) in the password.

This issue is similar but ultimately different than the issue reported here: #12012

Steps to Reproduce

Create an Active Directory user with a dollar sign ($) in password
Create another Active Directory user with no special chars in password
Grant permissions to both accounts to Azure SQL Server
Create Azure SQL Database Deployment Task
Select Active Directory - Password Authentication Type
Test Both user accounts with Task
Observe failure when user with dollar sign ($) in password is used

Issue Analytics

State:
Created 4 years ago
Reactions:1
Comments:12 (4 by maintainers)

Top GitHub Comments

2reactions

ShawnMcGoughcommented, Aug 21, 2020

I went ahead and looked into the source code. I’ve discovered that the password is not being escaped for all authentication methods. The password is only escaped (on line 260) when authentication type is server: https://github.com/microsoft/azure-pipelines-tasks/blob/c763c141845d8f8a9eae9571c9df8c63f5a44dd7/Tasks/SqlAzureDacpacDeploymentV1/SqlAzureActions.ps1#L253-L260

When authentication type is aadAuthenticationPassword or aadAuthenticationIntegrated, the Get-AADAuthenticationConnectionString function is called: https://github.com/microsoft/azure-pipelines-tasks/blob/c763c141845d8f8a9eae9571c9df8c63f5a44dd7/Tasks/SqlAzureDacpacDeploymentV1/SqlAzureActions.ps1#L277-L282

The Get-AADAuthenticationConnectionString function builds the connection string without escaping password - allowing for special chars to be in the connection string: https://github.com/microsoft/azure-pipelines-tasks/blob/961d90a3b8d4390ea62066ff601a0c3fbc8ea538/Tasks/SqlAzureDacpacDeploymentV1/Utility.ps1#L249-L251

Probable Solution:

Ensure the password is escaped for all authentication types by using EscapeSpecialChars function at the top of the function. This can be achieved by moving line 260 to line 252, above if statement.

https://github.com/microsoft/azure-pipelines-tasks/blob/c763c141845d8f8a9eae9571c9df8c63f5a44dd7/Tasks/SqlAzureDacpacDeploymentV1/SqlAzureActions.ps1#L252-L261

I’m not in a position to test this myself but hopefully this can jump-start a fix for this issue.

1reaction

arek-avanadecommented, Aug 21, 2020

@AmrutaKawade I don’t think this resolves the issue. I should not care how this task is implemented under the hood - if it’s Powershell, Python or anything else. It’s not possible to escape all possible special characters in all languages. This should be fixed in the Task itself.