{Image-copy} Mask the value of the --sas-token parameter when displaying it in the terminal

[yanzhudd]

---

This checklist is used to make sure that common guidelines for a pull request are followed.

Related command

az image-copy

General Guidelines

• Have you run azdev style <YOUR_EXT> locally? (pip install azdev required)
• Have you run python scripts/ci/test_index.py -q locally? (pip install wheel==0.30.0 required)
• My extension version conforms to the Extension version schema

For new extensions:

• My extension description/summary conforms to the Extension Summary Guidelines.

About Extension Publish

There is a pipeline to automatically build, upload and publish extension wheels.
Once your pull request is merged into main branch, a new pull request will be created to update src/index.json automatically.
You only need to update the version information in file setup.py and historical information in file HISTORY.rst in your PR but do not modify src/index.json.

[azure-client-tools-bot-prd]

️✔️Azure CLI Extensions Breaking Change Test

️✔️Non Breaking Changes

[yonzhan]

Thank you for your contribution! We will review the pull request and get back to you soon.

[github-actions]

The git hooks are available for azure-cli and azure-cli-extensions repos. They could help you run required checks before creating the PR.

Please sync the latest code with latest dev branch (for azure-cli) or main branch (for azure-cli-extensions).
After that please run the following commands to enable git hooks:

pip install azdev --upgrade
azdev setup -c <your azure-cli repo path> -r <your azure-cli-extensions repo path>

[github-actions]

• For more info about extension versioning, please refer to Extension version schema

[Copilot]

Pull request overview

This PR implements security hardening for the az image-copy extension by masking sensitive SAS token values when they are displayed in terminal logs. The change prevents accidental exposure of SAS tokens in debug and error log messages.

Changes:

• Version bumped from 1.0.3 to 1.0.4
• Added _mask_output_token function to mask --sas-token parameter values with asterisks
• Integrated masking into all command logging paths (debug, error, and exception handlers)

Reviewed changes

Copilot reviewed 3 out of 3 changed files in this pull request and generated 3 comments.

File	Description
setup.py	Version bump to 1.0.4
HISTORY.rst	Added release notes for version 1.0.4 documenting the security enhancement
cli_utils.py	Added _mask_output_token function and integrated it into all command logging statements to mask SAS token values

[Copilot]

This function has a potential IndexError bug. If --sas-token appears as the last element in the cmd list, accessing output[idx + 1] will raise an IndexError. Add a check to ensure idx + 1 is within bounds before attempting to mask the token value.

Suggested change

	output[idx + 1] = "******"
	if idx + 1 < len(output):
	output[idx + 1] = "******"

[Copilot]

The index() method only finds the first occurrence of --sas-token. If the parameter appears multiple times in the command (though unlikely), only the first occurrence will be masked. Consider using a loop or list comprehension to mask all occurrences for more robust security.

Suggested change

	if token_param_name in output:
	idx = output.index(token_param_name)
	output[idx + 1] = "******"
	for i, arg in enumerate(output):
	if arg == token_param_name and i + 1 < len(output):
	output[i + 1] = "******"

[Copilot]

The new _mask_output_token function lacks unit test coverage. Given that this is a security-related function responsible for masking sensitive SAS tokens in logs, it should have unit tests to verify correct behavior including edge cases like when --sas-token is at the end of the list, when it's missing, or when it appears multiple times.

[azclibot]

[Release] Update index.json for extension [ image-copy-1.0.4 ] : https://dev.azure.com/msazure/One/_build/results?buildId=149006246&view=results