Skip to content
GitLab
Next
    • GitLab: the DevOps platform
    • Explore GitLab
    • Install GitLab
    • How GitLab compares
    • Get started
    • GitLab docs
    • GitLab Learn
  • Pricing
  • Talk to an expert
  • /
  • Help
    • Help
    • Support
    • Community forum
    • Submit feedback
    • Contribute to GitLab
    Projects Groups Snippets
  • Sign up now
  • Login
  • Sign in / Register
  • GitLab FOSS GitLab FOSS
  • Project information
    • Project information
    • Activity
    • Labels
    • Members
  • Repository
    • Repository
    • Files
    • Commits
    • Branches
    • Tags
    • Contributors
    • Graph
    • Compare
    • Locked Files
  • Issues 1
    • Issues 1
    • List
    • Boards
    • Service Desk
    • Milestones
    • Iterations
    • Requirements
  • Merge requests 0
    • Merge requests 0
  • Deployments
    • Deployments
    • Environments
    • Releases
  • Packages and registries
    • Packages and registries
    • Package Registry
    • Container Registry
    • Infrastructure Registry
  • Monitor
    • Monitor
    • Metrics
    • Incidents
  • Analytics
    • Analytics
    • Value stream
    • Code review
    • Insights
    • Issue
    • Repository
  • Snippets
    • Snippets
  • Activity
  • Graph
  • Create a new issue
  • Commits
  • Issue Boards
Collapse sidebar
  • GitLab.orgGitLab.org
  • GitLab FOSSGitLab FOSS
  • Issues
  • #13784
Closed
Open
Issue created Feb 25, 2016 by Artem Sidorenko@artem-sidorenkoContributor

Simple masking of protected variables in logs

Problem to Solve

A user may accidently leak a protected variable

Additional Information

In Scope

  • For protected variables, also mask them in the job log like we do today for CI_JOB_TOKEN
  • Normal variables are able to get masked as well and do not have to be protected as well
  • Only variables that match certain requirements will be eligible to be masked
    1. The secret itself should be a single line,
    2. The secret should not have escape characters,
    3. The secret should not use variables,
    4. The secret should not be with spaces,
    5. The secret should be required to have some minimal length, like 8 characters.
  • When adding a protected variable and/or flagging a variable as protected, we will warn the user if the variable will not be masked based on not meeting these requirements

Out of Scope

  • This will not add any additional security to variables (which are already encrypted at rest, but we have this epic to improve the actual security of variables: &816)
  • There will be limits placed on what will and will not be masked. This will include accounting for enough entropy to make sense (e.g. don't mask a variable that is just set to a word.) and are not multi-line.

Design solution

Optimal solution

See #59318 (moved)

Minimal solution

  • Add masked flag (straining the UI)
  • Validation can be done on submit (doesn't require to be done in real time, though nice if possible)
    • Masked variables are not accepted unless they fulfill regexp requirements
  • Copy changes
What Mockup
Project variable settings image
error Warning mockup, see 💎 here for general specs: img

Example

https://gitlab.com/brendan-demo/ci-variables

Today the output is

$ echo "CI_COMMIT_SHORT_SHA is $CI_COMMIT_SHORT_SHA"
CI_COMMIT_SHORT_SHA is cf14dc21
$ echo "CI_JOB_TOKEN is $CI_JOB_TOKEN"
CI_JOB_TOKEN is xxxxxxxxxxxxxxxxxxxx
$ echo "A_REGULAR_VARIABLE is $A_REGULAR_VARIABLE"
A_REGULAR_VARIABLE is foo
$ echo "A_PROTECTED_VARIABLE is $A_PROTECTED_VARIABLE"
A_PROTECTED_VARIABLE is bar

After this issue is complete the output should be

$ echo "CI_COMMIT_SHORT_SHA is $CI_COMMIT_SHORT_SHA"
CI_COMMIT_SHORT_SHA is cf14dc21
$ echo "CI_JOB_TOKEN is $CI_JOB_TOKEN"
CI_JOB_TOKEN is xxxxxxxxxxxxxxxxxxxx
$ echo "A_REGULAR_VARIABLE is $A_REGULAR_VARIABLE"
A_REGULAR_VARIABLE is foo
$ echo "A_PROTECTED_VARIABLE is $A_PROTECTED_VARIABLE"
A_PROTECTED_VARIABLE is xxxxxxxxxxxxxxxxxxxx

Previous description

### Problem to Solve

It would be cool to have a simple protection of secret variables (e.g. credentials like username, password) in the build log output, mainly to protect against unintentional leaking of secret values

Why?

  • In case some software is invoked in the build process shows the password (e.g. debug log or similar)
  • Example: testing of chef cookbooks, which access some password protected sources to fetch the software, which is invoked in the test procedure.
  • It would be a very easy protection for most cases where some secret might get visible in the log

Solution

  • Simple string replacement on secret variable value in build log
  • Additional checkbox in the Gitlab UI (see screenshow below)
  • Gitlab CI runner gets information if protection is required and does the replacement in the build log

Most variables can be exposed with echo $VARIABLE_NAME. However the CI_JOB_TOKEN is replaced with xxxxxxxxxxxxxxxxxxxx. We should do that same masking to any variable marked as "protected". See https://gitlab.com/gitlab-org/gitlab-ce/issues/13784#note_139304839 for an example project.

Important to note that there are lots of other ways to exfiltrate sensitive information. This would only really protect against unintentional output of sensitive values in the output. This needs to be clear when turning the feature on (similar to the warning in incognito mode in your browser that it isn't truly making you invisible.)

Edited Mar 21, 2019 by Miranda Fluharty
Assignee
Assign to
Time tracking