Skip to content

Masked Variable still printed in log output on gitlab.com

Summary

On gitlab.com setting a valid Masked Variable and echo it, still shows up in logs. This is using the gitlab-runner 11.10.0-rc2 (10efa505) on docker-auto-scale fa6cab46

Steps to reproduce

  • Create a Masked variable, e.g. TEST = ABCDEFGH or TEST2 = 12345678 or longer strings and keep the default Masked toggle ON and one time Protected ON and one time OFF

Screenshot of a Protected + Masked Variable TEST and a not-Protected + Masked Variable TEST2 :

Screenshot_2019-04-24_at_22.49.15

  • commit a .gitlab-ci.yml to master with the command echo "$TEST" and echo "$TEST2"
  • look at the log output and see the values like ABCDEFGH and 12345678 appear in the output
  • also tested (earlier on) with longer, random letter-digit strings, same effect.

Example Project

simply printing $TEST and $TEST2:

https://gitlab.com/petervandenabeele/kube-kompare/-/jobs/201913928
https://gitlab.com/petervandenabeele/kube-kompare/-/jobs/201912085

This has also export, and we do see $CI_BUILD_TOKEN being masked correctly, but $TEST not masked.

https://gitlab.com/petervandenabeele/kube-kompare/-/jobs/201889446

I also tested with default ruby:2.5 image and with alpine:latest image and the bug was the same.

What is the current bug behavior?

The value of the Protected ENV Variable is printed in the output.

$ echo "$TEST and see if the result is masked"
ABCDEFGH and see if the result is masked

What is the expected correct behavior?

$ echo "$TEST and see if the result is masked"
xxxxxxxx and see if the result is masked

Relevant logs and/or screenshots

Running with gitlab-runner 11.10.0-rc2 (10efa505)
  on docker-auto-scale fa6cab46
Using Docker executor with image alpine:latest ...
Pulling docker image alpine:latest ...
Using docker image sha256:cdf98d1859c1beb33ec70507249d34bacf888d59c24df3204057f9a6c758dddb for alpine:latest ...
Running on runner-fa6cab46-project-12016615-concurrent-0 via runner-fa6cab46-srm-1556137943-496841d9...
Initialized empty Git repository in /builds/petervandenabeele/kube-kompare/.git/
Fetching changes...
Created fresh repository.
From https://gitlab.com/petervandenabeele/kube-kompare
 * [new branch]      master     -> origin/master
Checking out 2b11bc53 as master...

Skipping Git submodules setup
$ echo "hello world, in the default 'test' stage"
hello world, in the default 'test' stage
$ echo "$TEST and see if the result is masked"
ABCDEFGH and see if the result is masked
$ echo "$TEST2 and see if the result is masked"
12345678 and see if the result is masked
Job succeeded

Output of checks

This bug happens on GitLab.com

Possible fixes

Not found.!

Edited by Peter Vandenabeele