disable CI variable complex expressions by default

What does this MR do?

This MR disables the new behavior for complex CI variable expressions by default. There was a regression caused by merging the feature, because in doing so we use Gitlab::UntrustedRegexp in a way that we hadn't before. This is a more complete version of @stanhu's MR !29504 (closed) to allow users to opt in to the behavior.

I've also written a fix for the reported bug at !29575 (closed). I believe that MR, in theory, should be shipped regardless, as it provides a more uniform handling of pattern match data and fixes the reported errors. However, that is an additional change and not a pure "put it back" regression fix. If we can validate that change and get it merged, we don't necessarily need to turn this off.

However, given the recent discussion around feature flags and their philosophy in our newer, more continuous deployment strategy, I think we should default to disabled here, even if that means we start by deploying this to gitlab.com with everyone enabled. We'll still have plenty of control there and can manage it carefully ourselves. I'm less familiar with the process for rolling out flagged features to self-hosted customers, but it seems like they can opt in when they upgrade to 12.0 and have more context if and when something breaks.

Does this MR meet the acceptance criteria?

Conformity

Security

If this MR contains changes to processing or storing of credentials or tokens, authorization and authentication methods and other items described in the security review guidelines:

  • Label as security and @ mention @gitlab-com/gl-security/appsec
  • The MR includes necessary changes to maintain consistency between UI, API, email, or other methods
  • Security reports checked/validated by a reviewer from the AppSec team