New masking of protected variables feature is too limiting on allowed characters in the mask

Problem to solve

In #13784 (closed), GitLab delivered the capability to mask secret variables out of job logs, so that secret authentication data is not leaked to users who can read the logs and secrets/tokens stay secret.

https://docs.gitlab.com/ee/ci/variables/#via-the-ui, specifically: https://docs.gitlab.com/ee/ci/variables/#masked-variables

However, the requirements seem to have neglected even the built-in default tokens/keys that GitLab itself generates; in addition, several users have encountered other common characters that are not allowed in a masked value.

Intended users

DevSecOps teams & developers.

Further details

Considerations include:

  1. GitLab's personal access tokens: https://docs.gitlab.com/ee/user/profile/personal_access_tokens.html
  2. GitLab's deploy tokens: https://docs.gitlab.com/ee/user/project/deploy_tokens/
  3. AWS access key: https://docs.aws.amazon.com/general/latest/gr/managing-aws-access-keys.html
  4. ... (more) ...

Proposal

In general, we should consider what the MAXIMUM charset is that can be supported for this feature. As suggested here: https://gitlab.com/gitlab-org/gitlab-ce/issues/13784#note_202408541, many characters are currently restricted seemingly unnecessarily (or for reasons not understood by the community).
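To make the charset question concrete, here is an added example (not code from GitLab or from this issue) showing why the character set of a secret only matters if masking is implemented by compiling the secret into a regular expression: a literal match masks any value. The allow-list regex, the minimum length, the token-shaped values and the log lines are all constructed for illustration; the allow-list is an assumption and is not GitLab's actual rule.

```python
import re

# Constructed secret values for illustration; none of these are real credentials.
SAMPLE_SECRETS = [
    "glpat-ABC123_def456-xyz",                    # shaped like a personal access token
    "wJalrXUtnFEMI/K7MDENG+bPxRfiCYEXAMPLEKEY",   # shaped like an AWS secret access key
    "p@ss w0rd$with{regex}.chars*",               # contains regex metacharacters and a space
]

# ASSUMED allow-list for this demo only (letters, digits and a few punctuation marks).
# It is NOT the rule GitLab applies; it stands in for "some restricted charset".
ASSUMED_ALLOWED = re.compile(r"\A[A-Za-z0-9_+=/@:.~-]+\Z")
MIN_LEN = 8


def can_mask(secret: str) -> bool:
    """Validator in the spirit of the feature: single line, minimum length, restricted charset."""
    return "\n" not in secret and len(secret) >= MIN_LEN and ASSUMED_ALLOWED.match(secret) is not None


def mask_naive(line: str, secrets) -> str:
    """Mask by compiling the raw secret as a regex. Metacharacters ('+', '$', '*', ...)
    change the meaning of the pattern, so such secrets silently fail to be masked."""
    for s in secrets:
        try:
            line = re.sub(s, "[MASKED]", line)
        except re.error:
            # An unbalanced '(' or '[' in the secret does not even compile; leave the line as-is.
            pass
    return line


def mask_literal(line: str, secrets) -> str:
    """Mask by literal match (re.escape): works for any character the secret contains."""
    for s in secrets:
        line = re.sub(re.escape(s), "[MASKED]", line)
    return line


def leaked(line: str, secrets) -> list:
    """Return the secrets that still appear verbatim in a log line (what a log audit would flag)."""
    return [s for s in secrets if s in line]


# Constructed job-log lines that echo each secret.
CONSTRUCTED_LOG = [
    "$ curl -H 'PRIVATE-TOKEN: glpat-ABC123_def456-xyz' https://gitlab.example/api/v4/projects",
    "export AWS_SECRET_ACCESS_KEY=wJalrXUtnFEMI/K7MDENG+bPxRfiCYEXAMPLEKEY",
    "login with p@ss w0rd$with{regex}.chars*",
]

if __name__ == "__main__":
    for line in CONSTRUCTED_LOG:
        print("naive  :", mask_naive(line, SAMPLE_SECRETS), "| leaked:", leaked(mask_naive(line, SAMPLE_SECRETS), SAMPLE_SECRETS))
        print("literal:", mask_literal(line, SAMPLE_SECRETS), "| leaked:", leaked(mask_literal(line, SAMPLE_SECRETS), SAMPLE_SECRETS))
    for s in SAMPLE_SECRETS:
        print(repr(s), "passes assumed validator:", can_mask(s))
```

Running it shows the AWS-shaped key and the punctuation-heavy value surviving the naive masker (the `+` and `$` are interpreted as quantifier and anchor), while the literal masker scrubs all three. The validator, by contrast, rejects the third value outright, which is exactly the user-facing restriction this issue is about: a restriction justified by regex-based matching disappears once matching is literal.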

Permissions and Security

Maintainer.

Documentation

docs: https://docs.gitlab.com/ee/ci/variables/#masked-variables, delivered by https://gitlab.com/gitlab-org/gitlab-ce/merge_requests/27236

frontend: https://gitlab/project/settings/ci_cd, delivered by https://gitlab.com/gitlab-org/gitlab-ce/merge_requests/27156

Testing

We would need to ensure these special characters actually work across the myriad of runner types (likely affected by the type of shell each runner uses).

What does success look like, and how can we measure that?

  1. Users can mask ALL types of keys/tokens that GitLab itself generates (built-in ones).
  2. Users can mask COMMON types of keys/tokens for typical cloud infrastructure technologies (AWS/Azure/GCP).
  3. Documentation fully explains which characters are NOT allowed, and WHY.

Links / references