Cannot use $ character in build variables
Summary
It's not possible to use the $ character inside a build variable.
Steps to reproduce
- Add a build variable which contains the
$character somewhere inside. - Add the
envcommand to your Gitlab-CI script and watch the output - in the build log you'll see that the variable is trunkated at the
$sign
Expected behavior
I would either expect a warning or error when trying to save such a build variable.
Or I would expect GitLab to properly escape the content of the build variable.
Actual behavior
The $ sign is obviously treated as a bash variable and is expanded to nothing.
Could this probably a security issue?
Results of GitLab environment info
(For installations with omnibus-gitlab package run and paste the output of:
sudo gitlab-rake gitlab:env:info)
~# gitlab-rake gitlab:env:info
Your home directory is not set properly:
* `/var/opt/gitlab` is not writable
Bundler will use `/tmp/bundler/home/root` as your home directory temporarily
System information
System: Ubuntu 16.04
Current User: git
Using RVM: no
Ruby Version: 2.3.3p222
Gem Version: 2.6.6
Bundler Version:1.14.3
Rake Version: 10.5.0
Sidekiq Version:4.2.7
GitLab information
Version: 8.16.3
Revision: d225908
Directory: /opt/gitlab/embedded/service/gitlab-rails
DB Adapter: postgresql
URL: https://host.tld
HTTP Clone URL: https://host.tld/some-group/some-project.git
SSH Clone URL: git@host.tld:some-group/some-project.git
Using LDAP: no
Using Omniauth: yes
Omniauth Providers: github
GitLab Shell
Version: 4.1.1
Repository storage paths:
- default: /var/opt/gitlab/git-data/repositories
Hooks: /opt/gitlab/embedded/service/gitlab-shell/hooks/
Git: /opt/gitlab/embedded/bin/gitDesigns
| Notification Icon | Popover message |
|---|---|
 |
 |
User flow:
- User inputs a variable value with
$sign - The system autodetects this and displays an icon to notify the user about additional settings being available.
- When the user clicks on this icon, a popover is displayed to allow variable substitution.
We need not show the icon when the variable values are hidden. The icon should only be displayed only when the user clicks on the "Reveal values" button or when the user is in the process of adding a new variable and value with a $ sign in it.