Secret Variables are mangled when arriving in runner

Summary

Environment Variables that are set in the "Secret Variables" section of "Settings -> CI/CD Pipelines" for a project arrive mangled in some situations. I believe this may be happening due to unwanted variable expansion.

Steps to reproduce

  • In a project with CI enabled, navigate to "Settings -> CI/CD Pipelines" and scroll down to the "Secret Variables" section.
  • In the "Add a variable" form, add a new variable with the Key "GOOD", and the Value "stays1.gone1.stays2.".
  • In the "Add a variable" form, add a new variable with the Key "BAD", and the Value "stays1$gone1.stays2.".
  • Add the following job to the project's .gitlab-ci.yml file, and initiate a CI run:
env_var_test:
  script:
  - echo $GOOD
  - echo $BAD

What is the current bug behavior?

The following text is output during the CI run:

$ echo $GOOD
stays1.gone1.stays2.
$ echo $BAD
stays1.stays2.

What is the expected correct behavior?

The following text should be output during the CI run:

$ echo $GOOD
stays1.gone1.stays2.
$ echo $BAD
stays1$gone1.stays2.

Output of checks

Results of GitLab environment info

sudo gitlab-rake gitlab:env:info 

System information
System:         Ubuntu 14.04
Current User:   git
Using RVM:      no
Ruby Version:   2.3.3p222
Gem Version:    2.6.6
Bundler Version:1.13.7
Rake Version:   10.5.0
Redis Version:  3.2.5
Git Version:    2.10.2
Sidekiq Version:4.2.7

GitLab information
Version:        9.0.5
Revision:       a6b9899
Directory:      /opt/gitlab/embedded/service/gitlab-rails
DB Adapter:     postgresql
URL:            [REDACTED]
HTTP Clone URL: [REDACTED]
SSH Clone URL:  [REDACTED]
Using LDAP:     yes
Using Omniauth: no

GitLab Shell
Version:        5.0.0
Repository storage paths:
- default:      /var/opt/gitlab/git-data/repositories
Hooks:          /opt/gitlab/embedded/service/gitlab-shell/hooks/
Git:            /opt/gitlab/embedded/bin/git

GitLab version 9.0.5, omnibus-gitlab package - Working with admin to get the output of the following command:

(For installations with omnibus-gitlab package run and paste the output of: sudo gitlab-rake gitlab:check SANITIZE=true)


Problem

A dollar sign $ character is treated as a special character and the word is evaluated as a variable. For example,

gone1='thiswassetinanothervar'
BAD='stays1$gone1.stays2.'
echo $BAD
stays1thiswassetinanothervar.stays2.

When the script is executed the variable has already been expanded.

Edited Oct 26, 2020 by Jaime Martinez
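
The mangling described in this report can be reproduced and checked for offline. The following is an added example, not code from the report or from GitLab Runner: it assumes the value goes through one `$name` / `${name}` expansion pass, with Go's `os.Expand` standing in for it, and the helper names `expandValue` and `atRiskRefs` are hypothetical.

```go
package main

import (
	"fmt"
	"os"
	"strings"
)

// expandValue mimics a single pre-expansion pass over a variable's value:
// every $name or ${name} is replaced from vars; unknown names become "".
// ASSUMPTION: os.Expand stands in for whatever the runner actually does.
func expandValue(value string, vars map[string]string) string {
	return os.Expand(value, func(name string) string { return vars[name] })
}

// atRiskRefs returns the names a value would reference if it were expanded,
// i.e. the parts of a secret that would be dropped or replaced in transit.
func atRiskRefs(value string) []string {
	var refs []string
	os.Expand(value, func(name string) string {
		refs = append(refs, name)
		return ""
	})
	return refs
}

func main() {
	// Constructed sample: the GOOD and BAD values from the report.
	secrets := map[string]string{
		"GOOD": "stays1.gone1.stays2.",
		"BAD":  "stays1$gone1.stays2.",
	}
	for _, key := range []string{"GOOD", "BAD"} {
		v := secrets[key]
		refs := atRiskRefs(v)
		if len(refs) == 0 {
			fmt.Printf("%s: no references, arrives as %q\n", key, v)
			continue
		}
		fmt.Printf("%s: references %s\n", key, strings.Join(refs, ", "))
		fmt.Printf("  gone1 unset -> %q\n", expandValue(v, nil))
		fmt.Printf("  gone1 set   -> %q\n", expandValue(v,
			map[string]string{"gone1": "thiswassetinanothervar"}))
	}
}
```

Running `atRiskRefs` over secret values before storing them flags any that contain a `$` sequence and would not arrive byte-for-byte in the job.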