Restrict access to jobs that use CI_DEBUG_TRACE=true
GitLab CI makes it possible to enable debug job logging, which makes use of the shell's debugging features.
For all shells that GitLab CI supports, this means that the content of variables will be exposed. Therefore, from the very beginning we've been warning about the security implications and that enabling this feature when job output is public is dangerous - in the docs we can see:
Warning: Enabling debug tracing can have severe security implications. The output will contain the content of all your variables and any other secrets! The output will be uploaded to the GitLab server and made visible in job logs!
(...)
Before enabling this, you should ensure jobs are visible to team members only. You should also erase all generated job logs before making them visible again.
Some time ago we made it possible to fully disable this feature. But this option has two limitations:
- It must be set on the Runner side, so only the Runner administrator is able to disable it.
- It affects all jobs handled by the configured Runner.
And sometimes it's very useful to be able to get this debug output, especially on the proper target environment. So in many cases runner administrators will probably leave it undefined.
The proposal here is to update GitLab and make the job page of every job that uses CI_DEBUG_TRACE=true configured on GitLab side (so in the group or project CI/CD Variables settings or through the .gitlab-ci.yml file) accessible only to people who have developer or higher permissions in the project. We could even consider making it accessible only to maintainers or higher (who already have access to the secrets defined in the variables). But this would make the CI_DEBUG_TRACE feature less usable for a regular developer, who is probably the most interested in using it (to debug the changes implemented in the CI/CD configuration and scripting).
With this hidden from the general public, we could also show a big, noticeable warning at the top of the page, repeating the warning from the documentation (and stating that access to this job page is limited because of it).
Anyway, with this change, in the case when the user hasn't noticed the warning in the docs or hasn't fully understood the implications, the security risk of revealing the secrets will be greatly reduced.
Of course, the same >=developer or >=maintainer access should also be required for API access to such jobs.
Proposal
Update access controls so that only Developers and above can access the job page for jobs where CI_DEBUG_TRACE=true is configured on GitLab side (via group or project CI/CD Variables settings or the .gitlab-ci.yml file).
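An added sketch of the proposed rule (example code, not GitLab's own implementation): it finds the jobs in a constructed .gitlab-ci.yml whose effective CI_DEBUG_TRACE is true and requires Developer access or higher to read them. The helper names, the anonymous level 0, and the settings-over-YAML precedence used here are assumptions of this example.

```ruby
require "yaml"

# Access levels as numbered in GitLab's permission model.
ACCESS = { guest: 10, reporter: 20, developer: 30, maintainer: 40, owner: 50 }.freeze
ANONYMOUS = 0 # assumption: a signed-out visitor of a public project

# Constructed sample .gitlab-ci.yml: debug tracing on globally, off for one job.
SAMPLE_CI = <<~YAML
  variables:
    CI_DEBUG_TRACE: "true"
  build:
    script: make
  lint:
    variables:
      CI_DEBUG_TRACE: "false"
    script: make lint
  deploy:
    variables:
      DEPLOY_ENV: staging
    script: ./deploy.sh
YAML

# Hypothetical helper: only the value "true" (string or boolean) counts as enabled.
def debug_trace?(vars)
  vars["CI_DEBUG_TRACE"].to_s.strip.casecmp?("true")
end

# Names of jobs whose effective variables enable debug tracing.
# Precedence assumed here: global YAML < job YAML < group/project settings.
def jobs_with_debug_trace(ci_yaml, settings_vars = {})
  config = YAML.safe_load(ci_yaml) || {}
  global = config.fetch("variables", {}) || {}
  jobs = config.select { |_, v| v.is_a?(Hash) && v.key?("script") }
  jobs.select do |_, job|
    debug_trace?(global.merge(job["variables"] || {}).merge(settings_vars))
  end.keys
end

# The proposed rule: a debug-traced job needs at least min_level (Developer by
# default), whether it is reached through the job page or the API.
def can_read_job?(access_level, job_name, debug_jobs, min_level: ACCESS[:developer])
  return true unless debug_jobs.include?(job_name)
  access_level >= min_level
end
```

Passing `min_level: ACCESS[:maintainer]` models the stricter variant discussed above.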
Availability & Testing
- Unit test changes - required, please add tests for all newly implemented logic
- Integration test changes - required, please add tests for different user access levels with the correct expected response from the UI and API.