  • #28074
Closed
Issue created Apr 15, 2019 by Robert Marshall (@rmarshall), Developer

Root Password shows up in PlainText in migration log

I was testing the behavior of a patch to the Cloud Native GitLab chart and noticed that when the migrations job ran my configured root user/password showed up in the migrations log in plain text.

The message appears to come from https://gitlab.com/gitlab-org/gitlab-ce/blob/master/db/fixtures/production/002_admin.rb#L26 or the same line in EE https://gitlab.com/gitlab-org/gitlab-ee/blob/master/db/fixtures/production/002_admin.rb#L26

I'm going to assume that the only user who could view these logs would be someone with disk-level access, so hopefully the root user, so that somewhat limits the scope.

What happens if the logs are shipped to another machine? Would that leak the credentials to users who shouldn't have application-level root access?

Additionally, should a root password be echoed into a log in plaintext at all?

I will note that the root password was set via kubectl create secret generic gitlab-gitlab-initial-root-password --from-literal=password=LEAKING_CREDENTIAL
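An added Ruby example, not GitLab's own code and not part of this issue, showing the defensive counterpart to the report above: scrub configured secret values from seed/migration log lines before they are written or shipped, and scan already-written lines for any that still contain the value. The environment variable name, the sample secret and the sample log lines are constructed placeholders.

```ruby
# Added example (not GitLab's code): redact configured secret values from
# seed/migration log output and report where a leak would have occurred.
# Assumption: the secret reaches the process the way the report describes,
# via a Kubernetes Secret exported as an environment variable; the variable
# name below is a placeholder, not GitLab's real one.

FILTER_MARK = '[FILTERED]'.freeze

# Collect secret values to scrub. Missing or very short values are skipped so
# the filter cannot blank out ordinary words.
def secret_values(env = ENV)
  keys = %w[INITIAL_ROOT_PASSWORD_PLACEHOLDER] # placeholder variable name
  env.values_at(*keys).compact.map(&:to_s).select { |v| v.length >= 8 }
end

# Replace every occurrence of each secret in a log line, longest first so a
# secret that is a prefix of another does not leave a partial value behind.
def redact_line(line, secrets)
  secrets.sort_by { |s| -s.length }.reduce(line) do |acc, secret|
    acc.gsub(secret, FILTER_MARK)
  end
end

# Scan log lines and return [index, redacted_line] pairs for every line that
# still contains a secret, to confirm nothing leaked before logs leave the host.
def find_leaks(lines, secrets)
  lines.each_with_index.filter_map do |line, i|
    next unless secrets.any? { |s| line.include?(s) }
    [i, redact_line(line, secrets)]
  end
end

# Constructed sample: a seed log of the kind the report describes.
SAMPLE_SECRET = 'LEAKING_CREDENTIAL'.freeze
SAMPLE_LOG = [
  'Seeding production fixtures',
  "Administrator account created: login root password #{SAMPLE_SECRET}",
  'Migrations complete'
].freeze

if $PROGRAM_NAME == __FILE__
  find_leaks(SAMPLE_LOG, [SAMPLE_SECRET]).each do |i, redacted|
    puts "line #{i}: #{redacted}"
  end
end
```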
