Value is hidden in job logs if it equals the value of a masked variable

Summary

Apologies if this was reported before, I couldn't find anything similar with a quick search through GitLab issues.

I have a variable called SERVER whose value is set to be masked in job logs. Somewhere in my .gitlab-ci.yml file I mistakenly used the actual value instead of the variable and was surprised to see it appear as [MASKED] in the logs.

Is this the intended behaviour? I could not find anything that would support this hypothesis in the docs.

Steps to reproduce

  1. Define a masked, unprotected variable in Settings > CI/CD
  2. Write a CI/CD job that uses the value of the variable
  3. Inspect the job output

Example Project

This works granted you defined the SERVER variable to 'example.com' prior to launching the CI/CD pipeline.

Minimal .gitlab-ci.yml file:

stages:
  - setup

test:
  stage: setup
  tags: [internal runner, redacted]
  # This is just an Ubuntu image with python3.8 installed on it
  image: avazula/ubuntu-python3.8:latest
  script:
    - echo example.com >> test.txt

What is the current bug behavior?

The log displays the command echo [MASKED] >> test.txt

What is the expected correct behavior?

The log should display echo example.com >> test.txt

Relevant logs and/or screenshots

Running with gitlab-runner 12.5.0 (577f813d)
  on [internal-runner, redacted]
Using Docker executor with image avazula/ubuntu-python3.8:latest ...
Pulling docker image avazula/ubuntu-python3.8:latest ...
Using docker image sha256:c2dd91c0f082ed2575f591834347a90ac102894b6704b799b8ebae3ef0c152df for avazula/ubuntu-python3.8:latest ...
Running on [internal-runner, redacted]...
00:12
Fetching changes with git depth set to 50...
00:04
Reinitialized existing Git repository in /builds/mariecarteaux/fuzzing/.git/
From https://gitlab.com/mariecarteaux/fuzzing
 * [new ref]         c1874fca17c9d807736d84a9a9052feec6aadd2f -> refs/pipelines/246505069
   5702f39..c1874fc  master     -> origin/master
Checking out c1874fca as master...
Skipping Git submodules setup
$ echo [MASKED] >> test.yml
Job succeeded

Output of checks

This bug happens on GitLab.com

Results of GitLab environment info

I am using an internal GitLab Runner of docker type. Software version: 12.5.0 The host machine is an Ubuntu 18.04.5 (GNU/Linux 4.15.0-112-generic x86_64) one.

Expand for output related to GitLab environment info 
$ gitlab-runner version
Version:      12.5.0
Git revision: 577f813d
Git branch:   12-5-stable
GO version:   go1.10.8
Built:        2019-11-20T09:14:54+0000
OS/Arch:      linux/amd64

Results of GitLab application Check

N/A

Expand for output related to the GitLab application check 
(For installations with omnibus-gitlab package run and paste the output of:
sudo gitlab-rake gitlab:check SANITIZE=true)


(For installations from source run and paste the output of:
sudo -u git -H bundle exec rake gitlab:check RAILS_ENV=production SANITIZE=true)


(we will only investigate if the tests are passing)

Possible fixes