Log when masked variables are leaked by Runner
Problem to solve
When a user sets a variable as masked, the runner usually redacts the content of that variable to [MASKED] if it's printed in the job trace. This can sometimes break, as we saw in https://gitlab.com/gitlab-com/runner-group/team-tasks/-/issues/52 / gitlab-runner#27559 (closed), and we are "failing open": the variable is not masked if it's printed somehow.
We need to add another mechanism on top of what we have to limit how long a leaked secret stays exposed.
Proposal(s)
- When persisting the full trace to the user, we should check its contents and make sure there aren't any printed variable values that are marked as masked. If there are, we can either hide the job trace and show an error to the user, or try to replace the string. We already do something similar for CI_BUILD_TOKEN; maybe we can use the same mechanism.
- Less secure but more performant: build the job variables once when the job completes, replace plain-text leaked variables, and archive the trace as an artifact.
- The risk here is that a variable can be revealed while the job is running, but as soon as the job is canceled or completes, the leaked variable is fixed.
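The post-completion check described in the proposals above, written as an added example in Go (the language GitLab Runner is written in). This is not GitLab Runner code and does not use its internal APIs; the `RedactTrace` function, the `LeakReport` type, and the sample trace and variable values are all constructed here for illustration. It scans a finished trace for the plain-text value of every masked variable, replaces each occurrence with `[MASKED]`, and returns a per-variable count so that the leak can be logged even though the persisted trace is clean.

```go
package main

import (
	"fmt"
	"sort"
	"strings"
)

// maskToken is the replacement written over a leaked value in the trace.
const maskToken = "[MASKED]"

// LeakReport is the result of a post-completion scan of a job trace.
// Leaked maps a variable name to the number of plain-text occurrences that
// were redacted; Redacted is the trace that is safe to archive.
type LeakReport struct {
	Leaked   map[string]int
	Redacted string
}

// RedactTrace scans a completed job trace for the plain-text values of
// masked variables (name -> value) and replaces every occurrence with
// maskToken. Values are processed longest first so that a value which is a
// substring of a longer value does not split the longer match before it is
// redacted. Empty values are skipped because they would match everywhere.
func RedactTrace(trace string, masked map[string]string) LeakReport {
	names := make([]string, 0, len(masked))
	for name := range masked {
		names = append(names, name)
	}
	sort.Slice(names, func(i, j int) bool {
		return len(masked[names[i]]) > len(masked[names[j]])
	})

	report := LeakReport{Leaked: map[string]int{}, Redacted: trace}
	for _, name := range names {
		value := masked[name]
		if value == "" {
			continue
		}
		// strings.Count and strings.ReplaceAll both work on non-overlapping
		// occurrences, so the count matches the number of replacements made.
		n := strings.Count(report.Redacted, value)
		if n == 0 {
			continue
		}
		report.Leaked[name] = n
		report.Redacted = strings.ReplaceAll(report.Redacted, value, maskToken)
	}
	return report
}

// SampleMasked is a constructed set of masked variables (not real secrets).
var SampleMasked = map[string]string{
	"DEPLOY_TOKEN": "tok-abc123xyz789",
	"DB_PASSWORD":  "s3cretPassw0rd",
	"UNUSED_KEY":   "never-printed-value",
}

// SampleTrace is a constructed job trace in which the streaming masker has
// caught one occurrence but let two values through in plain text.
const SampleTrace = "$ curl -H 'Authorization: Bearer tok-abc123xyz789' https://example.invalid\n" +
	"$ psql --password\nconnecting with s3cretPassw0rd\n" +
	"$ echo $DEPLOY_TOKEN\n[MASKED]\n"

func main() {
	report := RedactTrace(SampleTrace, SampleMasked)
	// Log each leak so the failure of the streaming masker is visible.
	for name, count := range report.Leaked {
		fmt.Printf("masked variable %s leaked %d time(s); redacted before archiving\n", name, count)
	}
	fmt.Print(report.Redacted)
}
```

If the stricter option from the first proposal is chosen (hide the trace and show an error instead of rewriting it), the same `Leaked` map decides that outcome: a non-empty map means the trace must not be persisted as-is.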
Edited by James Heimbuck