Gitlab::Ci::MaskSecret `mask!` expects string for `gsub!`, gets array instead

Summary

In certain circumstances during pipeline creation, when masked variables are being processed, the `Gitlab::Ci::MaskSecret` `mask!` method expects to call `gsub!` on a string, when it can sometimes be an array.

Because this is not handled, a 500 error is returned. In this case, the user sees their pipeline does not start. The job stays stuck in Created state:

This job has not been triggered yet
This job depends on upstream jobs that need to succeed in order for this job to be triggered

I was able to reproduce the behaviour on SaaS (i.e. the job does not start, stays in Created state) by reproducing the customer's project hierarchy and general CI/CD yaml structure. When I added a masked variable to the top-level group that was not protected, the behaviour was reproduced. However, I was not able to see the same error the customer received:

```
json.exception.message: undefined method `gsub!' for #<Array:0x00007fa0282b4ec0>
```

I was not able to reproduce this behaviour without emulating the basic structure of the customer's yaml files, with multiple includes at several levels.

Steps to reproduce

Reproduce:

  1. Define a CI config with a project/file include. Define the project as an array:

```yaml
include:
  - project: ["furkanayhan/many-includes"]
    file: a.yml
    ref: master

test:
  script: echo hello
```

  2. Have a masked variable with the included project name

Implementation Table

| Group | Issue Link |
| --- | --- |
| backend | 👈 You are here |
| backend | Backend: Measure users that are using an array ... (#365975) |

Example Project

Approximation of the customer's yaml structure, where behaviour was reproduced. Please see as documented in the GitLab ticket (internal).

What is the current bug behavior?

Pipeline job for first stage does not start, remains at Created stage.

What is the expected correct behavior?

Pipeline job would start.

Relevant logs and/or screenshots

https://sentry.gitlab.net/gitlab/gitlabcom/issues/3266251/?query=is%3Aunresolved%20correlation_id%3A01G1J8H2DTSAD7Y0J1908S7CXC

Possible fixes

We should not allow defining project as an array

Edited by Mark Nuzzo
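
The failure described in the summary and the validation suggested under "Possible fixes", as an added Ruby example that is not GitLab's code. `DemoMaskSecret`, `try_mask` and `project_include_errors` are hypothetical names, and the masker is a simplified stand-in that assumes a mutable String value.

```ruby
require 'yaml'

# Simplified stand-in for a secret masker (hypothetical; not GitLab's code).
# It assumes `value` is a mutable String, the assumption the issue shows broken.
module DemoMaskSecret
  def self.mask!(value, token)
    return value if value.nil? || value.empty? || token.nil? || token.empty?

    value.gsub!(token, 'x' * token.bytesize) # Array has no gsub!
    value
  end
end

# Returns the masked value, or the exception raised while masking.
def try_mask(value, token)
  DemoMaskSecret.mask!(value, token)
rescue NoMethodError => e
  e
end

# Validation in the spirit of "Possible fixes": every `project:` key in an
# include entry must be a String. Returns a list of error messages.
def project_include_errors(config_yaml)
  config = YAML.safe_load(config_yaml)
  return [] unless config.is_a?(Hash)

  raw = config['include']
  entries = raw.is_a?(Array) ? raw : [raw].compact
  entries.each_with_index.filter_map do |entry, i|
    next unless entry.is_a?(Hash) && entry.key?('project')
    next if entry['project'].is_a?(String)

    "include[#{i}].project must be a string, got #{entry['project'].class}"
  end
end

# Constructed sample input: the include from the reproduction steps.
ARRAY_PROJECT = <<~YAML
  include:
    - project: ["furkanayhan/many-includes"]
      file: a.yml
      ref: master
  test:
    script: echo hello
YAML
# The same config with `project` written as a plain string.
STRING_PROJECT = ARRAY_PROJECT.sub('["furkanayhan/many-includes"]', 'furkanayhan/many-includes')
```

Rejecting the array at config validation time turns the unhandled exception into an error message the user can act on, before any masking code sees the value.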