GitLab does not always limit access to job logs when `CI_DEBUG_TRACE` is enabled
Summary
Enabling `CI_DEBUG_TRACE` in `.gitlab-ci.yml` is supposed to restrict access to job logs to project members (since enabling this feature can result in secrets being written to the job's log). However, depending on the value used to enable `CI_DEBUG_TRACE`, jobs' logs may be available to anyone. Specifically, if `CI_DEBUG_TRACE` is enabled by using one of the values `1`, `t`, `T`, GitLab will not limit access to job logs to project members, and this could result in secrets being revealed.
Details/RCA
The GitLab/Rails side only does a case-insensitive comparison against `true` on the value of `CI_DEBUG_TRACE` to determine if the feature is enabled (https://gitlab.com/gitlab-org/gitlab/-/blob/master/app/models/ci/build.rb#L1045). However, the runner side (https://gitlab.com/gitlab-org/gitlab-runner/-/blob/main/common/build.go#L1285) relies on https://pkg.go.dev/strconv#ParseBool, for which the valid true values are `"1"`, `"t"`, `"T"`, `"true"`, `"TRUE"`, `"True"`. So, if `CI_DEBUG_TRACE` is enabled by using one of the values `1`, `t`, `T`, the runner writes debug output (secrets included) to the log, but GitLab does not consider debug tracing enabled and will not limit access to job logs to project members, and this could result in secrets being revealed.
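The mismatch between the two parsers can be checked mechanically. The following Go program is an added example, not code from GitLab or the runner: it reconstructs the two checks as the issue describes them (a case-insensitive comparison against `true` on the Rails side, `strconv.ParseBool` on the runner side) and lists the values for which the runner enables debug output while Rails leaves the job log unrestricted. It assumes the runner treats a `ParseBool` error as "debug not enabled"; the function names are ours.

```go
package main

import (
	"fmt"
	"strconv"
	"strings"
)

// railsDebugEnabled reconstructs the GitLab (Rails) check described in the
// issue: a case-insensitive comparison of the value against "true".
// Illustrative reconstruction, not GitLab's own code.
func railsDebugEnabled(v string) bool {
	return strings.EqualFold(v, "true")
}

// runnerDebugEnabled reconstructs the runner check, which relies on
// strconv.ParseBool (true values: 1, t, T, TRUE, true, True).
// Assumption: an unparsable value is treated as "not enabled".
func runnerDebugEnabled(v string) bool {
	b, err := strconv.ParseBool(v)
	return err == nil && b
}

// classify gives a single verdict for a CI_DEBUG_TRACE value, which is what a
// config audit would want to report per job or per project.
func classify(v string) string {
	switch {
	case runnerDebugEnabled(v) && railsDebugEnabled(v):
		return "debug (logs restricted)"
	case runnerDebugEnabled(v) && !railsDebugEnabled(v):
		return "debug (logs NOT restricted)"
	default:
		return "off"
	}
}

// divergentValues returns the candidates for which the runner will emit debug
// output but Rails will NOT restrict access to the job log.
func divergentValues(candidates []string) []string {
	var out []string
	for _, v := range candidates {
		if runnerDebugEnabled(v) && !railsDebugEnabled(v) {
			out = append(out, v)
		}
	}
	return out
}

func main() {
	// Constructed sample: every ParseBool true/false spelling plus a few
	// values neither side accepts.
	candidates := []string{"1", "t", "T", "true", "TRUE", "True", "0", "f", "F", "false", "yes", "on"}
	for _, v := range candidates {
		fmt.Printf("%-6q -> %s\n", v, classify(v))
	}
	fmt.Println("divergent:", divergentValues(candidates)) // divergent: [1 t T]
}
```

Running it shows that exactly the three values named in this report, `1`, `t` and `T`, fall into the "debug (logs NOT restricted)" bucket, which is the condition a CI config linter or a server-side guard should flag.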
Steps to reproduce
- On some project, enable `CI_DEBUG_TRACE` in `.gitlab-ci.yml` using one of the following values: `1`, `t`, `T`. e.g.:

```yaml
variables:
  CI_DEBUG_TRACE: 1
```

- Trigger a CI job run (pushing the change from the first step will trigger a job run anyway...)
- Attempt to access the job's logs as an anonymous coward (i.e. without logging into GitLab.com).
Expected result
Access to the job's logs is denied, and instead GitLab returns a "The current user is not authorized to access the job log." banner.
Actual result
The entirety of the job's logs will be displayed, including all juicy secrets. e.g. https://gitlab.com/avonbertoldi/test-project/-/jobs/3071060777
Example Project
- https://gitlab.com/avonbertoldi/test-project
- https://gitlab.com/avonbertoldi/test-project/-/jobs/3071060777
What is the current bug behavior?
The entirety of the job's logs will be displayed, including all secrets. e.g. https://gitlab.com/avonbertoldi/test-project/-/jobs/3071060777
What is the expected correct behavior?
Access to the job's logs is denied, and instead GitLab returns a "The current user is not authorized to access the job log." banner.
Relevant logs and/or screenshots
Output of checks
This bug happens on GitLab.com
Results of GitLab environment info
```yaml
variables:
  CI_DEBUG_TRACE: 1
```
Possible fixes
As suggested by @tmaczukin:
send the information about debug mode state in runner requests that update the job status or even job trace. And then we could base on the same result in Runner's codebase. Plus handle services debug output and maybe future debug methods in the same way. GitLab would not need to know what and how to interpret - would depend on the information from Runner