Web IDE does not display full error message
Summary
As of April 10th, 2024, when pre-receive secret detection is enabled and a push is made from the Web IDE, the full error message containing details about the detected secrets is not shown. Instead, a generic error message is shown.
This happens regardless of the instance type (Dedicated, SaaS, Self-Managed).
Update: As of April 23rd, the full message is showing again.
Update: As of April 26th, the message is gone completely.
Update: As of April 29th, the full message is showing again.
Update: As of May 1st, the message is gone completely.
Update: As of May 8th, this MR was merged as an attempt to get it to crash less. It will still crash when there are a lot of secrets detected.
Steps to reproduce
Production
Pre-receive secret detection has been enabled for the secrets analyzer, and you can use the Web IDE to try to push a secret like `pat='glpat-12345678901234567890'`.
Locally
Run this in the rails console:

```ruby
# enable the beta, instance-wide flag
::Feature.enable(:pre_receive_secret_detection_beta_release)
# enable the instance-wide setting
rec = Gitlab::CurrentSettings.current_application_settings
rec.pre_receive_secret_detection_enabled = true
rec.save!
rec.reload # = Gitlab::CurrentSettings.current_application_settings; nil
rec.pre_receive_secret_detection_enabled
# this is flightjs/Flight on my GDK, YMMV
project = Project.find 7
# enable the feature for the project
::Feature.enable(:pre_receive_secret_detection_push_check, project)
# enable the setting for the project
project_setting = ProjectSecuritySetting.where(project_id: project.id).first
project_setting.pre_receive_secret_detection_enabled = true
project_setting.save!
project_setting.reload
project_setting.pre_receive_secret_detection_enabled
```
After !150760 (Secrets push check uses project level settings, merged for 17.0) has merged, you will need to [Simulate a SaaS instance](https://docs.gitlab.com/ee/development/ee_features.html#simulate-a-saas-instance).
Now, use the Web IDE to try to push a secret like `pat='glpat-12345678901234567890'`. With the merge of !152289 (Prevent WebIDE from crashing on message, merged for 17.0), you will need to add at least 8 instances of a secret to run into the problem.
What is the current bug behavior?
A generic error message is shown, which isn't useful in identifying the secret committed.
More details about the secret were previously shown and I don't know when this started happening.
As of May 9th, the code crashes when there are 8 or more secrets detected, and the browser shows no error at all. The error does show in the HTTP response, which is visible in the dev console of the browser.
What is the expected correct behavior?
The details about the committed secret should show. The expected details are showing in the Response tab of my Firefox console for the http://gdk.test:3000/api/v4/projects/flightjs%2FFlight/repository/commits XHR:

```text
13:update reference: running pre-receive hooks: GitLab: Secret detection scan completed with one or more findings.
Secrets leaked in commit: 0f9fa2e62a970ce3bd547f9701ebeb0d3943ef9d - path: index.js - line:12 | GitLab Personal Access Token - line:13 | GitLab Personal Access Token
If you wish to skip secret detection, please include [skip secret detection] in one of the commit messages for your changes.
Please remove the identified secrets in your commits and try again.
For help with this, please refer to our documentation: http://gdk.test:3000/help/user/application_security/secret_detection/pre_receive.html#resolve-a-blocked-push.
```
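While the Web IDE hides the message, the findings are still present in the commits-API response, so a small parser over that response is a practical way to recover which file and line tripped the check. The following Python is an added example written for this page, not GitLab's code: it parses the pre-receive error text quoted above into structured findings. Assumptions: the leading `13:` is the gRPC status code that Gitaly prepends to hook errors (13 = INTERNAL); the API wraps the text in a JSON `message` field; the sample messages below are constructed from the one on this page, and the layout for several commits or several paths (repeated `Secrets leaked in commit:` and `- path:` segments) is inferred from the single-commit sample rather than confirmed.

```python
import json
import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample: the error message body from the report above, as the
# extraction shows it (line breaks lost, so some sentences run together).
SAMPLE_MESSAGE = (
    "13:update reference: running pre-receive hooks: GitLab: Secret detection scan "
    "completed with one or more findings.Secrets leaked in commit: "
    "0f9fa2e62a970ce3bd547f9701ebeb0d3943ef9d - path: index.js - line:12 | "
    "GitLab Personal Access Token - line:13 | GitLab Personal Access TokenIf you "
    "wish to skip secret detection, please include [skip secret detection] in one "
    "of the commit messages for your changes.Please remove the identified secrets "
    "in your commits and try again.For help with this, please refer to our "
    "documentation: http://gdk.test:3000/help/user/application_security/"
    "secret_detection/pre_receive.html#resolve-a-blocked-push."
)

# Constructed sample (assumed layout) with two commits, newlines intact, and
# placeholder SHAs, to show the parser generalising beyond the single case above.
MULTI_COMMIT_MESSAGE = (
    "13:update reference: running pre-receive hooks: GitLab: Secret detection scan "
    "completed with one or more findings.\n"
    "Secrets leaked in commit: aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa\n"
    " - path: config/secrets.yml\n"
    "   - line:3 | GitLab Personal Access Token\n"
    "Secrets leaked in commit: bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb\n"
    " - path: .env\n"
    "   - line:1 | GitLab Personal Access Token\n"
    "   - line:2 | GitLab Personal Access Token\n"
    "Please remove the identified secrets in your commits and try again.\n"
)

# Assumed shape of the API error body: {"message": "<text above>"}.
SAMPLE_API_BODY = json.dumps({"message": SAMPLE_MESSAGE})

# Fixed advice phrases that follow the findings; everything from the first of
# them onwards is trailer text and must not be swallowed into a finding type.
TRAILERS = (
    "If you wish to skip secret detection",
    "Please remove the identified secrets",
    "For help with this",
)


@dataclass(frozen=True)
class Finding:
    commit: str
    path: str
    line: int
    kind: str


def strip_grpc_status(message: str) -> tuple[Optional[int], str]:
    """Split off a leading '<code>:' (assumed gRPC status code; 13 = INTERNAL)."""
    m = re.match(r"^(\d+):(.*)$", message, re.DOTALL)
    if not m:
        return None, message
    return int(m.group(1)), m.group(2)


def parse_findings(message: str) -> list[Finding]:
    """Extract (commit, path, line, kind) tuples from the pre-receive error text."""
    _, body = strip_grpc_status(message)
    cut = min((i for i in (body.find(t) for t in TRAILERS) if i >= 0), default=len(body))
    body = body[:cut]
    findings: list[Finding] = []
    # One block per offending commit (repeat assumed, see lead-in).
    for block in re.split(r"Secrets leaked in commit:\s*", body)[1:]:
        sha = re.match(r"[0-9a-f]{7,40}", block)
        if not sha:
            continue
        # One segment per file, each holding one or more "line:N | kind" entries.
        for path_seg in re.split(r"\s*-\s*path:\s*", block[sha.end():])[1:]:
            parts = re.split(r"\s*-\s*line:\s*", path_seg)
            path = parts[0].strip()
            for entry in parts[1:]:
                line_no, _, kind = entry.partition("|")
                findings.append(Finding(sha.group(0), path, int(line_no.strip()), kind.strip()))
    return findings


def findings_from_api_response(body: str) -> list[Finding]:
    """Parse the JSON error body returned by POST .../repository/commits."""
    return parse_findings(json.loads(body).get("message", ""))


def summarize(message: str) -> list[str]:
    """One human-readable line per finding, e.g. '0f9fa2e6 index.js:12 <kind>'."""
    return [f"{f.commit[:8]} {f.path}:{f.line} {f.kind}" for f in parse_findings(message)]


if __name__ == "__main__":
    for line in summarize(SAMPLE_MESSAGE):
        print(line)
```

Paste the `message` value from the dev-console Response tab into `parse_findings`, or the whole JSON body into `findings_from_api_response`, to get the same file and line details the Web IDE would normally display.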