[Security] Masked variables vulnerability
Hi team,
I don't know if this is a vulnerability or could qualify to be a new feature. Doing some security tests on my GitLab v16.11.0 (Docker), I detected that it is possible to print a variable to a text file and then upload it as an artifact, download it, and obtain the masked variable.
This is a security issue for our company, since we sometimes work with external developers and they could obtain masked information by configuring the .gitlab-ci.yml file as follows:
```yaml
test:
  stage: build
  script:
    - mkdir TEST
    - echo "${MASKED_VARIABLE}" > TEST/variable.txt
  artifacts:
    paths:
      - TEST/*.txt
```
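Masking in GitLab only rewrites the job log; it does not inspect files a job writes, so anything uploaded as an artifact leaves the instance with the secret intact. The block below is an added example, not part of the issue and not GitLab's own code: a standard-library-only Python scanner that checks artifact contents for each masked value in plain, base64, hex, reversed and URL-encoded form, and also after collapsing whitespace so that a value split across lines with `fold` is still caught. The variable names and values are constructed placeholders, and `scan_artifact` is a hypothetical helper name.

```python
import base64
import binascii
import re
import urllib.parse

# Constructed placeholders standing in for the values of masked CI variables.
# These are not real credentials.
MASKED_VALUES = {
    "AWS_SECRET": "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY",
    "DEPLOY_TOKEN": "glpat-xxxxxxxxxxxxxxxxxxxx",
}


def encodings(value):
    """Yield (label, form) pairs for the ways a secret commonly shows up in a file.

    The plain form is what the issue's `echo` produces; the others are cheap
    transformations an attacker would use to slip past a plain substring check.
    """
    raw = value.encode()
    yield "plain", value
    yield "base64", base64.b64encode(raw).decode()
    yield "hex", binascii.hexlify(raw).decode()
    yield "reversed", value[::-1]
    yield "urlencoded", urllib.parse.quote(value, safe="")


def scan_artifact(content, masked=MASKED_VALUES):
    """Return a list of findings for masked values present in an artifact body.

    Each finding records the variable name, the encoding that matched, and
    whether the match was only visible after stripping whitespace (i.e. the
    value had been split across lines or padded with spaces).
    """
    text = content.decode("utf-8", errors="replace")
    collapsed = re.sub(r"\s+", "", text)
    findings = []
    for name, value in masked.items():
        seen = set()
        for label, form in encodings(value):
            if form in seen:          # e.g. urlencoded == plain for simple values
                continue
            seen.add(form)
            if form in text:
                findings.append({"variable": name, "encoding": label, "split": False})
            elif form in collapsed:
                findings.append({"variable": name, "encoding": label, "split": True})
    return findings


# Constructed sample artifact: one value base64-encoded on a single line, the
# other written in plain text but broken into 10-character lines.
SAMPLE_ARTIFACT = (
    b"build ok\n"
    + b"token=" + base64.b64encode(b"glpat-xxxxxxxxxxxxxxxxxxxx") + b"\n"
    + b"wJalrXUtnF\nEMI/K7MDEN\nG/bPxRfiCY\nEXAMPLEKEY\n"
)


if __name__ == "__main__":
    for finding in scan_artifact(SAMPLE_ARTIFACT):
        print(finding)
```

Because the author of `.gitlab-ci.yml` also controls the `script:` section, a check like this cannot be enforced from inside the job itself; it belongs on the artifact store or in a post-upload hook as a detective control. The preventive fix is to not hand secrets to pipelines that untrusted contributors can edit, for example by scoping variables to protected branches and environments.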