Newly created Masked and Hidden CI variable can be viewed after creation
Summary
It is possible to view a newly created CI variable that is set to Hidden and Masked. This is only possible on the CI Variables screen after it has just been created using the following steps.
Steps to reproduce
- create a new project
- add a new CI variable named
TEST_VISIBLEwith the following settings:- Type: Variable (default)
- Environments: All (default)
- Visibility: Visible
- Flags: both unchecked
- No description
- any string value
- Save the variable
- add a new CI variable named
TEST_SECRETwith the following settings:- Type: Variable (default)
- Environments: All (default)
- Visibility: Masked and hidden
- Flags: both unchecked
- No description
- set a value of
mysecretvalue
- save the value
- close the Edit variable pop out but do not navigate away from the screen or refresh the window
- click the
Editpencil next toTEST_SECRET=> the Edit attribute pop-out shows correctly (variable value is hidden) - without closing the po-out click the
Editpencil next toTEST_VISIBLE
The Edit attribute pop-out refreshes but instead of showing the TEST_VISIBLE value it shows the TEST_SECRET attribute and value
Example Project
This can be reproduced in any project but will only occur at the time of when the variable is being created
What is the current bug behavior?
The hidden variable value can be viewed again. Also the Edit shows the wrong attribute.
What is the expected correct behavior?
Relevant logs and/or screenshots
Output of checks
Results of GitLab environment info
Expand for output related to GitLab environment info
(For installations with omnibus-gitlab package run and paste the output of: `sudo gitlab-rake gitlab:env:info`) (For installations from source run and paste the output of: `sudo -u git -H bundle exec rake gitlab:env:info RAILS_ENV=production`)
Results of GitLab application Check
Expand for output related to the GitLab application check
(For installations with omnibus-gitlab package run and paste the output of:
sudo gitlab-rake gitlab:check SANITIZE=true)(For installations from source run and paste the output of:
sudo -u git -H bundle exec rake gitlab:check RAILS_ENV=production SANITIZE=true)(we will only investigate if the tests are passing)
Possible fixes
Activity
added typebug label
This was reported by the following customer
- Subscription: GitLab Ultimate
- Product: gitlab.com
- Link to request: ZD Ticket (internal)
- PM to mention: @dhershkovitch
added grouppipeline authoring label
added devopsverify sectionci labels
added customer label
All customer typebug issues need to have a proper severity label set. Please add a severity label, remove the automation:customer-bug-missing-labels label, and then reply to this comment briefly explaining your reasoning for providing this severity.
If you are not the DRI for this area and would like help determining the best severity, please @ the appropriate person for assistance.
This message was generated automatically. You're welcome to improve it.
added automation:customer-bug-missing-labels label
mentioned in issue gitlab-org/quality/triage-reports#22302 (closed)
mentioned in issue gitlab-org/quality/triage-reports#22380 (closed)
added UX label
added reproduced on GitLab.com label
added severity2 label
cc @nagyv-gitlab @nmezzopera This needs your attention. I was able to reproduce this in my test project..
@sunjungp @nagyv-gitlab do you think this is a UX bug or a security issue? I would lean on the first for the reason that the only user who can see the hidden value is the user who created it, it sounds as the value stays stored somewhere in the local storage / cache of the page being loaded.
If is the first case I would probably make this not confidential, @ameyadarshan any thoughts here?
@nmezzopera I would say it's a UX bug with potential security implication. Maybe that was the reason why it was made as a confidential issue.
@nmezzopera I agree with @sunjungp above. This is a UX issue and does not need to be confidential or go through the security release process.
removed automation:customer-bug-missing-labels label
added priority2 label
mentioned in issue gitlab-org/quality/triage-reports#22486 (closed)
mentioned in issue gitlab-org/quality/triage-reports#22681
