checkmarx-ltd / cx-flow

Checkmarx Scan and Result Orchestration
Apache License 2.0

Gitlab - Links to code are broken and leak Gitlab CI Job tokens #1341

Open marcandre-larochelle-bell opened 2 months ago

marcandre-larochelle-bell commented 2 months ago

Description

Embedded links to code include authentication via the Gitlab CI Job tokens, which leads to broken sessions, as Gitlab CI Job tokens expire after a job finishes running; see: https://docs.gitlab.com/ee/ci/jobs/ci_job_token.html#gitlab-cicd-job-token-security

Expected Behavior

No Gitlab CI Job Token in the embedded links

Actual Behavior

Links contain Gitlab CI Job Token as:

https://gitlab-ci-token:<REDACTED>@gitlab.ca<REDACTED>

Reproduction

Environment Details

Docker image: CxFlow 1.7.0-17

itsKedar commented 4 days ago

Hi @marcandre-larochelle-bell,

Can you please provide a screenshot of the issue with the broken link, as I am not able to see broken links in GitLab Issues?

Thanks

marcandre-larochelle-bell commented 4 days ago

@itsKedar Not really, as they contain job tokens, but just press edit on the description; you'll see the link contains leaked Gitlab CI job tokens.

itsKedar commented 4 days ago

Hi @marcandre-larochelle-bell ,

Is it OK if the link looks like https://gitlab-ci-token:[MASKED_TOKEN]@gitlab.com?

marcandre-larochelle-bell commented 4 days ago

@itsKedar Not really, since when you click on it, it tries to authenticate you with the token and breaks all of the Gitlab UI, as the token is only valid during the job, not after.

itsKedar commented 4 days ago

@marcandre-larochelle-bell,

Any recommended fix that can help with this issue?

marcandre-larochelle-bell commented 4 days ago

@itsKedar I would just add the link without any authentication information in it; you are already authenticated when you click on those within Gitlab, so there is no need for the auth to be there.
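One way to implement the fix recommended in this comment, written as an added Python example (not cx-flow's own code, which is a Java project): strip the userinfo part (`user:token@`) from every link before it is embedded in issue text, and run a check over the rendered body that fails if any URL still carries credentials. The `strip_url_credentials` / `scrub_links` / `find_credential_urls` names, the `gitlab.example.com` host and the `glcbt-CONSTRUCTED-EXAMPLE` token value are all assumptions constructed for the example.

```python
"""Added example (not cx-flow's own code): strip credentials from links.

Demonstrates the fix proposed in the thread: a link back into GitLab
should carry no userinfo ("user:token@"), because the reader is already
authenticated in the GitLab UI and a CI job token is only valid while the
job runs. It also provides a check that a rendered issue body contains no
credential-bearing URLs, usable as a pre-publish guard or a unit test.
All sample data below is constructed for illustration.
"""
import re
from typing import List, Optional, Tuple

# Candidate URLs inside markdown or plain text; stops at whitespace and at
# the characters that normally close a markdown link or an HTML attribute.
# Square brackets are allowed so placeholders like [MASKED_TOKEN] are seen.
URL_RE = re.compile(r"""https?://[^\s<>()"']+""")


def _authority_span(url: str) -> Optional[Tuple[int, int]]:
    """Return (start, end) of the authority part of url, or None if absent."""
    sep = url.find("://")
    if sep < 0:
        return None
    start = sep + 3
    end = len(url)
    for i in range(start, len(url)):
        if url[i] in "/?#":  # first delimiter that ends the authority
            end = i
            break
    return start, end


def has_url_credentials(url: str) -> bool:
    """True if the authority contains userinfo (anything before an '@')."""
    span = _authority_span(url)
    return span is not None and "@" in url[span[0]:span[1]]


def strip_url_credentials(url: str) -> str:
    """Return url with 'user[:password]@' removed from the authority.

    Works on the raw string rather than urllib.parse so that host case,
    bracketed IPv6 hosts and placeholder tokens such as '[MASKED_TOKEN]'
    pass through untouched, and an '@' in the path or query (for example
    an e-mail address in a search parameter) is not mistaken for userinfo.
    """
    span = _authority_span(url)
    if span is None:
        return url
    start, end = span
    authority = url[start:end]
    if "@" not in authority:
        return url
    host_and_port = authority.rsplit("@", 1)[1]
    return url[:start] + host_and_port + url[end:]


def scrub_links(text: str) -> str:
    """Rewrite every URL in text so that none carries credentials."""
    return URL_RE.sub(lambda m: strip_url_credentials(m.group(0)), text)


def find_credential_urls(text: str) -> List[str]:
    """Detection check: URLs in text that still embed credentials."""
    return [u for u in URL_RE.findall(text) if has_url_credentials(u)]


# Constructed issue body in the shape the thread describes: a finding whose
# "view code" link was built with the CI job token inside the URL.
SAMPLE_ISSUE_BODY = (
    "Finding: SQL injection in src/app/Dao.java line 42\n"
    "[View code](https://gitlab-ci-token:glcbt-CONSTRUCTED-EXAMPLE"
    "@gitlab.example.com/group/project/-/blob/main/src/app/Dao.java#L42)\n"
    "Docs: https://docs.gitlab.com/ee/ci/jobs/ci_job_token.html\n"
)

if __name__ == "__main__":
    print("leaked before scrub:", find_credential_urls(SAMPLE_ISSUE_BODY))
    clean = scrub_links(SAMPLE_ISSUE_BODY)
    print(clean)
    print("leaked after scrub:", find_credential_urls(clean))
```

Applied at the point where the issue body is assembled, `scrub_links` removes the job token from the link while keeping the path and the `#L42` line anchor intact; `find_credential_urls` run over the final text before it is posted catches any link that bypassed the scrubbing, so an expired or leaked token never reaches the issue in the first place.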

itsKedar commented 4 days ago

@marcandre-larochelle-bell

Thanks for the fast replies; will fix this in upcoming releases.