gradle / develocity-gitlab-templates

GitLab CI/CD templates to automatically connect Gradle/Maven builds to Develocity
Apache License 2.0
9 stars, 8 forks

extractAccessKey method exposes secrets in debug mode #60

Open heurtematte opened 3 months ago

heurtematte commented 3 months ago

Setting script to debug mode exposes secrets in logs.

  script:
    - set -x
    - !reference [.injectDevelocityForMaven]

Root cause:

 key="${allKeys#*$hostname=}"    # Remove everything before the host name and '='

Avoid string manipulation with secrets.

Logs:

++ extractAccessKey [MASKED] develocity-staging.eclipse.org
+++ local allKeys=[MASKED]
+++ local hostname=develocity-staging.eclipse.org
+++ key=XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
+++ '[' XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX == [MASKED] ']'
+++ key=XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX

XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX is exposed.

alextu commented 3 months ago

I see, although it seems like a GitLab limitation with masking variables. I guess we could implement an additional safety net like https://stackoverflow.com/a/48019999 but it seems a bit tedious and error prone (easy to forget portions of code) 🤔. Do you see another solution?
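The "safety net" referred to above is the well-known shell idiom of switching xtrace off around any code that handles a secret and restoring it afterwards. As an added example (not the template's own `extractAccessKey`), the function below extracts a host's key from a `host1=key1;host2=key2` list while keeping the parameter expansions out of the `set -x` log; the function name and the sample key list are constructed for this illustration.

```shell
# Added example, not the project's code: extract the access key for one host
# from a ";"-separated "host=key" list without letting xtrace echo the key.
extract_access_key() {
    # Remember whether xtrace (set -x) is on so it can be restored later.
    _xtrace_was_on=0
    case $- in *x*) _xtrace_was_on=1 ;; esac
    # Turn tracing off; the redirect hides the "set +x" line itself.
    { set +x; } 2>/dev/null

    _list=";$1"        # leading ";" so a host name must start an entry
    _hostname=$2
    _key=""

    # Only extract when the host is present; otherwise the expansion would
    # leave the whole list (every key) in _key.
    case "$_list" in
        *";$_hostname="*)
            _key="${_list#*";$_hostname"=}"   # drop everything up to "host="
            _key="${_key%%;*}"                # drop any following entries
            ;;
    esac

    # Restore xtrace only if the caller had it enabled.
    if [ "$_xtrace_was_on" -eq 1 ]; then
        set -x
    fi
    printf '%s\n' "$_key"
}
```

With `set -x` active, the job log now shows only the function call and the `set +x` group, while the expansions that touch the key run untraced. The caller's own `set -x` is still the thing that echoes the arguments on the call line, so GitLab's variable masking remains necessary for the list passed in.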

heurtematte commented 3 months ago

This is at least a nice workaround at the moment.

For future use, I would suggest prefixing all tokens. In GitLab, patterns like glpat- are automatically masked.

GitLab seems to have this feature: CI_TOKEN_MASK_PREFIXES, according to this MR https://gitlab.com/gitlab-org/gitlab/-/merge_requests/100882, but I have never been able to make it work.