Order masked values by length to prevent longer values being partially revealed

Arran Walker requested to merge 27861-duplicate-masked-variables into master

What does this MR do?

Order masked values by length: longest -> shortest

Why was this MR needed?

This prevents short values being replaced first that potentially reveal parts of longer secrets.

For example, masking: mask and prefix_mask in the string prefix_mask would result in prefix_[MASKED]. By ordering by length, we ensure we mask the prefix_mask first.

What's the best way to test this MR?

The unit test TestVariablesMasking has been updated with a few variants of this problem that will all fail if values are not sorted correctly.

What are the relevant issue numbers?

Closes #27861 (closed)
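
The ordering problem this merge request describes, shown as an added example (not the project's code or its TestVariablesMasking test). It assumes masking is done by plain sequential string replacement; the function names and the sample values are hypothetical and constructed for illustration.

```go
package main

import (
	"fmt"
	"sort"
	"strings"
)

const maskToken = "[MASKED]"

// maskInOrder replaces each secret with the mask token in the order given.
// With a short value listed before a longer one that contains it, the short
// value is replaced first and the rest of the longer secret stays visible.
func maskInOrder(input string, secrets []string) string {
	for _, s := range secrets {
		if s == "" {
			continue // an empty value would match at every position
		}
		input = strings.ReplaceAll(input, s, maskToken)
	}
	return input
}

// maskLongestFirst sorts a copy of the secrets longest -> shortest before
// replacing, so a longer secret is masked whole before any value it contains.
func maskLongestFirst(input string, secrets []string) string {
	ordered := append([]string(nil), secrets...) // leave the caller's slice untouched
	sort.SliceStable(ordered, func(i, j int) bool {
		return len(ordered[i]) > len(ordered[j])
	})
	return maskInOrder(input, ordered)
}

func main() {
	// Constructed sample: the two values from the description above.
	secrets := []string{"mask", "prefix_mask"}
	line := "prefix_mask"

	fmt.Println("unsorted:     ", maskInOrder(line, secrets))
	fmt.Println("longest first:", maskLongestFirst(line, secrets))
}
```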
