Improve sensitive URL parameter masking
What does this MR do?
Adds URL parameters masking.
Why was this MR needed?
This is something we already have implemented with regex rules, but it doesn't work everywhere (for example, on logrus fields) and is really quite slow.
This new solution is significantly faster and works for anything written to the trace output (therefore addressing #4625 (closed)).
What's the best way to test this MR?
One way of manually testing this is to create a runner config with invalid S3 credentials:
[runners]]
name = "nonsense"
url = "https://gitlab.com/"
token = "<token>"
executor = "shell"
[runners.custom_build_dir]
[runners.cache]
Type = "s3"
Path = "path/to/prefix"
Shared = false
[runners.cache.s3]
ServerAddress = "s3.amazonaws.com"
AccessKey = "AWS_S3_ACCESS_KEY"
SecretKey = "AWS_S3_SECRET_KEY"
BucketName = "runners-cache"
BucketLocation = "eu-west-1"
Insecure = false
[runners.feature_flags]
FF_USE_IMPROVED_URL_MASKING = false
and run a simple cache job:
upload:
script:
- echo "https://example.com?X-Amz-Credential=SENSITIVE_KEY"
- echo "hi" > file
cache:
paths:
- file
With FF_USE_IMPROVED_URL_MASKING = true
, the parameters will be masked. With FF_USE_IMPROVED_URL_MASKING = false
the parameters will be exposed.
What are the relevant issue numbers?
Closes #4625 (closed)