SPIKE: Allow special characters to be mask when used for raw variable types
Problem to solve
In gitlab-foss#13784 (closed), Gitlab delivered the capability to mask secret variables out from the logs to ensure secret AUTH data is not leaked to users and secrets/tokens are kept secret. aka "Masked Variables" feature.
https://docs.gitlab.com/ee/ci/variables/#via-the-ui, specifically: https://docs.gitlab.com/ee/ci/variables/#masked-variables
Since then, there have been a few (1 or 2?) iterations of missed requirements in terms of the limitations of the features for both "disallowed characters" and "anti-length restrictions".
Since GitLab users can now define raw variables through the UI & YAML configuration, the purpose of this issue is to assess if we can also remove the special char masking restriction when users define a raw variable.
Proposal
As there have been further limitations identified, the purpose of this issue is to assess these special character limitations, remove them if possible, and document those that cannot be fixed (and why).
At the end of this, the goal is:
- Allow special characters to masked if the variable is set to
raw
(expanded: false)
Testing
Some characters MAY be dangerous to mask if they are special in the shell or in the backend code. Care must be taken to ensure masking is always safe, and no unsupported input chars can crash or corrupt.
Implementation Table
Group | Issues | Issue Link | Notes |
---|---|---|---|
backend | Backend: Make it possible to set variables as non-expanded in CI/CD Settings > Variables | #361934 (closed) | MVC |
backend | Backend: Backend: Make it possible to set a raw variable in our syntax | #353991 (closed) | MVC |
frontend | Frontend: Make it possible to set variables as non-expanded in CI/CD Settings > Variables | #217309 (closed) | MVC |
backend | Backend: Allow special characters to be used for raw variable types |
|
MVC |
backend | Backend: Make it possible to set variables as non-expanded in Project->pipelines/new | #362539 | TBD at a later date |
backend | Backend: Make it possible to set variables as non-expanded in Manual Job->Play | #362548 | TBD at a later date |
backend | Backend: Make it possible to set variables as non-expanded in Project->pipeline_schedules/new | #362549 | TBD at a later date |