Skip to content
Snippets Groups Projects
New issue look: Off

allow specification of 'taboo' strings in build output

    • Closed (moved) Issue created by username-removed-340089 @DanielDent

    Description

    In #21911 (moved), user error is discussed as one of the ways build secrets can end up leaking.

    Currently, when a gitlab authentication token is displayed in build output, it will be automatically redacted.

    It would be nice to extend this concept to other arbitrary strings. This could be done by having regexes configurable in the runner, and/or specifying that the contents of certain environment variables are not allowed to be sent back in build output.

    If $SOME_VAR=asdkjf0129301923123, and SOME_VAR has been specified as 'taboo', then the runner would replace any occurance of 'asdkjf0129301923123' in the build logs with 'REDACTED' prior to sending the build log back to the mothership.

    This could also protect against cases where unexpected events (i.e. a crash/exception) end up causing build secrets to be displayed, possibly without a direct mistake by the user.

    This is related to #13784 (moved) but is instead relating to the case where build secrets are injected by having them present on a runner. Having the runner itself configured to redact reduces the scope of systems which are are likely to be exposed to the information and/or have the capability to cause the information to be exposed.

    Designs

      Child items ...

      2. Activity

      • username-removed-419655
        username-removed-419655 @markglenfletcher1 ·
        Developer

        Hi @DanielDent thanks for the feedback!

      • username-removed-419655 Added ~19173 feature proposal labels

        Added ~19173 feature proposal labels

      • Felipe Artur moved to gitlab#6906

        moved to gitlab#6906

      • Felipe Artur
        Felipe Artur @felipe_artur ·
        Maintainer

        Hey! :wave:

        GitLab is moving all development for both GitLab Community Edition and Enterprise Edition into a single codebase. The current gitlab-ce repository will become a read-only mirror, without any proprietary code. All development is moved to the current gitlab-ee repository, which we will rename to just gitlab in the coming weeks. As part of this migration, issues will be moved to the current gitlab-ee project.

        If you have any questions about all of this, please ask them in our dedicated FAQ issue.

        https://gitlab.com/gitlab-org/gitlab-ee/issues/13855

        You can also find more information here:

        Frequently Asked Questions

        For an up to date list of questions and answers, please take a look at https://gitlab.com/gitlab-org/gitlab-ee/issues/13855

        What will we do with the repository names?

        https://gitlab.com/gitlab-org/gitlab-ee/ will become https://gitlab.com/gitlab-org/gitlab, and https://gitlab.com/gitlab-org/gitlab-ce will become https://gitlab.com/gitlab-org/gitlab-foss.

        Why rename gitlab-ce to gitlab-foss?

        Using "gitlab" and "gitlab-ce" would be confusing, so we decided to rename gitlab-ce to gitlab-foss to make the purpose of this FOSS repository more clear

        I created a merge requests for CE, and this got closed. What do I need to do?

        You will need to create a merge request at https://gitlab.com/gitlab-org/gitlab-ee/. This link will eventually redirect to https://gitlab.com/gitlab-org/gitlab.

        How does the licensing work in this new setup?

        Everything in the ee/ directory is proprietary. Everything else is free and open source software. If your merge request does not change anything in the ee/ directory, the process of contributing changes is the same as when using the gitlab-ce repository.

        Will you accept merge requests on the gitlab-ce/gitlab-foss project after it has been renamed?

        No. Merge requests submitted to this project will be closed automatically.

        Will I still be able to view old issues and merge requests in gitlab-ce/gitlab-foss?

        Yes.

        How will this affect users of GitLab CE using Omnibus?

        No changes will be necessary, as the packages built remain the same.

        How will this affect users of GitLab CE that build from source?

        Once the project has been renamed, you will need to change your Git remotes to use this new URL. GitLab will take care of redirecting Git operations so there is no hard deadline, but we recommend doing this as soon as the projects have been renamed.

        Where can I see a timeline of the remaining steps?

        https://gitlab.com/gitlab-org/gitlab-ee/issues/13304

        Will community contributions submitted to the new "gitlab" repository be available in the new gitlab-foss repository?

        Yes, these changes will be synced to gitlab-foss automatically, several times per day.

      • Felipe Artur locked this issue

        locked this issue

      Please register or sign in to reply