Commit 6db05b3e authored by Tomasz Maczukin, committed by Kamil Trzciński

Add support for dot (.) in variables masking

The CI/CD Variables masking mechanism supports a limited number of
characters that can be masked. One of the currently unsupported ones
is the dot (.) character.

This makes it unusable for example for JWT tokens in
https://gitlab.com/gitlab-org/gitlab/issues/37469.

The current limitation is mostly required to prevent usage
of characters that can be used in shell variables expansion, which
would make the final masking pattern unpredictable. With the Raw
Variables feature (that is under development) the restrictions could be
possibly reduced a little. However, for now we still need them.

However, it seems that the dot (.) usage should not generate the problem
and it would improve the security of JSON Web Tokens passed to the CI/CD
job with the Variables.
parent 6a933340
...@@ -9,9 +9,9 @@ module Ci ...@@ -9,9 +9,9 @@ module Ci
# * No variables # * No variables
# * No spaces # * No spaces
# * Minimal length of 8 characters # * Minimal length of 8 characters
# * Characters must be from the Base64 alphabet (RFC4648) with the addition of @ and : # * Characters must be from the Base64 alphabet (RFC4648) with the addition of '@', ':' and '.'
# * Absolutely no fun is allowed # * Absolutely no fun is allowed
REGEX = /\A[a-zA-Z0-9_+=\/@:-]{8,}\z/.freeze REGEX = /\A[a-zA-Z0-9_+=\/@:.-]{8,}\z/.freeze
included do included do
validates :masked, inclusion: { in: [true, false] } validates :masked, inclusion: { in: [true, false] }
---
title: Add support for dot (.) in variables masking
merge_request: 29022
author:
type: changed
...@@ -224,7 +224,7 @@ describe('AjaxFormVariableList', () => { ...@@ -224,7 +224,7 @@ describe('AjaxFormVariableList', () => {
describe('maskableRegex', () => { describe('maskableRegex', () => {
it('takes in the regex provided by the data attribute', () => { it('takes in the regex provided by the data attribute', () => {
expect(container.dataset.maskableRegex).toBe('^[a-zA-Z0-9_+=/@:-]{8,}$'); expect(container.dataset.maskableRegex).toBe('^[a-zA-Z0-9_+=/@:.-]{8,}$');
expect(ajaxVariableList.maskableRegex).toBe(container.dataset.maskableRegex); expect(ajaxVariableList.maskableRegex).toBe(container.dataset.maskableRegex);
}); });
}); });
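Review bot: the expectation in `takes in the regex provided by the data attribute` only pins the literal string, so this spec will need a manual edit for every future change to `Ci::Maskable::REGEX`; a second assertion that a dot-containing sample value (such as a three-segment `header.payload.signature` string of at least 8 characters) now matches `ajaxVariableList.maskableRegex` would test the behaviour this commit is about rather than the exact pattern text.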
...@@ -162,7 +162,7 @@ describe('VariableList', () => { ...@@ -162,7 +162,7 @@ describe('VariableList', () => {
}); });
it('has a regex provided via a data attribute', () => { it('has a regex provided via a data attribute', () => {
expect($wrapper.attr('data-maskable-regex')).toBe('^[a-zA-Z0-9_+=/@:-]{8,}$'); expect($wrapper.attr('data-maskable-regex')).toBe('^[a-zA-Z0-9_+=/@:.-]{8,}$');
}); });
it('allows values that are 8 characters long', done => { it('allows values that are 8 characters long', done => {
...@@ -61,8 +61,12 @@ describe Ci::Maskable do ...@@ -61,8 +61,12 @@ describe Ci::Maskable do
expect(subject.match?(string)).to eq(false) expect(subject.match?(string)).to eq(false)
end end
it 'does not match strings using unsupported characters' do
expect(subject.match?('HelloWorld%#^')).to eq(false)
end
it 'matches valid strings' do it 'matches valid strings' do
expect(subject.match?('helloworld')).to eq(true) expect(subject.match?('Hello+World_123/@:-.')).to eq(true)
end end
end end
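Review bot: the new negative test `does not match strings using unsupported characters` exercises `%#^`, but the commit message gives shell variable expansion as the reason for the restriction, and none of the characters that matter for that (`$`, `{`, `}`, backtick) are covered; adding at least `$` and `{` to the rejected sample would make the spec guard the property the message describes. The positive case `'Hello+World_123/@:-.'` is good in that it covers every character of the extended set in a single value.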