extractAccessKey method exposes secrets in debug mode

[heurtematte]

Setting script to debug mode exposes secrets in logs.

  script:
    - set -x
    - !reference [.injectDevelocityForMaven]

• https://github.com/gradle/develocity-gitlab-templates/blob/main/develocity-maven.yml#L253
• https://github.com/gradle/develocity-gitlab-templates/blob/main/develocity-gradle.yml#L570

Root cause:

• method extractAccessKey

 key="${allKeys#*$hostname=}"    # Remove everything before the host name and '='

Avoid string manipulation with secrets.

Logs:

++ extractAccessKey [MASKED] develocity-staging.eclipse.org
+++ local allKeys=[MASKED]
+++ local hostname=develocity-staging.eclipse.org
+++ key=XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
+++ '[' XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX == [MASKED] ']'
+++ key=XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX

XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX is exposed.

[alextu]

I see, although it seems like a GitLab limitation with masking variables. I guess we could implement an additional safety net like https://stackoverflow.com/a/48019999 but it seems a bit tedious and error prone (easy to forget portions of code) 🤔. Do you see another solution?

[heurtematte]

This is at least a nice workaround at the moment.

For future use, I would suggest to prefix all token. In gitlab pattern like glpat- are automatically masked.

Gitlab seems to have this feature: CI_TOKEN_MASK_PREFIXES, according to this MR https://gitlab.com/gitlab-org/gitlab/-/merge_requests/100882, but I have never been able to make it work.