Open
Description
Setting script to debug mode exposes secrets in logs.
```yaml
script:
  - set -x
  - !reference [.injectDevelocityForMaven]
```
- https://github.com/gradle/develocity-gitlab-templates/blob/main/develocity-maven.yml#L253
- https://github.com/gradle/develocity-gitlab-templates/blob/main/develocity-gradle.yml#L570
Root cause:
- method extractAccessKey
```bash
key="${allKeys#*$hostname=}" # Remove everything before the host name and '='
```
Avoid string manipulation with secrets.
Logs:
```text
++ extractAccessKey [MASKED] develocity-staging.eclipse.org
+++ local allKeys=[MASKED]
+++ local hostname=develocity-staging.eclipse.org
+++ key=XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
+++ '[' XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX == [MASKED] ']'
+++ key=XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
```
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX is exposed.
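The leak reported above, reproduced on constructed data with a simulated exact-value mask, next to one way to keep the derivation out of the trace. This is an added example, not code from the issue or from the develocity-gitlab-templates project; `extract_access_key`, `region_traced`, `region_quiet`, `masked_trace`, `leaks`, the key values and the `;`-separated key layout are assumptions.

```sh
#!/bin/sh
# Constructed sample data; the "host=key;host=key" layout is an assumption.
ALL_KEYS='ci.example.test=k3yAAAA;other.example.test=k3yBBBB'
HOST='ci.example.test'
WANT='k3yAAAA'

# Hypothetical stand-in for extractAccessKey, built around the quoted expansion.
extract_access_key() {
    local allKeys="$1" hostname="$2" key
    key="${allKeys#*$hostname=}"   # everything after "<hostname>="
    printf '%s\n' "${key%%;*}"     # cut at the next entry (assumed separator)
}

# Debug mode as in the issue: xtrace is on while the key is derived.
region_traced() {
    set -x
    key=$(extract_access_key "$ALL_KEYS" "$HOST")
    set +x
}

# Hardened region: remember the xtrace state, switch it off before any
# derived value exists, and restore it only once the secret work is done.
region_quiet() {
    set -x                                   # job still runs in debug mode
    case $- in *x*) restore='set -x' ;; *) restore=: ;; esac
    set +x
    key=$(extract_access_key "$ALL_KEYS" "$HOST")
    $restore
    : "key length ${#key}"                   # only non-secret data is traced
    set +x
}

# Simulated masking: only the exact value of the masked variable is replaced,
# so a substring cut out of it passes through untouched.
masked_trace() {
    ( "$1" ) 2>&1 | sed "s|$ALL_KEYS|[MASKED]|g"
}

# Succeeds when the derived key is visible in the masked trace.
leaks() {
    masked_trace "$1" | grep -q "$WANT"
}

for region in region_traced region_quiet; do
    if leaks "$region"; then echo "$region: derived key visible in trace"
    else echo "$region: no key material in trace"; fi
done
```

Restoring xtrace only protects the bracketed region: any later traced command that expands `$key` prints it again, so the derived value should be consumed before tracing is switched back on.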