extractAccessKey method exposes secrets in debug mode

Setting script to debug mode exposes secrets in logs.

```yaml
  script:
    - set -x
    - !reference [.injectDevelocityForMaven]
```

* https://github.com/gradle/develocity-gitlab-templates/blob/main/develocity-maven.yml#L253
* https://github.com/gradle/develocity-gitlab-templates/blob/main/develocity-gradle.yml#L570

Root cause: 
* method extractAccessKey

```shell
 key="${allKeys#*$hostname=}"    # Remove everything before the host name and '='
```

Avoid string manipulation with secrets.

Logs: 
```shell
++ extractAccessKey [MASKED] develocity-staging.eclipse.org
+++ local allKeys=[MASKED]
+++ local hostname=develocity-staging.eclipse.org
+++ key=XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
+++ '[' XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX == [MASKED] ']'
+++ key=XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
```

XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX is exposed.



Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

extractAccessKey method exposes secrets in debug mode #60

Metadata

Assignees

Labels

Type

Projects

Milestone

Relationships

Development

extractAccessKey method exposes secrets in debug mode #60

Description

Metadata

Metadata

Assignees

Labels

Type

Projects

Milestone

Relationships

Development

Issue actions