Gitlab - Links to code are broken and leak Gitlab CI Job tokens #1341
Comments
Hi @marcandre-larochelle-bell, can you please provide a screenshot of the issue with the broken link? I am not able to see broken links in GitLab issues. Thanks
@itsKedar not really, as they contain job tokens, but just press edit on the description and you'll see the link contains leaked GitLab CI job tokens
Hi @marcandre-larochelle-bell, is it OK if the link looks like https://gitlab-ci-token:[MASKED_TOKEN]@gitlab.com?
@itsKedar not really, since when you click on it, it tries to authenticate you with the token and breaks all of the GitLab UI, since the token is only valid during the job, not after
Any recommended fix that can help this issue?
@itsKedar I would just add the link without any authentication information in it; you are already authenticated when you click on those within GitLab, no need for the auth to be there
Thanks for the fast replies, will fix this in upcoming releases.
Fixed in 1.7.02
Description
Embedded links to code include authentication via the GitLab CI job token, which leads to broken sessions because GitLab CI job tokens expire after a job finishes running; see: https://docs.gitlab.com/ee/ci/jobs/ci_job_token.html#gitlab-cicd-job-token-security
Expected Behavior
No Gitlab CI Job Token in the embedded links
Actual Behavior
Links contain Gitlab CI Job Token as:
https://gitlab-ci-token:<REDACTED>@gitlab.ca<REDACTED>
Reproduction
Environment Details
Docker image: CxFlow 1.7.0-17
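As an added example (not CxFlow's own code and not the fix shipped in 1.7.02), the following Python shows the two defensive checks this issue calls for: stripping the userinfo (`gitlab-ci-token:<token>@`) from a clone URL before it is embedded in an issue body, and scanning already-written issue text for links that still carry credentials. It works on the raw string rather than `urllib.parse` so that a masked form such as `[MASKED_TOKEN]` (which, as the thread notes, still breaks the GitLab UI) is removed as well, and it keeps the `#L42`-style fragments that make code links useful. The issue body, hostnames and token values below are constructed for the example.

```python
"""Remove CI job-token credentials from URLs before embedding them in issue text,
and detect links that still leak them. Constructed example, not CxFlow code."""
import re

# Constructed issue body: two code links carry the job token as URL userinfo,
# one link is already clean. The token value is a placeholder.
SAMPLE_ISSUE_BODY = (
    "Finding in [App.java](https://gitlab-ci-token:EXAMPLE-JOB-TOKEN@gitlab.example.com"
    "/grp/app/-/blob/main/src/App.java#L42)\n"
    "Clean link: https://gitlab.example.com/grp/app/-/blob/main/README.md\n"
    "Also: https://gitlab-ci-token:EXAMPLE-JOB-TOKEN@gitlab.example.com"
    "/grp/app/-/blob/main/src/Db.java#L7\n"
)

# Matches http(s) URLs; stops at whitespace and at the closers used by
# Markdown links and angle-bracket autolinks.
URL_RE = re.compile(r"""https?://[^\s)>\]"']+""")


def _split_authority(url):
    """Split url into (scheme prefix, authority, remainder) or None if it has no '://'.

    The authority ends at the first '/', '?' or '#' after the scheme, so path,
    query and fragment (e.g. '#L42') are preserved untouched.
    """
    sep = url.find("://")
    if sep == -1:
        return None
    start = sep + 3
    end = len(url)
    for ch in "/?#":
        i = url.find(ch, start)
        if i != -1 and i < end:
            end = i
    return url[:start], url[start:end], url[end:]


def strip_userinfo(url):
    """Return url with any 'user:password@' userinfo removed from the authority.

    rsplit on the last '@' also handles a literal '@' inside the password part.
    """
    parts = _split_authority(url)
    if parts is None or "@" not in parts[1]:
        return url
    prefix, authority, rest = parts
    return prefix + authority.rsplit("@", 1)[1] + rest


def find_leaked_credentials(text):
    """Return [(username, cleaned_url), ...] for every URL in text that carries userinfo.

    Only the username (e.g. 'gitlab-ci-token') is reported, never the secret itself,
    so the report can be logged safely.
    """
    hits = []
    for m in URL_RE.finditer(text):
        url = m.group(0)
        parts = _split_authority(url)
        if parts is None or "@" not in parts[1]:
            continue
        username = parts[1].rsplit("@", 1)[0].split(":", 1)[0]
        hits.append((username, strip_userinfo(url)))
    return hits


def sanitize_text(text):
    """Rewrite every URL in text so that no userinfo survives into the issue body."""
    return URL_RE.sub(lambda m: strip_userinfo(m.group(0)), text)


if __name__ == "__main__":
    for user, clean in find_leaked_credentials(SAMPLE_ISSUE_BODY):
        print(f"leaked credential for user {user!r} in link {clean}")
    print(sanitize_text(SAMPLE_ISSUE_BODY))
```

`sanitize_text` is the pre-publish step (run it on the Markdown just before creating or updating the issue); `find_leaked_credentials` is the audit step for issues that were already created by an affected version, and it reports only the username so the output itself does not re-leak the token.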