Gitlab - Links to code are broken and leak Gitlab CI Job tokens #1341
Comments
|
Hi @marcandre-larochelle-bell, Can you please provide Screenshot of issue with broken link. As I am not able to see broken links in GitLab Issues. Thanks |
|
@itsKedar not really as they contain job tokens, but just press edit on the description, you'll see the link contains leaked Gitlab CI job tokens |
|
Hi @marcandre-larochelle-bell , Is it ok, if link looks https://gitlab-ci-token:[MASKED_TOKEN]@gitlab.com? |
|
@itsKedar not really since when you click on it, it tries to authenticate you with the token and breaks all of the Gitlab UI since the token is only valid during the job, not after |
|
Any recommended fix that can help this issue? |
|
@itsKedar I would just add the link without any authentication information in it, you are already authenticated when you click on those within Gitlab, no need for the auth to be there |
|
Thanks for fast replies will fix this in upcoming releases. |
|
Fixed in 1.7.02 |
Description
Embedded links to code include authentication via the Gitlab CI Job tokens which leads to broken sessions as Gitlab CI Job tokens expire after a job finishes running, see: https://docs.gitlab.com/ee/ci/jobs/ci_job_token.html#gitlab-cicd-job-token-security
Expected Behavior
No Gitlab CI Job Token in the embedded links
Actual Behavior
Links contain Gitlab CI Job Token as:
https://gitlab-ci-token:<REDACTED>@gitlab.ca<REDACTED>Reproduction
Environment Details
Docker image: CxFlow 1.7.0-17
The text was updated successfully, but these errors were encountered: