root
/
gitlab-ce
mirror of https://gitlab.com/free-releases/gitlab-ce.git
1
0
Fork 0
Code Issues Actions Packages Projects Releases Wiki Activity

Merge branch 'filter-note-parameters' into 'master' 

Include additional fields in the Rails filter_parameters configuration

See merge request gitlab-org/gitlab-ce!25238
This commit is contained in:
Stan Hu 2019-02-14 18:33:36 +00:00
parent 62c6b062e2 e2cc500e4e
commit 12058fbeb8
3 changed files with 40 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

5
changelogs/unreleased/filter-note-parameters.yml Normal file
View File

@ -0,0 +1,5 @@
---
title: Include note in the Rails filter_parameters configuration
merge_request: 25238
author:
type: other

2
config/application.rb
View File

@ -97,7 +97,7 @@ module Gitlab
# #
# NOTE: It is **IMPORTANT** to also update gitlab-workhorse's filter when adding parameters here to not # NOTE: It is **IMPORTANT** to also update gitlab-workhorse's filter when adding parameters here to not
# introduce another security vulnerability: https://gitlab.com/gitlab-org/gitlab-workhorse/issues/182 # introduce another security vulnerability: https://gitlab.com/gitlab-org/gitlab-workhorse/issues/182
config.filter_parameters += [/token$/, /password/, /secret/, /key$/] config.filter_parameters += [/token$/, /password/, /secret/, /key$/, /^note$/, /^text$/]
config.filter_parameters += %i( config.filter_parameters += %i(
certificate certificate
encrypted_key encrypted_key

34
spec/config/application_spec.rb Normal file
View File

@ -0,0 +1,34 @@
# frozen_string_literal: true
require 'spec_helper'
describe Gitlab::Application do # rubocop:disable RSpec/FilePath
using RSpec::Parameterized::TableSyntax
FILTERED_PARAM = ActionDispatch::Http::ParameterFilter::FILTERED
context 'when parameters are logged' do
describe 'rails does not leak confidential parameters' do
def request_for_url(input_url)
env = Rack::MockRequest.env_for(input_url)
env['action_dispatch.parameter_filter'] = described_class.config.filter_parameters
ActionDispatch::Request.new(env)
end
where(:input_url, :output_query) do
'/' | {}
'/?safe=1' | { 'safe' => '1' }
'/?private_token=secret' | { 'private_token' => FILTERED_PARAM }
'/?mixed=1&private_token=secret' | { 'mixed' => '1', 'private_token' => FILTERED_PARAM }
'/?note=secret&noteable=1&prefix_note=2' | { 'note' => FILTERED_PARAM, 'noteable' => '1', 'prefix_note' => '2' }
'/?note[note]=secret&target_type=1' | { 'note' => FILTERED_PARAM, 'target_type' => '1' }
'/?safe[note]=secret&target_type=1' | { 'safe' => { 'note' => FILTERED_PARAM }, 'target_type' => '1' }
end
with_them do
it { expect(request_for_url(input_url).filtered_parameters).to eq(output_query) }
end
end
end
end