Merge branch 'filter-note-parameters' into 'master'

Include additional fields in the Rails filter_parameters configuration See merge request gitlab-org/gitlab-ce!25238
2019-02-14 18:33:36 +00:00 · 2019-02-14 18:33:36 +00:00 · 12058fbeb8
parent 62c6b062e2 e2cc500e4e
commit 12058fbeb8
3 changed files with 40 additions and 1 deletions
--- a/changelogs/unreleased/filter-note-parameters.yml
+++ b/changelogs/unreleased/filter-note-parameters.yml
@ -0,0 +1,5 @@
+---
+title: Include note in the Rails filter_parameters configuration
+merge_request: 25238
+author:
+type: other
--- a/config/application.rb
+++ b/config/application.rb
@ -97,7 +97,7 @@ module Gitlab
    #
    # NOTE: It is **IMPORTANT** to also update gitlab-workhorse's filter when adding parameters here to not
    #       introduce another security vulnerability: https://gitlab.com/gitlab-org/gitlab-workhorse/issues/182
-    config.filter_parameters += [/token$/, /password/, /secret/, /key$/]
+    config.filter_parameters += [/token$/, /password/, /secret/, /key$/, /^note$/, /^text$/]
    config.filter_parameters += %i(
      certificate
      encrypted_key
--- a/spec/config/application_spec.rb
+++ b/spec/config/application_spec.rb
@ -0,0 +1,34 @@
+# frozen_string_literal: true
+
+require 'spec_helper'
+
+describe Gitlab::Application do # rubocop:disable RSpec/FilePath
+  using RSpec::Parameterized::TableSyntax
+
+  FILTERED_PARAM = ActionDispatch::Http::ParameterFilter::FILTERED
+
+  context 'when parameters are logged' do
+    describe 'rails does not leak confidential parameters' do
+      def request_for_url(input_url)
+        env = Rack::MockRequest.env_for(input_url)
+        env['action_dispatch.parameter_filter'] = described_class.config.filter_parameters
+
+        ActionDispatch::Request.new(env)
+      end
+
+      where(:input_url, :output_query) do
+        '/'                                      | {}
+        '/?safe=1'                               | { 'safe' => '1' }
+        '/?private_token=secret'                 | { 'private_token' => FILTERED_PARAM }
+        '/?mixed=1&private_token=secret'         | { 'mixed' => '1', 'private_token' => FILTERED_PARAM }
+        '/?note=secret&noteable=1&prefix_note=2' | { 'note' => FILTERED_PARAM, 'noteable' => '1', 'prefix_note' => '2' }
+        '/?note[note]=secret&target_type=1'      | { 'note' => FILTERED_PARAM, 'target_type' => '1' }
+        '/?safe[note]=secret&target_type=1'      | { 'safe' => { 'note' => FILTERED_PARAM }, 'target_type' => '1' }
+      end
+
+      with_them do
+        it { expect(request_for_url(input_url).filtered_parameters).to eq(output_query) }
+      end
+    end
+  end
+end