
gitlab.com/gitlab-org/gitaly.git - Unnamed repository; edit this file 'description' to name the repository.
authorZeger-Jan van de Weg <zegerjan@gitlab.com>2018-09-21 10:35:49 +0300
committerZeger-Jan van de Weg <zegerjan@gitlab.com>2018-09-21 10:35:49 +0300
commit26c80352bd885bc948c48f1f1eb5c86577132fd8 (patch)
treefb9189fa20c409010a45aff130ab99c9f75b66c4
parent406f42381126ad7721fb0653734b049311acf8b6 (diff)
parente70287aca57cafc28d9d38ab363019b046dc51f7 (diff)
Merge branch 'zj-patch-0-111' into '0-111-stable'
Sanitize sentry events' logentry messages See merge request gitlab/gitaly!8
-rw-r--r--changelogs/unreleased/sanitizing-v2.yml5
-rw-r--r--ruby/lib/gitaly_server/sentry.rb8
-rw-r--r--ruby/spec/lib/gitaly_server/sentry/url_sanitizer_spec.rb1
3 files changed, 14 insertions, 0 deletions
diff --git a/changelogs/unreleased/sanitizing-v2.yml b/changelogs/unreleased/sanitizing-v2.yml
new file mode 100644
index 000000000..8d43717c6
--- /dev/null
+++ b/changelogs/unreleased/sanitizing-v2.yml
@@ -0,0 +1,5 @@
+---
+title: "Sanitize sentry events' logentry messages"
+merge_request:
+author:
+type: security
diff --git a/ruby/lib/gitaly_server/sentry.rb b/ruby/lib/gitaly_server/sentry.rb
index 4367f7f0f..bd1d8e6b0 100644
--- a/ruby/lib/gitaly_server/sentry.rb
+++ b/ruby/lib/gitaly_server/sentry.rb
@@ -15,12 +15,20 @@ class GitalyServer::Sentry::URLSanitizer < Raven::Processor
sanitize_message(data)
sanitize_fingerprint(data)
sanitize_exceptions(data)
+ sanitize_logentry(data)
data
end
private
+ def sanitize_logentry(data)
+ logentry = data[:logentry]
+ return unless logentry.is_a?(Hash)
+
+ logentry[:message] = sanitize_url(logentry[:message])
+ end
+
def sanitize_fingerprint(data)
fingerprint = data[:fingerprint]
return unless fingerprint.is_a?(Array)
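Review bot: `sanitize_logentry` scrubs only `logentry[:message]`, so a URL carried in any other logentry field would still reach Sentry unsanitized. Sentry's message interface also allows `params`, which are interpolated into the message; if the client ever populates them, string entries of `logentry[:params]` should go through `sanitize_url` as well. The message is also passed to `sanitize_url` without a type check, and whether that helper tolerates `nil` is not visible in this hunk; `return unless logentry.is_a?(Hash) && logentry[:message].is_a?(String)` would make the contract explicit. A short comment such as `# logentry repeats the event message; scrub it so unsanitized URLs are not sent to Sentry` would record why the method exists. `sanitize_fingerprint` continues outside the hunk.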
diff --git a/ruby/spec/lib/gitaly_server/sentry/url_sanitizer_spec.rb b/ruby/spec/lib/gitaly_server/sentry/url_sanitizer_spec.rb
index 8d3d12427..2363bba9d 100644
--- a/ruby/spec/lib/gitaly_server/sentry/url_sanitizer_spec.rb
+++ b/ruby/spec/lib/gitaly_server/sentry/url_sanitizer_spec.rb
@@ -30,6 +30,7 @@ describe GitalyServer::Sentry::URLSanitizer do
data = JSON.parse(last_sentry_event[1])
expect(data['message']).to eq("StandardError: #{ex_sanitized_message}")
+ expect(data['logentry']['message']).to eq("StandardError: #{ex_sanitized_message}")
expect(data['fingerprint'].last).to eq(ex_sanitized_message)
expect(data['exception']['values'][0]['value']).to eq(ex_sanitized_message)
end
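Review bot: The added expectation covers only an event whose `logentry` is a Hash with a message; the `return unless logentry.is_a?(Hash)` early exit in `sanitize_logentry` has no example. A case that runs the processor on data without a `logentry` key and asserts that the data comes back unchanged would pin that branch, so a later refactor cannot turn it into an exception inside the Sentry pipeline and lose the report. The enclosing example starts outside this hunk.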