author | Andrew Newdigate <andrew@gitlab.com> | 2019-02-14 10:25:25 +0300 |
---|---|---|
committer | Andrew Newdigate <andrew@gitlab.com> | 2019-02-14 11:46:27 +0300 |
commit | e2cc500e4e6b27bd158a84cf7d38768fd28fa642 (patch) | |
tree | cc153cd1a83d6d4148c9c411d7583a045cef9782 | |
parent | e927833b941122f25252712bc68b37041b38ba2c (diff) |
Filter note parameters
This change adds `note` to the Rails `filter_parameters` configuration.
-rw-r--r-- | changelogs/unreleased/filter-note-parameters.yml | 5 | ||||
-rw-r--r-- | config/application.rb | 2 | ||||
-rw-r--r-- | spec/config/application_spec.rb | 34 |
3 files changed, 40 insertions, 1 deletions
diff --git a/changelogs/unreleased/filter-note-parameters.yml b/changelogs/unreleased/filter-note-parameters.yml
new file mode 100644
index 00000000000..fca2a394820
--- /dev/null
+++ b/changelogs/unreleased/filter-note-parameters.yml
@@ -0,0 +1,5 @@
+---
+title: Include note in the Rails filter_parameters configuration
+merge_request: 25238
+author:
+type: other
diff --git a/config/application.rb b/config/application.rb
index 92a3d031c63..49e7f5836e4 100644
--- a/config/application.rb
+++ b/config/application.rb
@@ -97,7 +97,7 @@ module Gitlab
     #
     # NOTE: It is **IMPORTANT** to also update gitlab-workhorse's filter when adding parameters here to not
     # introduce another security vulnerability: https://gitlab.com/gitlab-org/gitlab-workhorse/issues/182
-    config.filter_parameters += [/token$/, /password/, /secret/, /key$/]
+    config.filter_parameters += [/token$/, /password/, /secret/, /key$/, /^note$/, /^text$/]
     config.filter_parameters += %i(
       certificate
       encrypted_key
diff --git a/spec/config/application_spec.rb b/spec/config/application_spec.rb
new file mode 100644
index 00000000000..01ed81964c3
--- /dev/null
+++ b/spec/config/application_spec.rb
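Review bot: The added line also filters `/^text$/`, but the commit message, the changelog hunk and the new spec in spec/config/application_spec.rb only mention or exercise `note`, so the `text` filter is undocumented and untested; add a row such as `'/?text=secret' | { 'text' => FILTERED_PARAM }` to the spec's `where` table and name `text` in the changelog title. The NOTE comment directly above the changed line says gitlab-workhorse's filter must be updated whenever parameters are added here, and this commit only touches the Rails side, so the matching workhorse change should be confirmed before merge (it is not visible in this diff). As a point of style, `^`/`$` match at line boundaries in Ruby, so `/\Anote\z/` and `/\Atext\z/` express "exact key" more precisely; with the current anchors the only failure mode is over-filtering a key containing a newline, not a leak. The enclosing `class Application` body starts and ends outside this hunk.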
@@ -0,0 +1,34 @@
+# frozen_string_literal: true
+
+require 'spec_helper'
+
+describe Gitlab::Application do # rubocop:disable RSpec/FilePath
+  using RSpec::Parameterized::TableSyntax
+
+  FILTERED_PARAM = ActionDispatch::Http::ParameterFilter::FILTERED
+
+  context 'when parameters are logged' do
+    describe 'rails does not leak confidential parameters' do
+      def request_for_url(input_url)
+        env = Rack::MockRequest.env_for(input_url)
+        env['action_dispatch.parameter_filter'] = described_class.config.filter_parameters
+
+        ActionDispatch::Request.new(env)
+      end
+
+      where(:input_url, :output_query) do
+        '/' | {}
+        '/?safe=1' | { 'safe' => '1' }
+        '/?private_token=secret' | { 'private_token' => FILTERED_PARAM }
+        '/?mixed=1&private_token=secret' | { 'mixed' => '1', 'private_token' => FILTERED_PARAM }
+        '/?note=secret¬eable=1&prefix_note=2' | { 'note' => FILTERED_PARAM, 'noteable' => '1', 'prefix_note' => '2' }
+        '/?note[note]=secret&target_type=1' | { 'note' => FILTERED_PARAM, 'target_type' => '1' }
+        '/?safe[note]=secret&target_type=1' | { 'safe' => { 'note' => FILTERED_PARAM }, 'target_type' => '1' }
+      end
+
+      with_them do
+        it { expect(request_for_url(input_url).filtered_parameters).to eq(output_query) }
+      end
+    end
+  end
+end
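Review bot: `FILTERED_PARAM = ActionDispatch::Http::ParameterFilter::FILTERED` is assigned inside the `describe` block, and a constant assignment in a block binds to the lexical scope, which here is top level, so the constant leaks onto `Object` for the whole suite (the RSpec/LeakyConstantDeclaration cop flags exactly this). Either move the assignment above `describe Gitlab::Application do` so the file-level scope is explicit, or reference `ActionDispatch::Http::ParameterFilter::FILTERED` directly in the table rows. The row `'/?note=secret¬eable=1&prefix_note=2'` appears to have had `&n` turned into `¬` by entity decoding on this page; the expected `'noteable' => '1'` implies the source reads `&noteable=1`, which is worth confirming against the actual file.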