author | GitLab Release Tools Bot <robert+release-tools@gitlab.com> | 2019-11-26 15:01:32 +0300 |
committer | GitLab Release Tools Bot <robert+release-tools@gitlab.com> | 2019-11-26 15:01:32 +0300 |
commit | 170c11041f05345baf94c991c560a6b0e2ed4dee (patch) | |
tree | d70710255a1ecdf4f0fd7c49d53b2551ec9c564b /app | |
parent | 5d5c906bf6a05813d9e9ea4217d4d2ed0fc372e5 (diff) | |
parent | 4cb930236377c9970bc46d877b13fab78b03aa2d (diff) |
Merge branch 'security-2943-encrypt-plaintext-tokens-12-4' into '12-4-stable'
GitLab stores AWS, Slack, Akismet, reCaptcha tokens in plaintext
See merge request gitlab/gitlabhq!3542
Diffstat (limited to 'app')
-rw-r--r-- | app/models/application_setting.rb | 33 |
1 files changed, 17 insertions, 16 deletions
diff --git a/app/models/application_setting.rb b/app/models/application_setting.rb
index a07933d4975..fb702b3898e 100644
--- a/app/models/application_setting.rb
+++ b/app/models/application_setting.rb
@@ -276,23 +276,24 @@ class ApplicationSetting < ApplicationRecord
 pass: :external_auth_client_key_pass,
 if: -> (setting) { setting.external_auth_client_cert.present? }
- attr_encrypted :external_auth_client_key,
- mode: :per_attribute_iv,
- key: Settings.attr_encrypted_db_key_base_truncated,
- algorithm: 'aes-256-gcm',
- encode: true
-
- attr_encrypted :external_auth_client_key_pass,
- mode: :per_attribute_iv,
- key: Settings.attr_encrypted_db_key_base_truncated,
- algorithm: 'aes-256-gcm',
- encode: true
+ private_class_method def self.encryption_options_base_truncated_aes_256_gcm
+ {
+ mode: :per_attribute_iv,
+ key: Settings.attr_encrypted_db_key_base_truncated,
+ algorithm: 'aes-256-gcm',
+ encode: true
+ }
+ end
- attr_encrypted :lets_encrypt_private_key,
- mode: :per_attribute_iv,
- key: Settings.attr_encrypted_db_key_base_truncated,
- algorithm: 'aes-256-gcm',
- encode: true
+ attr_encrypted :external_auth_client_key, encryption_options_base_truncated_aes_256_gcm
+ attr_encrypted :external_auth_client_key_pass, encryption_options_base_truncated_aes_256_gcm
+ attr_encrypted :lets_encrypt_private_key, encryption_options_base_truncated_aes_256_gcm
+ attr_encrypted :akismet_api_key, encryption_options_base_truncated_aes_256_gcm
+ attr_encrypted :elasticsearch_aws_secret_access_key, encryption_options_base_truncated_aes_256_gcm
+ attr_encrypted :recaptcha_private_key, encryption_options_base_truncated_aes_256_gcm
+ attr_encrypted :recaptcha_site_key, encryption_options_base_truncated_aes_256_gcm
+ attr_encrypted :slack_app_secret, encryption_options_base_truncated_aes_256_gcm
+ attr_encrypted :slack_app_verification_token, encryption_options_base_truncated_aes_256_gcm
 before_validation :ensure_uuid!
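Review bot: The new helper `encryption_options_base_truncated_aes_256_gcm` and the nine `attr_encrypted` declarations that use it carry no comment on what backs them, and because the diffstat is limited to app/ the migration that adds the `encrypted_*` and `encrypted_*_iv` columns for the six newly encrypted settings and backfills their existing plaintext values is not visible here — presumably it sits elsewhere in the same merge request, but with the model change alone those tokens would read back as nil until it runs. I would put a short comment above the helper, e.g. `# attr_encrypted options shared by every encrypted setting: AES-256-GCM, one IV per attribute (needs an encrypted_<attr>_iv column next to encrypted_<attr>), keyed from the truncated db_key_base.` Worth a word in that comment too: `recaptcha_site_key` is the public key embedded in pages, so encrypting it adds no secrecy — harmless, but it should not be mistaken for a secret later. The enclosing `class ApplicationSetting` starts and ends outside the hunk.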