
gitlab.com/gitlab-org/gitlab-foss.git - Unnamed repository; edit this file 'description' to name the repository.
authorGitLab Bot <gitlab-bot@gitlab.com>2021-05-31 14:42:18 +0300
committerGitLab Bot <gitlab-bot@gitlab.com>2021-05-31 14:42:44 +0300
commit15c040a6bd71894260b66a90685070c0babfee76 (patch)
tree27021108f64428697744973cddaede55930f4ef7 /spec/initializers
parent6e4e4023b46c786a99e1cfe8832fa5eff2728e0d (diff)
Add latest changes from gitlab-org/security/gitlab@13-12-stable-ee
Diffstat (limited to 'spec/initializers')
-rw-r--r--spec/initializers/lograge_spec.rb21
1 files changed, 21 insertions, 0 deletions
diff --git a/spec/initializers/lograge_spec.rb b/spec/initializers/lograge_spec.rb
index abb1673bb88..421f6373eff 100644
--- a/spec/initializers/lograge_spec.rb
+++ b/spec/initializers/lograge_spec.rb
@@ -173,6 +173,27 @@ RSpec.describe 'lograge', type: :request do
end
end
+ describe 'with access token in url' do
+ before do
+ event.payload[:location] = 'http://example.com/auth.html#access_token=secret_token&token_type=Bearer'
+ end
+
+ it 'strips location from sensitive information' do
+ subscriber.redirect_to(event)
+ subscriber.process_action(event)
+
+ expect(log_data['location']).not_to include('secret_token')
+ expect(log_data['location']).to include('filtered')
+ end
+
+ it 'leaves non-sensitive information from location' do
+ subscriber.redirect_to(event)
+ subscriber.process_action(event)
+
+ expect(log_data['location']).to include('&token_type=Bearer')
+ end
+ end
+
context 'with db payload' do
context 'when RequestStore is enabled', :request_store do
it 'includes db counters' do
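Review bot: The fixture assigned to `event.payload[:location]` carries the token only in the URL fragment (`#access_token=secret_token`), so both examples would still pass if a token in the query string were logged unfiltered; whether the filter handles that form is not visible in this hunk. A sibling example using `'http://example.com/auth.html?access_token=secret_token&token_type=Bearer'` with the same `not_to include('secret_token')` expectation would pin it. The `to include('filtered')` assertion is also loose, since it matches any occurrence of that word; asserting the exact redacted value the initializer emits would catch a partial redaction. As a smaller style point, both examples repeat `subscriber.redirect_to(event)` and `subscriber.process_action(event)`, which could move into the `before` block, and the neighbouring groups use `context` rather than `describe`. The enclosing `RSpec.describe 'lograge'` block starts and ends outside the hunk.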