Merge branch 'security-10-1-do-not-expose-passwords-or-tokens-in-service-integrations-api' into 'security-10-1'

Filter out sensitive fields from the project services API

See merge request gitlab/gitlabhq!2283

(cherry picked from commit cde3ae62e8f602b8db4fbdd382fba1a90780be7f)

c958086d Filter out sensitive fields from the project services API

1 files changed, 34 insertions, 0 deletions

diff --git a/spec/models/service_spec.rb b/spec/models/service_spec.rb
index 0f2f906c667..49031b6323e 100644
--- a/spec/models/service_spec.rb
+++ b/spec/models/service_spec.rb
@@ -254,4 +254,38 @@ describe Service do
       end
     end
   end
+
+  describe '#api_field_names' do
+    let(:fake_service) do
+      Class.new(Service) do
+        def fields
+          [
+            { name: 'token' },
+            { name: 'api_token' },
+            { name: 'key' },
+            { name: 'api_key' },
+            { name: 'password' },
+            { name: 'password_field' },
+            { name: 'safe_field' }
+          ]
+        end
+      end
+    end
+
+    let(:service) do
+      fake_service.new(properties: [
+        { token: 'token-value' },
+        { api_token: 'api_token-value' },
+        { key: 'key-value' },
+        { api_key: 'api_key-value' },
+        { password: 'password-value' },
+        { password_field: 'password_field-value' },
+        { safe_field: 'safe_field-value' }
+      ])
+    end
+
+    it 'filters out sensitive fields' do
+      expect(service.api_field_names).to eq(['safe_field'])
+    end
+  end
 end