diff options
| -rw-r--r-- | changelogs/unreleased/sh-filter-csrf-params.yml | 5 | ||||
| -rw-r--r-- | config/application.rb | 15 |
2 files changed, 9 insertions, 11 deletions
diff --git a/changelogs/unreleased/sh-filter-csrf-params.yml b/changelogs/unreleased/sh-filter-csrf-params.yml new file mode 100644 index 00000000000..70eb3321e77 --- /dev/null +++ b/changelogs/unreleased/sh-filter-csrf-params.yml @@ -0,0 +1,5 @@ +--- +title: Filter additional secrets from Rails logs +merge_request: +author: +type: security diff --git a/config/application.rb b/config/application.rb index f69dab4de39..32a290f2002 100644 --- a/config/application.rb +++ b/config/application.rb @@ -51,31 +51,24 @@ module Gitlab # Configure sensitive parameters which will be filtered from the log file. # # Parameters filtered: - # - Password (:password, :password_confirmation) - # - Private tokens + # - Any parameter ending with `_token` + # - Any parameter containing `password` + # - Any parameter containing `secret` # - Two-factor tokens (:otp_attempt) # - Repo/Project Import URLs (:import_url) # - Build variables (:variables) # - GitLab Pages SSL cert/key info (:certificate, :encrypted_key) # - Webhook URLs (:hook) - # - GitLab-shell secret token (:secret_token) # - Sentry DSN (:sentry_dsn) # - Deploy keys (:key) + config.filter_parameters += [/_token$/, /password/, /secret/] config.filter_parameters += %i( - authentication_token certificate encrypted_key hook import_url - incoming_email_token - rss_token key otp_attempt - password - password_confirmation - private_token - runners_token - secret_token sentry_dsn variables ) |