spec/config/application_spec.rb


1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34

# frozen_string_literal: true

require 'spec_helper'

RSpec.describe Gitlab::Application, feature_category: :scalability do # rubocop:disable RSpec/FilePath
  using RSpec::Parameterized::TableSyntax

  filtered_param = ActiveSupport::ParameterFilter::FILTERED

  context 'when parameters are logged' do
    describe 'rails does not leak confidential parameters' do
      def request_for_url(input_url)
        env = Rack::MockRequest.env_for(input_url)
        env['action_dispatch.parameter_filter'] = described_class.config.filter_parameters

        ActionDispatch::Request.new(env)
      end

      where(:input_url, :output_query) do
        '/'                                      | {}
        '/?safe=1'                               | { 'safe' => '1' }
        '/?private_token=secret'                 | { 'private_token' => filtered_param }
        '/?mixed=1&private_token=secret'         | { 'mixed' => '1', 'private_token' => filtered_param }
        '/?note=secret&noteable=1&prefix_note=2' | { 'note' => filtered_param, 'noteable' => '1', 'prefix_note' => '2' }
        '/?note[note]=secret&target_type=1'      | { 'note' => filtered_param, 'target_type' => '1' }
        '/?safe[note]=secret&target_type=1'      | { 'safe' => { 'note' => filtered_param }, 'target_type' => '1' }
      end

      with_them do
        it { expect(request_for_url(input_url).filtered_parameters).to eq(output_query) }
      end
    end
  end
end