Merge branch 'secure-request-uris' into 'master'

Filter out sensitive parameters of metrics data

See merge request !4748

CHANGELOG

@@ -130,6 +130,7 @@ v 8.8.5 (unreleased)
   - Set inverse_of for Project/Service association to reduce the number of queries
   - Update tanuki logo highlight/loading colors
   - Use Git cached counters for branches and tags on project page
+  - Filter parameters for request_uri value on instrumented transactions.
 
 v 8.8.5
   - Import GitHub repositories respecting the API rate limit !4166

lib/gitlab/metrics/rack_middleware.rb

@@ -35,7 +35,7 @@ module Gitlab
       def transaction_from_env(env)
         trans = Transaction.new
 
-        trans.set(:request_uri, env['REQUEST_URI'])
+        trans.set(:request_uri, filtered_path(env))
         trans.set(:request_method, env['REQUEST_METHOD'])
 
         trans
@@ -54,6 +54,10 @@ module Gitlab
 
       private
 
+      def filtered_path(env)
+        ActionDispatch::Request.new(env).filtered_path.presence || env['REQUEST_URI']
+      end
+
       def endpoint_paths_cache
         @endpoint_paths_cache ||= Hash.new do |hash, http_method|
           hash[http_method] = Hash.new do |inner_hash, raw_path|

spec/lib/gitlab/metrics/rack_middleware_spec.rb

@@ -58,6 +58,22 @@ describe Gitlab::Metrics::RackMiddleware do
       expect(transaction.values[:request_method]).to eq('GET')
       expect(transaction.values[:request_uri]).to eq('/foo')
     end
+
+    context "when URI includes sensitive parameters" do
+      let(:env) do
+        {
+          'REQUEST_METHOD' => 'GET',
+          'REQUEST_URI'    => '/foo?private_token=my-token',
+          'PATH_INFO' => '/foo',
+          'QUERY_STRING' => 'private_token=my_token',
+          'action_dispatch.parameter_filter' => [:private_token]
+        }
+      end
+
+      it 'stores the request URI with the sensitive parameters filtered' do
+        expect(transaction.values[:request_uri]).to eq('/foo?private_token=[FILTERED]')
+      end
+    end
   end
 
   describe '#tag_controller' do