Add latest changes from gitlab-org/security/gitlab@13-8-stable-ee

changelogs/unreleased/security-filter-graphql-logs.yml

+---
+title: Filter sensitive GraphQL variables from logs
+merge_request:
+author:
+type: security

lib/gitlab/graphql/query_analyzers/logger_analyzer.rb

@@ -49,13 +49,21 @@ module Gitlab
         private
 
         def process_variables(variables)
-          if variables.respond_to?(:to_s)
-            variables.to_s
+          filtered_variables = filter_sensitive_variables(variables)
+
+          if filtered_variables.respond_to?(:to_s)
+            filtered_variables.to_s
           else
-            variables
+            filtered_variables
           end
         end
 
+        def filter_sensitive_variables(variables)
+          ActiveSupport::ParameterFilter
+            .new(::Rails.application.config.filter_parameters)
+            .filter(variables)
+        end
+
         def duration(time_started)
           Gitlab::Metrics::System.monotonic_time - time_started
         end

spec/lib/gitlab/graphql/query_analyzers/logger_analyzer_spec.rb

@@ -40,4 +40,22 @@ RSpec.describe Gitlab::Graphql::QueryAnalyzers::LoggerAnalyzer do
       end
     end
   end
+
+  describe '#initial_value' do
+    it 'filters out sensitive variables' do
+      doc = GraphQL.parse <<-GRAPHQL
+        mutation createNote($body: String!) {
+          createNote(input: {noteableId: "1", body: $body}) {
+            note {
+              id
+            }
+          }
+        }
+      GRAPHQL
+
+      query = GraphQL::Query.new(GitlabSchema, document: doc, context: {}, variables: { body: "some note" })
+
+      expect(subject.initial_value(query)[:variables]).to eq('{:body=>"[FILTERED]"}')
+    end
+  end
 end