Skip to content

G
gitlab-ce
Commit 5c072495 authored by Ryan Cobb's avatar Ryan Cobb
Browse files
Options

Mask Sentry auth token 

This makes it so we mask Sentry's auth token. This mask only occurs in
the UI.
parent 1425a56c
Hide whitespace changes
Inline Side-by-side
Showing with 51 additions and 4 deletions
app/services/error_tracking/list_projects_service.rb
View file @ 5c072495
......@@ -32,7 +32,7 @@ module ErrorTracking
project_slug: 'proj'
)
setting.token = params[:token]
setting.token = token(setting)
setting.enabled = true
end
end
......@@ -40,5 +40,12 @@ module ErrorTracking
def can_read?
can?(current_user, :read_sentry_issue, project)
end
def token(setting)
# Use param token if not masked, otherwise use database token
return params[:token] unless /\A\*+\z/.match?(params[:token])
setting.token
end
end
end
app/services/projects/operations/update_service.rb
View file @ 5c072495
......@@ -36,15 +36,17 @@ module Projects
organization_slug: settings.dig(:project, :organization_slug)
)
{
params = {
error_tracking_setting_attributes: {
api_url: api_url,
token: settings[:token],
enabled: settings[:enabled],
project_name: settings.dig(:project, :name),
organization_name: settings.dig(:project, :organization_name)
}
}
params[:error_tracking_setting_attributes][:token] = settings[:token] unless /\A\*+\z/.match?(settings[:token]) # Don't update token if we receive masked value
params
end
def grafana_integration_params
......
app/views/projects/settings/operations/_error_tracking.html.haml
View file @ 5c072495
......@@ -17,4 +17,4 @@
project: error_tracking_setting_project_json,
api_host: setting.api_host,
enabled: setting.enabled.to_json,
token: setting.token } }
token: setting.token.present? ? '*' * 12 : nil } }
changelogs/unreleased/security-mask-sentry-token-ce.yml 0 → 100644
View file @ 5c072495
---
title: Mask sentry auth token in Error Tracking dashboard
author:
type: security
spec/services/error_tracking/list_projects_service_spec.rb
View file @ 5c072495
......@@ -50,6 +50,19 @@ describe ErrorTracking::ListProjectsService do
end
end
context 'masked param token' do
let(:params) { ActionController::Parameters.new(token: "*********", api_host: new_api_host) }
before do
expect(error_tracking_setting).to receive(:list_sentry_projects)
.and_return({ projects: [] })
end
it 'uses database token' do
expect { subject.execute }.not_to change { error_tracking_setting.token }
end
end
context 'sentry client raises exception' do
context 'Sentry::Client::Error' do
before do
......
spec/services/projects/operations/update_service_spec.rb
View file @ 5c072495
......@@ -145,6 +145,27 @@ describe Projects::Operations::UpdateService do
end
end
context 'with masked param token' do
let(:params) do
{
error_tracking_setting_attributes: {
enabled: false,
token: '*' * 8
}
}
end
before do
create(:project_error_tracking_setting, project: project, token: 'token')
end
it 'does not update token' do
expect(result[:status]).to eq(:success)
expect(project.error_tracking_setting.token).to eq('token')
end
end
context 'with invalid parameters' do
let(:params) { {} }
......
Markdown is supported
0% or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment
GitLab Nexedi Edition | About GitLab | About Nexedi | 沪ICP备2021021310号-2 | 沪ICP备2021021310号-7