Commit 9b4b1542 authored by Markus Koller's avatar Markus Koller

Merge branch 'query-params-allowlist' into 'master'

Add allow list approach to mask query params

See merge request gitlab-org/gitlab!73946
parents 75dc51f0 a1a47383
......@@ -3,10 +3,7 @@
module Routing
module PseudonymizationHelper
class MaskHelper
QUERY_PARAMS_TO_MASK = %w[
assignee_username
author_username
].freeze
QUERY_PARAMS_TO_NOT_MASK = %w[].freeze
def initialize(request_object, group, project)
@request = request_object
......@@ -58,10 +55,10 @@ module Routing
query_string_hash = Rack::Utils.parse_nested_query(@request.query_string)
QUERY_PARAMS_TO_MASK.each do |maskable_attribute|
next unless query_string_hash.has_key?(maskable_attribute)
query_string_hash.keys.each do |key|
next if QUERY_PARAMS_TO_NOT_MASK.include?(key)
query_string_hash[maskable_attribute] = "masked_#{maskable_attribute}"
query_string_hash[key] = "masked_#{key}"
end
query_string_hash
......
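Review bot: The new loop at `query_string_hash.keys.each` masks every value but still interpolates the key name verbatim into `"masked_#{key}"`, and that key comes straight from the request query string, so any user-supplied key name reaches the pseudonymized URL unmasked; whether that is acceptable should be stated next to the constant. A comment above `QUERY_PARAMS_TO_NOT_MASK` would fix the contract: `# Allowlist of query-string keys whose values are kept as-is; every other value becomes masked_<key>. Add a key only if its value can never identify a user.` Since `Rack::Utils.parse_nested_query` yields nested Hash/Array values for keys such as `a[b]` or `ids[]`, the assignment replaces the whole subtree with one string, which appears intentional but is not covered by a spec. The enclosing method starts before the hunk.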
......@@ -160,7 +160,7 @@ RSpec.describe ::Routing::PseudonymizationHelper do
end
context 'when author_username is present' do
let(:masked_url) { "http://localhost/dashboard/issues?author_username=masked_author_username&scope=all&state=opened" }
let(:masked_url) { "http://localhost/dashboard/issues?author_username=masked_author_username&scope=masked_scope&state=masked_state" }
let(:request) do
double(:Request,
path_parameters: {
......@@ -179,8 +179,29 @@ RSpec.describe ::Routing::PseudonymizationHelper do
it_behaves_like 'masked url'
end
context 'when some query params are not required to be masked' do
let(:masked_url) { "http://localhost/dashboard/issues?author_username=masked_author_username&scope=all&state=masked_state" }
let(:request) do
double(:Request,
path_parameters: {
controller: 'dashboard',
action: 'issues'
},
protocol: 'http',
host: 'localhost',
query_string: 'author_username=root&scope=all&state=opened')
end
before do
stub_const('Routing::PseudonymizationHelper::MaskHelper::QUERY_PARAMS_TO_NOT_MASK', %w[scope].freeze)
allow(helper).to receive(:request).and_return(request)
end
it_behaves_like 'masked url'
end
context 'when query string has keys with the same names as path params' do
let(:masked_url) { "http://localhost/dashboard/issues?action=foobar&scope=all&state=opened" }
let(:masked_url) { "http://localhost/dashboard/issues?action=masked_action&scope=masked_scope&state=masked_state" }
let(:request) do
double(:Request,
path_parameters: {
......
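Review bot: The new context `'when some query params are not required to be masked'` exercises the allowlist only against a flat query string; no context covers nested or repeated keys (`foo[bar]=1`, `ids[]=1&ids[]=2`), which `Rack::Utils.parse_nested_query` turns into Hash or Array values that the helper now overwrites with a single string. One extra example in `query_string:` with its expected `masked_url` would pin that behaviour. Stubbing `QUERY_PARAMS_TO_NOT_MASK` to `%w[scope]` via `stub_const` keeps the production default (empty allowlist, everything masked) exercised by the other contexts, which is the right split.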