Merge branch 'query-params-allowlist' into 'master'

Add allow list approach to mask query params See merge request gitlab-org/gitlab!73946

Merge branch 'query-params-allowlist' into 'master'
Add allow list approach to mask query params See merge request gitlab-org/gitlab!73946
9b4b1542 · Markus Koller · 75dc51f0 · a1a47383 · 9b4b1542 · 9b4b1542
Commit 9b4b1542 authored Nov 15, 2021 by Markus Koller
Showing with 27 additions and 9 deletions

app/helpers/routing/pseudonymization_helper.rb app/helpers/routing/pseudonymization_helper.rb +4 -7

spec/helpers/routing/pseudonymization_helper_spec.rb spec/helpers/routing/pseudonymization_helper_spec.rb +23 -2

No files found.
--- a/app/helpers/routing/pseudonymization_helper.rb
+++ b/app/helpers/routing/pseudonymization_helper.rb
@@ -3,10 +3,7 @@
 module Routing
  module PseudonymizationHelper
    class MaskHelper
-      QUERY_PARAMS_TO_MASK = %w[
+      QUERY_PARAMS_TO_NOT_MASK = %w[].freeze
-        assignee_username
-        author_username
-      ].freeze
      def initialize(request_object, group, project)
        @request = request_object
@@ -58,10 +55,10 @@ module Routing
        query_string_hash = Rack::Utils.parse_nested_query(@request.query_string)
-        QUERY_PARAMS_TO_MASK.each do |maskable_attribute|
+        query_string_hash.keys.each do |key|
-          next unless query_string_hash.has_key?(maskable_attribute)
+          next if QUERY_PARAMS_TO_NOT_MASK.include?(key)
-          query_string_hash[maskable_attribute] = "masked_#{maskable_attribute}"
+          query_string_hash[key] = "masked_#{key}"
        end
        query_string_hash

--- a/spec/helpers/routing/pseudonymization_helper_spec.rb
+++ b/spec/helpers/routing/pseudonymization_helper_spec.rb
@@ -160,7 +160,7 @@ RSpec.describe ::Routing::PseudonymizationHelper do
    end
    context 'when author_username is present' do
-      let(:masked_url) { "http://localhost/dashboard/issues?author_username=masked_author_username&scope=all&state=opened" }
+      let(:masked_url) { "http://localhost/dashboard/issues?author_username=masked_author_username&scope=masked_scope&state=masked_state" }
      let(:request) do
        double(:Request,
               path_parameters: {
@@ -179,8 +179,29 @@ RSpec.describe ::Routing::PseudonymizationHelper do
      it_behaves_like 'masked url'
    end
+    context 'when some query params are not required to be masked' do
+      let(:masked_url) { "http://localhost/dashboard/issues?author_username=masked_author_username&scope=all&state=masked_state" }
+      let(:request) do
+        double(:Request,
+               path_parameters: {
+                controller: 'dashboard',
+                action: 'issues'
+               },
+               protocol: 'http',
+               host: 'localhost',
+               query_string: 'author_username=root&scope=all&state=opened')
+      end
+      before do
+        stub_const('Routing::PseudonymizationHelper::MaskHelper::QUERY_PARAMS_TO_NOT_MASK', %w[scope].freeze)
+        allow(helper).to receive(:request).and_return(request)
+      end
+      it_behaves_like 'masked url'
+    end
    context 'when query string has keys with the same names as path params' do
-      let(:masked_url) { "http://localhost/dashboard/issues?action=foobar&scope=all&state=opened" }
+      let(:masked_url) { "http://localhost/dashboard/issues?action=masked_action&scope=masked_scope&state=masked_state" }
      let(:request) do
        double(:Request,
               path_parameters: {