Commit e2cc500e authored Feb 14, 2019 by Andrew Newdigate
Filter note parameters
This change adds `note` to the Rails `filter_parameters` configuration.
parent e927833b
Showing 3 changed files with 40 additions and 1 deletion
changelogs/unreleased/filter-note-parameters.yml (+5, -0)
config/application.rb (+1, -1)
spec/config/application_spec.rb (+34, -0)
changelogs/unreleased/filter-note-parameters.yml (0 → 100644)
---
title
:
Include note in the Rails filter_parameters configuration
merge_request
:
25238
author
:
type
:
other
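Review bot: The changelog title and the commit message describe only `note`, but the `config/application.rb` change in this same commit also adds `/^text$/` to `filter_parameters`; either widen the title (e.g. "Include note and text in the Rails filter_parameters configuration") or split the `text` filter into its own change so the entry documents everything that ships.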
config/application.rb
@@ -97,7 +97,7 @@ module Gitlab
#
# NOTE: It is **IMPORTANT** to also update gitlab-workhorse's filter when adding parameters here to not
# introduce another security vulnerability: https://gitlab.com/gitlab-org/gitlab-workhorse/issues/182
config
.
filter_parameters
+=
[
/token$/
,
/password/
,
/secret/
,
/key$/
]
config
.
filter_parameters
+=
[
/token$/
,
/password/
,
/secret/
,
/key$/
,
/^note$/
,
/^text$/
]
config
.
filter_parameters
+=
%i(
certificate
encrypted_key
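Review bot: The NOTE in the unchanged context above says gitlab-workhorse's filter must be updated whenever parameters are added here, yet this commit only touches the Rails side; the merge request should reference the matching workhorse change (the context links gitlab-workhorse issue 182) or state why `note` and `text` never reach workhorse logs. Minor consistency point on the new entries: `/^note$/` and `/^text$/` use Ruby's line anchors, while `\A` and `\z` anchor to the whole string; a looser match here only redacts more, so it is a nit, and it matches the shape of the existing `/token$/` and `/key$/` entries.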
spec/config/application_spec.rb (0 → 100644)
# frozen_string_literal: true
require
'spec_helper'
describe
Gitlab
::
Application
do
# rubocop:disable RSpec/FilePath
using
RSpec
::
Parameterized
::
TableSyntax
FILTERED_PARAM
=
ActionDispatch
::
Http
::
ParameterFilter
::
FILTERED
context
'when parameters are logged'
do
describe
'rails does not leak confidential parameters'
do
def
request_for_url
(
input_url
)
env
=
Rack
::
MockRequest
.
env_for
(
input_url
)
env
[
'action_dispatch.parameter_filter'
]
=
described_class
.
config
.
filter_parameters
ActionDispatch
::
Request
.
new
(
env
)
end
where
(
:input_url
,
:output_query
)
do
'/'
|
{}
'/?safe=1'
|
{
'safe'
=>
'1'
}
'/?private_token=secret'
|
{
'private_token'
=>
FILTERED_PARAM
}
'/?mixed=1&private_token=secret'
|
{
'mixed'
=>
'1'
,
'private_token'
=>
FILTERED_PARAM
}
'/?note=secret¬eable=1&prefix_note=2'
|
{
'note'
=>
FILTERED_PARAM
,
'noteable'
=>
'1'
,
'prefix_note'
=>
'2'
}
'/?note[note]=secret&target_type=1'
|
{
'note'
=>
FILTERED_PARAM
,
'target_type'
=>
'1'
}
'/?safe[note]=secret&target_type=1'
|
{
'safe'
=>
{
'note'
=>
FILTERED_PARAM
},
'target_type'
=>
'1'
}
end
with_them
do
it
{
expect
(
request_for_url
(
input_url
).
filtered_parameters
).
to
eq
(
output_query
)
}
end
end
end
end
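Review bot: The config change adds `/^text$/` alongside `/^note$/`, but the `where` table only exercises `note` and `private_token`; add a row such as `'/?text=secret&target_type=1' | { 'text' => FILTERED_PARAM, 'target_type' => '1' }` so the `text` filter is covered as well. Two smaller points: `FILTERED_PARAM = ActionDispatch::Http::ParameterFilter::FILTERED` inside the `describe` block defines a top-level constant that leaks across the suite (RuboCop's RSpec/LeakyConstantDeclaration flags this), and referencing `ActionDispatch::Http::ParameterFilter::FILTERED` directly in the rows avoids it; and the row rendered as `'/?note=secret¬eable=1&prefix_note=2'` must read `&noteable=1` in the source file, since the expected hash contains `'noteable' => '1'` and the `¬` is the HTML entity `&not` decoded by the page renderer, so copy that query string from the file rather than from this rendering.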