Merge branch 'sh-filter-csrf-params' into 'master'

Filter additional parameters that have shown up in our logs See merge request !13945

Merge branch 'sh-filter-csrf-params' into 'master'
019b18f3 · Robert Speicher · bda435f6 · d74fecac · 019b18f3 · 019b18f3
Commit 019b18f3 authored Aug 31, 2017 by Robert Speicher
Hide whitespace changes
Inline Side-by-side

Showing with 9 additions and 11 deletions

sh-filter-csrf-params.yml changelogs/unreleased/sh-filter-csrf-params.yml +5 -0

application.rb config/application.rb +4 -11

No files found.
--- a/changelogs/unreleased/sh-filter-csrf-params.yml
+++ b/changelogs/unreleased/sh-filter-csrf-params.yml
+---
+title: Filter additional secrets from Rails logs
+merge_request:
+author:
+type: security
--- a/config/application.rb
+++ b/config/application.rb
@@ -51,31 +51,24 @@ module Gitlab
    # Configure sensitive parameters which will be filtered from the log file.
    #
    # Parameters filtered:
-    # - Password (:password, :password_confirmation)
-    # - Private tokens
+    # - Any parameter ending with `_token`
+    # - Any parameter containing `password`
+    # - Any parameter containing `secret`
    # - Two-factor tokens (:otp_attempt)
    # - Repo/Project Import URLs (:import_url)
    # - Build variables (:variables)
    # - GitLab Pages SSL cert/key info (:certificate, :encrypted_key)
    # - Webhook URLs (:hook)
-    # - GitLab-shell secret token (:secret_token)
    # - Sentry DSN (:sentry_dsn)
    # - Deploy keys (:key)
+    config.filter_parameters += [/_token$/, /password/, /secret/]
    config.filter_parameters += %i(
-      authentication_token
      certificate
      encrypted_key
      hook
      import_url
-      incoming_email_token
-      rss_token
      key
      otp_attempt
-      password
-      password_confirmation
-      private_token
-      runners_token
-      secret_token
      sentry_dsn
      variables
    )