Sanitize LDAP output in Rake tasks

The various LDAP check Rake tasks have long supported a SANITIZE
environment variable. When present, identifiable information is
obscured such as user names and project/group names. Until now,
the LDAP check did not honor this. Now it will only say how many
users were found. This should at least give the indication that
the LDAP configuration found something, but will not leak what
it is. Resolves #56131
This commit is contained in:
Drew Blessing 2019-05-17 15:26:15 -05:00
parent c10bde1ff0
commit 05d5504d07
3 changed files with 21 additions and 2 deletions

View file

@ -0,0 +1,5 @@
---
title: Sanitize LDAP output in Rake tasks
merge_request: 28427
author:
type: fixed

View file

@ -33,8 +33,13 @@ module SystemCheck
$stdout.puts "LDAP users with access to your GitLab server (only showing the first #{limit} results)"
users = adapter.users(adapter.config.uid, '*', limit)
users.each do |user|
$stdout.puts "\tDN: #{user.dn}\t #{adapter.config.uid}: #{user.uid}"
if should_sanitize?
$stdout.puts "\tUser output sanitized. Found #{users.length} users of #{limit} limit."
else
users.each do |user|
$stdout.puts "\tDN: #{user.dn}\t #{adapter.config.uid}: #{user.uid}"
end
end
end
rescue Net::LDAP::ConnectionRefusedError, Errno::ECONNREFUSED => e

View file

@ -96,6 +96,15 @@ describe 'check.rake' do
subject
end
it 'sanitizes output' do
user = double(dn: 'uid=fake_user1', uid: 'fake_user1')
allow(adapter).to receive(:users).and_return([user])
stub_env('SANITIZE', 'true')
expect { subject }.to output(/User output sanitized/).to_stdout
expect { subject }.not_to output('fake_user1').to_stdout
end
end
end
end