Merge branch 'security-event-counters-private-data' into 'master'

[master] Don't expose project names in various counters See merge request gitlab/gitlabhq!2418
2018-07-24 20:25:25 +00:00 · 2018-07-24 20:25:25 +00:00 · 236ed1f2f3
commit 236ed1f2f3
parent f5b45519db 9e29408ee6
19 changed files with 20 additions and 38 deletions
--- a/app/models/remote_mirror.rb
+++ b/app/models/remote_mirror.rb
@ -48,13 +48,13 @@ class RemoteMirror < ActiveRecord::Base
    state :failed

    after_transition any => :started do |remote_mirror, _|
-      Gitlab::Metrics.add_event(:remote_mirrors_running, path: remote_mirror.project.full_path)
+      Gitlab::Metrics.add_event(:remote_mirrors_running)

      remote_mirror.update(last_update_started_at: Time.now)
    end

    after_transition started: :finished do |remote_mirror, _|
-      Gitlab::Metrics.add_event(:remote_mirrors_finished, path: remote_mirror.project.full_path)
+      Gitlab::Metrics.add_event(:remote_mirrors_finished)

      timestamp = Time.now
      remote_mirror.update!(
@ -63,7 +63,7 @@ class RemoteMirror < ActiveRecord::Base
    end

    after_transition started: :failed do |remote_mirror, _|
-      Gitlab::Metrics.add_event(:remote_mirrors_failed, path: remote_mirror.project.full_path)
+      Gitlab::Metrics.add_event(:remote_mirrors_failed)

      remote_mirror.update(last_update_at: Time.now)
    end
--- a/app/models/repository.rb
+++ b/app/models/repository.rb
@ -1029,7 +1029,7 @@ class Repository
  end

  def repository_event(event, tags = {})
-    Gitlab::Metrics.add_event(event, { path: full_path }.merge(tags))
+    Gitlab::Metrics.add_event(event, tags)
  end

  def initialize_raw_repository
--- a/app/workers/concerns/gitlab/github_import/object_importer.rb
+++ b/app/workers/concerns/gitlab/github_import/object_importer.rb
@ -22,7 +22,7 @@ module Gitlab

        importer_class.new(object, project, client).execute

-        counter.increment(project: project.full_path)
+        counter.increment
      end

      def counter
--- a/app/workers/repository_fork_worker.rb
+++ b/app/workers/repository_fork_worker.rb
@ -23,9 +23,7 @@ class RepositoryForkWorker
  def fork_repository(target_project, source_repository_storage_name, source_disk_path)
    return unless start_fork(target_project)

-    Gitlab::Metrics.add_event(:fork_repository,
-                              source_path: source_disk_path,
-                              target_path: target_project.disk_path)
+    Gitlab::Metrics.add_event(:fork_repository)

    result = gitlab_shell.fork_repository(source_repository_storage_name, source_disk_path,
                                          target_project.repository_storage, target_project.disk_path)
--- a/app/workers/repository_import_worker.rb
+++ b/app/workers/repository_import_worker.rb
@ -11,9 +11,7 @@ class RepositoryImportWorker

    return unless start_import(project)

-    Gitlab::Metrics.add_event(:import_repository,
-                              import_url: project.import_url,
-                              path: project.full_path)
+    Gitlab::Metrics.add_event(:import_repository)

    service = Projects::ImportService.new(project, project.creator)
    result = service.execute
--- a/changelogs/unreleased/event-counters-private-data.yml
+++ b/changelogs/unreleased/event-counters-private-data.yml
@ -0,0 +1,5 @@
+---
+title: Don't expose project names in various counters
+merge_request:
+author:
+type: security
--- a/changelogs/unreleased/pr-importer-project-name.yml
+++ b/changelogs/unreleased/pr-importer-project-name.yml
@ -0,0 +1,5 @@
+---
+title: Don't expose project names in GitHub counters
+merge_request:
+author:
+type: security
--- a/lib/api/runner.rb
+++ b/lib/api/runner.rb
@ -108,8 +108,7 @@ module API

        if result.valid?
          if result.build
-            Gitlab::Metrics.add_event(:build_found,
-                                      project: result.build.project.full_path)
+            Gitlab::Metrics.add_event(:build_found)
            present result.build, with: Entities::JobRequest::Response
          else
            Gitlab::Metrics.add_event(:build_not_found)
@ -140,8 +139,7 @@ module API

        job.trace.set(params[:trace]) if params[:trace]

-        Gitlab::Metrics.add_event(:update_build,
-                                  project: job.project.full_path)
+        Gitlab::Metrics.add_event(:update_build)

        case params[:state].to_s
        when 'running'
--- a/lib/gitlab/email/handler/create_issue_handler.rb
+++ b/lib/gitlab/email/handler/create_issue_handler.rb
@ -36,10 +36,6 @@ module Gitlab
          @project ||= Project.find_by_full_path(project_path)
        end

-        def metrics_params
-          super.merge(project: project&.full_path)
-        end
-
        private

        def create_issue
--- a/lib/gitlab/email/handler/create_merge_request_handler.rb
+++ b/lib/gitlab/email/handler/create_merge_request_handler.rb
@ -40,10 +40,6 @@ module Gitlab
          @project ||= Project.find_by_full_path(project_path)
        end

-        def metrics_params
-          super.merge(project: project&.full_path)
-        end
-
        private

        def create_merge_request
--- a/lib/gitlab/email/handler/create_note_handler.rb
+++ b/lib/gitlab/email/handler/create_note_handler.rb
@ -28,10 +28,6 @@ module Gitlab
            record_name: 'comment')
        end

-        def metrics_params
-          super.merge(project: project&.full_path)
-        end
-
        private

        def author
--- a/lib/gitlab/email/handler/unsubscribe_handler.rb
+++ b/lib/gitlab/email/handler/unsubscribe_handler.rb
@ -20,10 +20,6 @@ module Gitlab
          noteable.unsubscribe(sent_notification.recipient)
        end

-        def metrics_params
-          super.merge(project: project&.full_path)
-        end
-
        private

        def sent_notification
--- a/lib/gitlab/github_import/importer/pull_requests_importer.rb
+++ b/lib/gitlab/github_import/importer/pull_requests_importer.rb
@ -43,7 +43,7 @@ module Gitlab
          Rails.logger
            .info("GitHub importer finished updating repository for #{pname}")

-          repository_updates_counter.increment(project: pname)
+          repository_updates_counter.increment
        end

        def update_repository?(pr)
--- a/spec/lib/gitlab/github_import/importer/pull_requests_importer_spec.rb
+++ b/spec/lib/gitlab/github_import/importer/pull_requests_importer_spec.rb
@ -158,7 +158,6 @@ describe Gitlab::GithubImport::Importer::PullRequestsImporter do

      expect(importer.repository_updates_counter)
        .to receive(:increment)
-        .with(project: project.path_with_namespace)
        .and_call_original

      Timecop.freeze do
--- a/spec/workers/concerns/gitlab/github_import/object_importer_spec.rb
+++ b/spec/workers/concerns/gitlab/github_import/object_importer_spec.rb
@ -51,7 +51,6 @@ describe Gitlab::GithubImport::ObjectImporter do

      expect(worker.counter)
        .to receive(:increment)
-        .with(project: 'foo/bar')
        .and_call_original

      worker.import(project, client, { 'number' => 10 })
--- a/spec/workers/gitlab/github_import/import_diff_note_worker_spec.rb
+++ b/spec/workers/gitlab/github_import/import_diff_note_worker_spec.rb
@ -33,7 +33,6 @@ describe Gitlab::GithubImport::ImportDiffNoteWorker do

      expect(worker.counter)
        .to receive(:increment)
-        .with(project: 'foo/bar')
        .and_call_original

      worker.import(project, client, hash)
--- a/spec/workers/gitlab/github_import/import_issue_worker_spec.rb
+++ b/spec/workers/gitlab/github_import/import_issue_worker_spec.rb
@ -36,7 +36,6 @@ describe Gitlab::GithubImport::ImportIssueWorker do

      expect(worker.counter)
        .to receive(:increment)
-        .with(project: 'foo/bar')
        .and_call_original

      worker.import(project, client, hash)
--- a/spec/workers/gitlab/github_import/import_note_worker_spec.rb
+++ b/spec/workers/gitlab/github_import/import_note_worker_spec.rb
@ -31,7 +31,6 @@ describe Gitlab::GithubImport::ImportNoteWorker do

      expect(worker.counter)
        .to receive(:increment)
-        .with(project: 'foo/bar')
        .and_call_original

      worker.import(project, client, hash)
--- a/spec/workers/gitlab/github_import/import_pull_request_worker_spec.rb
+++ b/spec/workers/gitlab/github_import/import_pull_request_worker_spec.rb
@ -42,7 +42,6 @@ describe Gitlab::GithubImport::ImportPullRequestWorker do

      expect(worker.counter)
        .to receive(:increment)
-        .with(project: 'foo/bar')
        .and_call_original

      worker.import(project, client, hash)