Filter additional secrets from Rails logs

Upon inspection of logs, there were a number of fields not filtered. For example:

* authenticity_token: CSRF token
* rss_token: Used for RSS feeds
* secret: Used with Projects::UploadController

Rails provides a way to match regexps, so we now filter:

* Any parameter ending with `_token`
* Any parameter containing `password`
* Any parameter containing `secret`
This commit is contained in:
Stan Hu 2017-08-30 21:14:29 -07:00
parent 172cb70d4c
commit d74fecac03
2 changed files with 9 additions and 11 deletions

View file

@ -0,0 +1,5 @@
---
title: Filter additional secrets from Rails logs
merge_request:
author:
type: security

View file

@ -51,31 +51,24 @@ module Gitlab
# Configure sensitive parameters which will be filtered from the log file.
#
# Parameters filtered:
# - Password (:password, :password_confirmation)
# - Private tokens
# - Any parameter ending with `_token`
# - Any parameter containing `password`
# - Any parameter containing `secret`
# - Two-factor tokens (:otp_attempt)
# - Repo/Project Import URLs (:import_url)
# - Build variables (:variables)
# - GitLab Pages SSL cert/key info (:certificate, :encrypted_key)
# - Webhook URLs (:hook)
# - GitLab-shell secret token (:secret_token)
# - Sentry DSN (:sentry_dsn)
# - Deploy keys (:key)
config.filter_parameters += [/_token$/, /password/, /secret/]
config.filter_parameters += %i(
authentication_token
certificate
encrypted_key
hook
import_url
incoming_email_token
rss_token
key
otp_attempt
password
password_confirmation
private_token
runners_token
secret_token
sentry_dsn
variables
)