From e2cc500e4e6b27bd158a84cf7d38768fd28fa642 Mon Sep 17 00:00:00 2001
From: Andrew Newdigate <andrew@gitlab.com>
Date: Thu, 14 Feb 2019 09:25:25 +0200
Subject: [PATCH] Filter note parameters

This change adds `note` to the Rails `filter_parameters` configuration.
---
 .../unreleased/filter-note-parameters.yml     |  5 +++
 config/application.rb                         |  2 +-
 spec/config/application_spec.rb               | 34 +++++++++++++++++++
 3 files changed, 40 insertions(+), 1 deletion(-)
 create mode 100644 changelogs/unreleased/filter-note-parameters.yml
 create mode 100644 spec/config/application_spec.rb

diff --git a/changelogs/unreleased/filter-note-parameters.yml b/changelogs/unreleased/filter-note-parameters.yml
new file mode 100644
index 00000000000..fca2a394820
--- /dev/null
+++ b/changelogs/unreleased/filter-note-parameters.yml
@@ -0,0 +1,5 @@
+---
+title: Include note in the Rails filter_parameters configuration
+merge_request: 25238
+author:
+type: other
diff --git a/config/application.rb b/config/application.rb
index 92a3d031c63..49e7f5836e4 100644
--- a/config/application.rb
+++ b/config/application.rb
@@ -97,7 +97,7 @@ module Gitlab
     #
     # NOTE: It is **IMPORTANT** to also update gitlab-workhorse's filter when adding parameters here to not
     #       introduce another security vulnerability: https://gitlab.com/gitlab-org/gitlab-workhorse/issues/182
-    config.filter_parameters += [/token$/, /password/, /secret/, /key$/]
+    config.filter_parameters += [/token$/, /password/, /secret/, /key$/, /^note$/, /^text$/]
     config.filter_parameters += %i(
       certificate
       encrypted_key
diff --git a/spec/config/application_spec.rb b/spec/config/application_spec.rb
new file mode 100644
index 00000000000..01ed81964c3
--- /dev/null
+++ b/spec/config/application_spec.rb
@@ -0,0 +1,34 @@
+# frozen_string_literal: true
+
+require 'spec_helper'
+
+describe Gitlab::Application do # rubocop:disable RSpec/FilePath
+  using RSpec::Parameterized::TableSyntax
+
+  FILTERED_PARAM = ActionDispatch::Http::ParameterFilter::FILTERED
+
+  context 'when parameters are logged' do
+    describe 'rails does not leak confidential parameters' do
+      def request_for_url(input_url)
+        env = Rack::MockRequest.env_for(input_url)
+        env['action_dispatch.parameter_filter'] = described_class.config.filter_parameters
+
+        ActionDispatch::Request.new(env)
+      end
+
+      where(:input_url, :output_query) do
+        '/'                                      | {}
+        '/?safe=1'                               | { 'safe' => '1' }
+        '/?private_token=secret'                 | { 'private_token' => FILTERED_PARAM }
+        '/?mixed=1&private_token=secret'         | { 'mixed' => '1', 'private_token' => FILTERED_PARAM }
+        '/?note=secret&noteable=1&prefix_note=2' | { 'note' => FILTERED_PARAM, 'noteable' => '1', 'prefix_note' => '2' }
+        '/?note[note]=secret&target_type=1'      | { 'note' => FILTERED_PARAM, 'target_type' => '1' }
+        '/?safe[note]=secret&target_type=1'      | { 'safe' => { 'note' => FILTERED_PARAM }, 'target_type' => '1' }
+      end
+
+      with_them do
+        it { expect(request_for_url(input_url).filtered_parameters).to eq(output_query) }
+      end
+    end
+  end
+end