author: Stan Hu <stanhu@gmail.com> 2018-09-11 15:04:40 -0700
committer: Stan Hu <stanhu@gmail.com> 2018-09-11 15:16:29 -0700
commit: 5c79c68ee755fb907227e3a74f018fc209c82242
tree: 2add5cff62d068b7a98b19b8b4d431c89f0f1093
parent: e91dc8f4badfdb4742d1662f34edd85f43fb317f
Filter any parameters ending with "key" in logs
Rails does a partial match for strings in the filter_parameters configuration, so the parameter "key" causes "key_id" to be filtered even though it's a useful parameter for debugging internal API issues. We now revise this filter so that any parameter ending with "key" is filtered.

Relates to https://gitlab.com/gitlab-com/gl-infra/production/issues/463
-rw-r--r-- changelogs/unreleased/sh-allow-key-id-in-params.yml 5
-rw-r--r-- config/application.rb 5
2 files changed, 7 insertions, 3 deletions
diff --git a/changelogs/unreleased/sh-allow-key-id-in-params.yml b/changelogs/unreleased/sh-allow-key-id-in-params.yml
new file mode 100644
index 00000000000..2be1cfb0ed3
--- /dev/null
+++ b/changelogs/unreleased/sh-allow-key-id-in-params.yml
@@ -0,0 +1,5 @@
+---
+title: Filter any parameters ending with "key" in logs
+merge_request: 21688
+author:
+type: changed
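Review bot: The `title:` line describes only the new filtering rule, but what an operator will actually notice is the reverse: parameters that contain `key` without ending in it (such as `key_id`, named in the commit message) now appear in logs. Consider wording the title so that this loosening is visible to anyone reviewing log exposure from the changelog, for example by mentioning that `key_id` is no longer filtered.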
diff --git a/config/application.rb b/config/application.rb
index fae92f6f372..f3c53fa63f3 100644
--- a/config/application.rb
+++ b/config/application.rb
@@ -85,6 +85,7 @@ module Gitlab
# - Any parameter ending with `token`
# - Any parameter containing `password`
# - Any parameter containing `secret`
+ # - Any parameter ending with `key`
# - Two-factor tokens (:otp_attempt)
# - Repo/Project Import URLs (:import_url)
# - Build traces (:trace)
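Review bot: The added comment line `# - Any parameter ending with `key`` states the rule but not why the match is anchored at the end. A short remark that `key_id` is deliberately left unfiltered for debugging would stop a later edit from changing `/key$/` back to a plain `key` entry, or from loosening it further, without knowing the trade-off.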
@@ -92,15 +93,13 @@ module Gitlab
# - GitLab Pages SSL cert/key info (:certificate, :encrypted_key)
# - Webhook URLs (:hook)
# - Sentry DSN (:sentry_dsn)
- # - Deploy keys (:key)
# - File content from Web Editor (:content)
- config.filter_parameters += [/token$/, /password/, /secret/]
+ config.filter_parameters += [/token$/, /password/, /secret/, /key$/]
config.filter_parameters += %i(
certificate
encrypted_key
hook
import_url
- key
otp_attempt
sentry_dsn
trace
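Review bot: `/key$/` on the `config.filter_parameters +=` line is case-sensitive, while the removed `key` symbol entry was compiled by Rails into a case-insensitive partial match, so a parameter named `privateKey` or `API_KEY` was filtered before this change and is logged after it. Using `/key$/i` would keep the old case handling while still letting `key_id` through. With the new pattern in place, the `encrypted_key` entry in the `%i(...)` list is redundant and could be dropped. The commit touches only the changelog and `config/application.rb`; a spec asserting that `key` and `encrypted_key` are filtered and `key_id` is not would pin the intended behaviour.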