authorPaco Guzman <pacoguzmanp@gmail.com>2016-06-17 10:00:51 +0200
committerPaco Guzman <pacoguzmanp@gmail.com>2016-06-17 14:53:20 +0200
commit342f6f6e93dc28b67143a235d9416f2a9b99a034 (patch)
tree686cbb55bee4ef61b1d1667a02c4e4c05a30a306
parentfaee4763f7a166772bb40945f82da4b25a95e7d5 (diff)
Filter out sensitive parameters of metrics datasecure-request-uris
-rw-r--r--lib/gitlab/metrics/rack_middleware.rb6
-rw-r--r--spec/lib/gitlab/metrics/rack_middleware_spec.rb16
2 files changed, 21 insertions, 1 deletions
diff --git a/lib/gitlab/metrics/rack_middleware.rb b/lib/gitlab/metrics/rack_middleware.rb
index 3fe27779d03..e61670f491c 100644
--- a/lib/gitlab/metrics/rack_middleware.rb
+++ b/lib/gitlab/metrics/rack_middleware.rb
@@ -35,7 +35,7 @@ module Gitlab
def transaction_from_env(env)
trans = Transaction.new
- trans.set(:request_uri, env['REQUEST_URI'])
+ trans.set(:request_uri, filtered_path(env))
trans.set(:request_method, env['REQUEST_METHOD'])
trans
@@ -54,6 +54,10 @@ module Gitlab
private
+ def filtered_path(env)
+ ActionDispatch::Request.new(env).filtered_path.presence || env['REQUEST_URI']
+ end
+
def endpoint_paths_cache
@endpoint_paths_cache ||= Hash.new do |hash, http_method|
hash[http_method] = Hash.new do |inner_hash, raw_path|
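Review bot: The `|| env['REQUEST_URI']` fallback in `filtered_path` stores the raw, unfiltered URI whenever `filtered_path` comes back blank, so that branch bypasses the filtering this commit introduces. REQUEST_URI is a different env key from the PATH_INFO/QUERY_STRING pair the filter appears to work on, so if it carries a query string in that case a token would still reach the metrics data; dropping the query on the fallback is safer, e.g. `ActionDispatch::Request.new(env).filtered_path.presence || env['REQUEST_URI'].to_s.split('?', 2).first`. Filtering also presumably depends on `action_dispatch.parameter_filter` already being present in `env` when this middleware runs, which the hunk does not show; a comment on the method stating that assumption would help. The `endpoint_paths_cache` body below the new method continues outside the hunk.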
diff --git a/spec/lib/gitlab/metrics/rack_middleware_spec.rb b/spec/lib/gitlab/metrics/rack_middleware_spec.rb
index 40289f8b972..f264ed64029 100644
--- a/spec/lib/gitlab/metrics/rack_middleware_spec.rb
+++ b/spec/lib/gitlab/metrics/rack_middleware_spec.rb
@@ -58,6 +58,22 @@ describe Gitlab::Metrics::RackMiddleware do
expect(transaction.values[:request_method]).to eq('GET')
expect(transaction.values[:request_uri]).to eq('/foo')
end
+
+ context "when URI includes sensitive parameters" do
+ let(:env) do
+ {
+ 'REQUEST_METHOD' => 'GET',
+ 'REQUEST_URI' => '/foo?private_token=my-token',
+ 'PATH_INFO' => '/foo',
+ 'QUERY_STRING' => 'private_token=my_token',
+ 'action_dispatch.parameter_filter' => [:private_token]
+ }
+ end
+
+ it 'stores the request URI with the sensitive parameters filtered' do
+ expect(transaction.values[:request_uri]).to eq('/foo?private_token=[FILTERED]')
+ end
+ end
end
describe '#tag_controller' do
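Review bot: The fixture in the new context is inconsistent: `'REQUEST_URI'` carries `private_token=my-token` while `'QUERY_STRING'` carries `private_token=my_token`, which obscures which env key the filtered value is actually built from. The example also sets `'action_dispatch.parameter_filter'` by hand and covers only the happy path; nothing exercises the `|| env['REQUEST_URI']` fallback in the middleware or an env without the filter key, which are the cases where a token could still be recorded. I would align the two values and add an example for an env without PATH_INFO/QUERY_STRING that asserts `expect(transaction.values[:request_uri]).not_to include('my-token')`. The enclosing `describe` block starts before this hunk.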