diff options
author | Sean McGivern <sean@gitlab.com> | 2018-01-05 19:46:53 +0000 |
---|---|---|
committer | Tiago Botelho <tiago@gitlab.com> | 2018-01-08 13:36:36 +0000 |
commit | 3a163509588d83748c4333ad7a74ac077da4c953 (patch) | |
tree | 661435cfe85917a87a9756de52265f52910a403f | |
parent | 14861b04cd5ab620420fd2d9b2b241017d5bdf4a (diff) | |
download | gitlab-ce-3a163509588d83748c4333ad7a74ac077da4c953.tar.gz |
Merge branch 'security-10-1-do-not-expose-passwords-or-tokens-in-service-integrations-api' into 'security-10-1'
Filter out sensitive fields from the project services API
See merge request gitlab/gitlabhq!2283
(cherry picked from commit cde3ae62e8f602b8db4fbdd382fba1a90780be7f)
c958086d Filter out sensitive fields from the project services API
-rw-r--r-- | app/models/service.rb | 5 | ||||
-rw-r--r-- | changelogs/unreleased/api-no-service-pw-output.yml | 5 | ||||
-rw-r--r-- | lib/api/entities.rb | 5 | ||||
-rw-r--r-- | lib/api/services.rb | 2 | ||||
-rw-r--r-- | lib/api/v3/entities.rb | 5 | ||||
-rw-r--r-- | lib/api/v3/services.rb | 2 | ||||
-rw-r--r-- | spec/models/service_spec.rb | 34 | ||||
-rw-r--r-- | spec/requests/api/services_spec.rb | 4 | ||||
-rw-r--r-- | spec/support/services_shared_context.rb | 8 |
9 files changed, 52 insertions, 18 deletions
diff --git a/app/models/service.rb b/app/models/service.rb index 6b64079215f..ebc6407a414 100644 --- a/app/models/service.rb +++ b/app/models/service.rb @@ -117,6 +117,11 @@ class Service < ActiveRecord::Base nil end + def api_field_names + fields.map { |field| field[:name] } + .reject { |field_name| field_name =~ /(password|token|key)/ } + end + def global_fields fields end diff --git a/changelogs/unreleased/api-no-service-pw-output.yml b/changelogs/unreleased/api-no-service-pw-output.yml new file mode 100644 index 00000000000..f0d0adaad1c --- /dev/null +++ b/changelogs/unreleased/api-no-service-pw-output.yml @@ -0,0 +1,5 @@ +--- +title: Filter out sensitive fields from the project services API +merge_request: +author: Robert Schilling +type: security diff --git a/lib/api/entities.rb b/lib/api/entities.rb index 5f0bad14839..311a6dda200 100644 --- a/lib/api/entities.rb +++ b/lib/api/entities.rb @@ -661,10 +661,7 @@ module API expose :job_events # Expose serialized properties expose :properties do |service, options| - field_names = service.fields - .select { |field| options[:include_passwords] || field[:type] != 'password' } - .map { |field| field[:name] } - service.properties.slice(*field_names) + service.properties.slice(*service.api_field_names) end end diff --git a/lib/api/services.rb b/lib/api/services.rb index 2cbd0517dc3..1e21761c6db 100644 --- a/lib/api/services.rb +++ b/lib/api/services.rb @@ -642,7 +642,7 @@ module API service_params = declared_params(include_missing: false).merge(active: true) if service.update_attributes(service_params) - present service, with: Entities::ProjectService, include_passwords: current_user.admin? + present service, with: Entities::ProjectService else render_api_error!('400 Bad Request', 400) end diff --git a/lib/api/v3/entities.rb b/lib/api/v3/entities.rb index afdd7b83998..d472fa964c2 100644 --- a/lib/api/v3/entities.rb +++ b/lib/api/v3/entities.rb @@ -257,10 +257,7 @@ module API expose :job_events, as: :build_events # Expose serialized properties expose :properties do |service, options| - field_names = service.fields - .select { |field| options[:include_passwords] || field[:type] != 'password' } - .map { |field| field[:name] } - service.properties.slice(*field_names) + service.properties.slice(*service.api_field_names) end end diff --git a/lib/api/v3/services.rb b/lib/api/v3/services.rb index 2d13d6fabfd..a9f60095531 100644 --- a/lib/api/v3/services.rb +++ b/lib/api/v3/services.rb @@ -602,7 +602,7 @@ module API end get ":id/services/:service_slug" do service = user_project.find_or_initialize_service(params[:service_slug].underscore) - present service, with: Entities::ProjectService, include_passwords: current_user.admin? + present service, with: Entities::ProjectService end end diff --git a/spec/models/service_spec.rb b/spec/models/service_spec.rb index 0f2f906c667..49031b6323e 100644 --- a/spec/models/service_spec.rb +++ b/spec/models/service_spec.rb @@ -254,4 +254,38 @@ describe Service do end end end + + describe '#api_field_names' do + let(:fake_service) do + Class.new(Service) do + def fields + [ + { name: 'token' }, + { name: 'api_token' }, + { name: 'key' }, + { name: 'api_key' }, + { name: 'password' }, + { name: 'password_field' }, + { name: 'safe_field' } + ] + end + end + end + + let(:service) do + fake_service.new(properties: [ + { token: 'token-value' }, + { api_token: 'api_token-value' }, + { key: 'key-value' }, + { api_key: 'api_key-value' }, + { password: 'password-value' }, + { password_field: 'password_field-value' }, + { safe_field: 'safe_field-value' } + ]) + end + + it 'filters out sensitive fields' do + expect(service.api_field_names).to eq(['safe_field']) + end + end end diff --git a/spec/requests/api/services_spec.rb b/spec/requests/api/services_spec.rb index 7e174903918..42c58569b52 100644 --- a/spec/requests/api/services_spec.rb +++ b/spec/requests/api/services_spec.rb @@ -81,14 +81,14 @@ describe API::Services do get api("/projects/#{project.id}/services/#{dashed_service}", admin) expect(response).to have_http_status(200) - expect(json_response['properties'].keys.map(&:to_sym)).to match_array(service_attrs_list.map) + expect(json_response['properties'].keys).to match_array(service_instance.api_field_names) end it "returns properties of service #{service} other than passwords when authenticated as project owner" do get api("/projects/#{project.id}/services/#{dashed_service}", user) expect(response).to have_http_status(200) - expect(json_response['properties'].keys.map(&:to_sym)).to match_array(service_attrs_list_without_passwords) + expect(json_response['properties'].keys).to match_array(service_instance.api_field_names) end it "returns error when authenticated but not a project owner" do diff --git a/spec/support/services_shared_context.rb b/spec/support/services_shared_context.rb index 7457484a932..b17da18d4d5 100644 --- a/spec/support/services_shared_context.rb +++ b/spec/support/services_shared_context.rb @@ -3,13 +3,9 @@ Service.available_services_names.each do |service| let(:dashed_service) { service.dasherize } let(:service_method) { "#{service}_service".to_sym } let(:service_klass) { "#{service}_service".classify.constantize } - let(:service_fields) { service_klass.new.fields } + let(:service_instance) { service_klass.new } + let(:service_fields) { service_instance.fields } let(:service_attrs_list) { service_fields.inject([]) {|arr, hash| arr << hash[:name].to_sym } } - let(:service_attrs_list_without_passwords) do - service_fields - .select { |field| field[:type] != 'password' } - .map { |field| field[:name].to_sym} - end let(:service_attrs) do service_attrs_list.inject({}) do |hash, k| if k =~ /^(token*|.*_token|.*_key)/ |