Add latest changes from gitlab-org/security/gitlab@13-11-stable-ee

author: GitLab Bot <gitlab-bot@gitlab.com> 2021-05-31 11:42:13 +0000
committer: GitLab Bot <gitlab-bot@gitlab.com> 2021-05-31 11:42:25 +0000
commit: 53c04c21144f90d66b5098f7396fcbcb3e7aa170 (patch)
tree: 61e6058d75a6afcb3457f8ca1dfb567fa3456ab4
parent: 279809e18f6949adb2543a45c0c800f549d35541 (diff)
download: gitlab-ce-53c04c21144f90d66b5098f7396fcbcb3e7aa170.tar.gz
4 files changed, 63 insertions, 0 deletions
diff --git a/config/initializers/lograge.rb b/config/initializers/lograge.rb
index e8479bc6aa4..61e357808d9 100644
--- a/config/initializers/lograge.rb
+++ b/config/initializers/lograge.rb
@@ -18,6 +18,7 @@ unless Gitlab::Runtime.sidekiq?
         data[:db_duration_s] = Gitlab::Utils.ms_to_round_sec(data.delete(:db)) if data[:db]
         data[:view_duration_s] = Gitlab::Utils.ms_to_round_sec(data.delete(:view)) if data[:view]
         data[:duration_s] = Gitlab::Utils.ms_to_round_sec(data.delete(:duration)) if data[:duration]
+        data[:location] = Gitlab::Utils.removes_sensitive_data_from_url(data[:location]) if data[:location]
 
         # Remove empty hashes to prevent type mismatches
         # These are set to empty hashes in Lograge's ActionCable subscriber
diff --git a/lib/gitlab/utils.rb b/lib/gitlab/utils.rb
index c1a57566640..98b3a77d09c 100644
--- a/lib/gitlab/utils.rb
+++ b/lib/gitlab/utils.rb
@@ -197,6 +197,24 @@ module Gitlab
     rescue Addressable::URI::InvalidURIError, TypeError
     end
 
+    def removes_sensitive_data_from_url(uri_string)
+      uri = parse_url(uri_string)
+
+      return unless uri
+      return uri_string unless uri.fragment
+
+      stripped_params = CGI.parse(uri.fragment)
+      if stripped_params['access_token']
+        stripped_params['access_token'] = 'filtered'
+        filtered_query = Addressable::URI.new
+        filtered_query.query_values = stripped_params
+
+        uri.fragment = filtered_query.query
+      end
+
+      uri.to_s
+    end
+
     # Invert a hash, collecting all keys that map to a given value in an array.
     #
     # Unlike `Hash#invert`, where the last encountered pair wins, and which has the
diff --git a/spec/initializers/lograge_spec.rb b/spec/initializers/lograge_spec.rb
index abb1673bb88..421f6373eff 100644
--- a/spec/initializers/lograge_spec.rb
+++ b/spec/initializers/lograge_spec.rb
@@ -173,6 +173,27 @@ RSpec.describe 'lograge', type: :request do
       end
     end
 
+    describe 'with access token in url' do
+      before do
+        event.payload[:location] = 'http://example.com/auth.html#access_token=secret_token&token_type=Bearer'
+      end
+
+      it 'strips location from sensitive information' do
+        subscriber.redirect_to(event)
+        subscriber.process_action(event)
+
+        expect(log_data['location']).not_to include('secret_token')
+        expect(log_data['location']).to include('filtered')
+      end
+
+      it 'leaves non-sensitive information from location' do
+        subscriber.redirect_to(event)
+        subscriber.process_action(event)
+
+        expect(log_data['location']).to include('&token_type=Bearer')
+      end
+    end
+
     context 'with db payload' do
       context 'when RequestStore is enabled', :request_store do
         it 'includes db counters' do
diff --git a/spec/lib/gitlab/utils_spec.rb b/spec/lib/gitlab/utils_spec.rb
index 11dba610faf..a7ccce0aaab 100644
--- a/spec/lib/gitlab/utils_spec.rb
+++ b/spec/lib/gitlab/utils_spec.rb
@@ -417,6 +417,29 @@ RSpec.describe Gitlab::Utils do
     end
   end
 
+  describe '.removes_sensitive_data_from_url' do
+    it 'returns string object' do
+      expect(described_class.removes_sensitive_data_from_url('http://gitlab.com')).to be_instance_of(String)
+    end
+
+    it 'returns nil when URI cannot be parsed' do
+      expect(described_class.removes_sensitive_data_from_url('://gitlab.com')).to be nil
+    end
+
+    it 'returns nil with invalid parameter' do
+      expect(described_class.removes_sensitive_data_from_url(1)).to be nil
+    end
+
+    it 'returns string with filtered access_token param' do
+      expect(described_class.removes_sensitive_data_from_url('http://gitlab.com/auth.html#access_token=secret_token')).to eq('http://gitlab.com/auth.html#access_token=filtered')
+    end
+
+    it 'returns string with filtered access_token param but other params preserved' do
+      expect(described_class.removes_sensitive_data_from_url('http://gitlab.com/auth.html#access_token=secret_token&token_type=Bearer&state=test'))
+        .to include('&token_type=Bearer', '&state=test')
+    end
+  end
+
   describe 'multiple_key_invert' do
     it 'invert keys with array values' do
       hash = {
author	GitLab Bot <gitlab-bot@gitlab.com>	2021-05-31 11:42:13 +0000
committer	GitLab Bot <gitlab-bot@gitlab.com>	2021-05-31 11:42:25 +0000
commit	53c04c21144f90d66b5098f7396fcbcb3e7aa170 (patch)
tree	61e6058d75a6afcb3457f8ca1dfb567fa3456ab4
parent	279809e18f6949adb2543a45c0c800f549d35541 (diff)
download	gitlab-ce-53c04c21144f90d66b5098f7396fcbcb3e7aa170.tar.gz