authorRémy Coutable <remy@gitlab.com>2016-10-05 09:30:10 +0000
committerRémy Coutable <remy@rymai.me>2016-10-11 14:04:12 +0200
commit6e1c1d953f3745f6f2c9261e12b5cd46efe69c66 (patch)
tree0675900716498dda0edc40c9b6cd01df1a5ed1a4
parent4d4c4687af157ada8bbfbc51d764f4414cc45452 (diff)
Merge branch 'raven-headers' into 'security'
Don't send Private-Token headers to Sentry.
Fixes https://gitlab.com/gitlab-org/gitlab-ce/issues/22537
This bumps 'raven' (the Ruby gem we use to send errors to Sentry) to version 2.0.2. We need 2.0.0 or newer to be able to sanitize HTTP headers.
See merge request !2004
Signed-off-by: Rémy Coutable <remy@rymai.me>
-rw-r--r--CHANGELOG3
-rw-r--r--Gemfile2
-rw-r--r--Gemfile.lock6
-rw-r--r--config/application.rb2
-rw-r--r--config/initializers/sentry.rb4
5 files changed, 12 insertions, 5 deletions
diff --git a/CHANGELOG b/CHANGELOG
index 9402018cb19..7b157d61411 100644
--- a/CHANGELOG
+++ b/CHANGELOG
@@ -1,5 +1,8 @@
Please view this file on the master branch, on stable branches it's out of date.
+v 8.10.12
+ - Don't send Private-Token (API authentication) headers to Sentry
+
v 8.10.11
- Respect the fork_project permission when forking projects
- Set a restrictive CORS policy on the API for credentialed requests
diff --git a/Gemfile b/Gemfile
index 326baa49fc4..d974a259861 100644
--- a/Gemfile
+++ b/Gemfile
@@ -235,7 +235,7 @@ gem 'net-ssh', '~> 3.0.1'
gem 'base32', '~> 0.3.0'
# Sentry integration
-gem 'sentry-raven', '~> 1.1.0'
+gem 'sentry-raven', '~> 2.0.0'
gem 'premailer-rails', '~> 1.9.0'
diff --git a/Gemfile.lock b/Gemfile.lock
index 43c2aa18084..02372882fef 100644
--- a/Gemfile.lock
+++ b/Gemfile.lock
@@ -650,8 +650,8 @@ GEM
activesupport (>= 3.1)
select2-rails (3.5.9.3)
thor (~> 0.14)
- sentry-raven (1.1.0)
- faraday (>= 0.7.6)
+ sentry-raven (2.0.2)
+ faraday (>= 0.7.6, < 0.10.x)
settingslogic (2.0.9)
sexp_processor (4.7.0)
sham_rack (1.3.6)
@@ -946,7 +946,7 @@ DEPENDENCIES
sdoc (~> 0.3.20)
seed-fu (~> 2.3.5)
select2-rails (~> 3.5.9)
- sentry-raven (~> 1.1.0)
+ sentry-raven (~> 2.0.0)
settingslogic (~> 2.0.9)
sham_rack (~> 1.3.6)
shoulda-matchers (~> 2.8.0)
diff --git a/config/application.rb b/config/application.rb
index 7975b2361fe..0c7395dff4a 100644
--- a/config/application.rb
+++ b/config/application.rb
@@ -50,6 +50,7 @@ module Gitlab
# - Build variables (:variables)
# - GitLab Pages SSL cert/key info (:certificate, :encrypted_key)
# - Webhook URLs (:hook)
+ # - GitLab-shell secret token (:secret_token)
# - Sentry DSN (:sentry_dsn)
# - Deploy keys (:key)
config.filter_parameters += %i(
@@ -62,6 +63,7 @@ module Gitlab
password
password_confirmation
private_token
+ secret_token
sentry_dsn
variables
)
diff --git a/config/initializers/sentry.rb b/config/initializers/sentry.rb
index 74fef7cadfe..b18acd0d769 100644
--- a/config/initializers/sentry.rb
+++ b/config/initializers/sentry.rb
@@ -15,9 +15,11 @@ if Rails.env.production?
Raven.configure do |config|
config.dsn = current_application_settings.sentry_dsn
config.release = Gitlab::REVISION
-
+
# Sanitize fields based on those sanitized from Rails.
config.sanitize_fields = Rails.application.config.filter_parameters.map(&:to_s)
+ # Sanitize authentication headers
+ config.sanitize_http_headers = %w[Authorization Private-Token]
end
end
end
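Review bot: The list at `config.sanitize_http_headers = %w[Authorization Private-Token]` is a second, hand-maintained deny-list that is not derived from `filter_parameters` the way `sanitize_fields` on the line above is, so any credential header introduced later will keep reaching Sentry unless someone remembers to edit this initializer as well. A comment making that coupling explicit would help, e.g. `# Header names are not derived from filter_parameters; keep this list in sync with config/application.rb when a new credential header is added.` If I recall raven 2.0 correctly, `Authorization` is already in its default header deny-list and header names are matched case-insensitively, so listing it here is harmless but worth marking as intentional. The enclosing `if Rails.env.production?` block starts outside the hunk.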