authorRémy Coutable <remy@gitlab.com>2016-12-09 16:31:14 +0000
committerRémy Coutable <remy@rymai.me>2016-12-14 15:31:48 +0100
commit8dd8d40cc41175d07b85c1b910349f57f3cc2ccf (patch)
tree751901736f4eedb771c2c4266f00e1f573caa721
parente079e4527ffb081f37b26abbedd00c06ef71f51e (diff)
downloadgitlab-ce-8dd8d40cc41175d07b85c1b910349f57f3cc2ccf.tar.gz
Merge branch 'rs-filter-params' into 'security'
Filter `authentication_token`, `incoming_email_token` and `runners_token` parameters Closes https://dev.gitlab.org/gitlab/gitlabhq/issues/2676 See merge request !2045 Signed-off-by: Rémy Coutable <remy@rymai.me>
-rw-r--r--CHANGELOG1
-rw-r--r--config/application.rb5
2 files changed, 5 insertions, 1 deletions
diff --git a/CHANGELOG b/CHANGELOG
index 966860f5587..c9d73569b51 100644
--- a/CHANGELOG
+++ b/CHANGELOG
@@ -3,6 +3,7 @@ Please view this file on the master branch, on stable branches it's out of date.
v 8.12.13
- API: Memoize the current_user so that the sudo can work properly. !8017
- Fix missing Note access checks in by moving Note#search to updated NoteFinder
+ - Filter `authentication_token`, `incoming_email_token` and `runners_token` parameters
v 8.12.12
- Replace MR access checks with use of MergeRequestsFinder
diff --git a/config/application.rb b/config/application.rb
index 0ae92c67829..8af176e9639 100644
--- a/config/application.rb
+++ b/config/application.rb
@@ -44,7 +44,7 @@ module Gitlab
#
# Parameters filtered:
# - Password (:password, :password_confirmation)
- # - Private tokens (:private_token)
+ # - Private tokens
# - Two-factor tokens (:otp_attempt)
# - Repo/Project Import URLs (:import_url)
# - Build variables (:variables)
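Review bot: The `# - Private tokens` line no longer says which keys it covers, while every other entry in this comment names its parameters in parentheses. This list is what a reader checks to see whether a given parameter is scrubbed from the logs, so it would be clearer as `# - Private tokens (:private_token, :authentication_token, :incoming_email_token, :runners_token)`. The comment block starts above the hunk.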
@@ -54,15 +54,18 @@ module Gitlab
# - Sentry DSN (:sentry_dsn)
# - Deploy keys (:key)
config.filter_parameters += %i(
+ authentication_token
certificate
encrypted_key
hook
import_url
+ incoming_email_token
key
otp_attempt
password
password_confirmation
private_token
+ runners_token
secret_token
sentry_dsn
variables
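Review bot: Listing each token name in `config.filter_parameters` leaves any other `*_token` parameter, present or added later, in the request log in clear text until someone extends the list. Rails matches symbol entries as a partial, unanchored pattern on the parameter name, so a single `token` entry would cover the three names added here as well as `private_token` and `secret_token`. If over-filtering is a concern, a regexp such as `/token\z/` is narrower, but it has to be appended outside the `%i(` literal. A spec asserting that these keys are logged as `[FILTERED]` would keep the list from regressing. The `%i(` list closes outside the hunk.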