authorRémy Coutable <remy@gitlab.com>2016-10-05 09:30:10 +0000
committerRémy Coutable <remy@rymai.me>2016-10-11 13:58:45 +0200
commiteebf51eeec1170b0f30df6b46bfc265988aeec39 (patch)
treeacb0518ff0a391a4d8e9459e0f7430539d8f5d83
parent7d593a491f9329515d7f82e8a43972458a17d5ba (diff)
Merge branch 'raven-headers' into 'security'
Don't send Private-Token headers to Sentry. Fixes https://gitlab.com/gitlab-org/gitlab-ce/issues/22537. This bumps 'raven' (the Ruby gem we use to send errors to Sentry) to version 2.0.2. We need 2.0.0 or newer to be able to sanitize HTTP headers. See merge request !2004. Signed-off-by: Rémy Coutable <remy@rymai.me>
-rw-r--r--CHANGELOG3
-rw-r--r--Gemfile2
-rw-r--r--Gemfile.lock6
-rw-r--r--config/application.rb2
-rw-r--r--config/initializers/sentry.rb4
5 files changed, 12 insertions, 5 deletions
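--- a/CHANGELOG
+++ b/CHANGELOG
@@ -1,5 +1,8 @@
 Please view this file on the master branch, on stable branches it's out of date.
+v 8.11.9
+ - Don't send Private-Token (API authentication) headers to Sentry
+
 v 8.11.8
 - Respect the fork_project permission when forking projects
 - Set a restrictive CORS policy on the API for credentialed requests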
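--- a/Gemfile
+++ b/Gemfile
@@ -234,7 +234,7 @@ gem 'net-ssh', '~> 3.0.1'
 gem 'base32', '~> 0.3.0'
 # Sentry integration
-gem 'sentry-raven', '~> 1.1.0'
+gem 'sentry-raven', '~> 2.0.0'
 gem 'premailer-rails', '~> 1.9.0'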
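--- a/Gemfile.lock
+++ b/Gemfile.lock
@@ -657,8 +657,8 @@ GEM
 activesupport (>= 3.1)
 select2-rails (3.5.9.3)
 thor (~> 0.14)
- sentry-raven (1.1.0)
- faraday (>= 0.7.6)
+ sentry-raven (2.0.2)
+ faraday (>= 0.7.6, < 0.10.x)
 settingslogic (2.0.9)
 sexp_processor (4.7.0)
 sham_rack (1.3.6)
@@ -946,7 +946,7 @@ DEPENDENCIES
 sdoc (~> 0.3.20)
 seed-fu (~> 2.3.5)
 select2-rails (~> 3.5.9)
- sentry-raven (~> 1.1.0)
+ sentry-raven (~> 2.0.0)
 settingslogic (~> 2.0.9)
 sham_rack (~> 1.3.6)
 shoulda-matchers (~> 2.8.0)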
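--- a/config/application.rb
+++ b/config/application.rb
@@ -50,6 +50,7 @@ module Gitlab
 # - Build variables (:variables)
 # - GitLab Pages SSL cert/key info (:certificate, :encrypted_key)
 # - Webhook URLs (:hook)
+ # - GitLab-shell secret token (:secret_token)
 # - Sentry DSN (:sentry_dsn)
 # - Deploy keys (:key)
 config.filter_parameters += %i(
@@ -62,6 +63,7 @@ module Gitlab
 password
 password_confirmation
 private_token
+ secret_token
 sentry_dsn
 variables
 )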
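Review bot: The `secret_token` entry added to `config.filter_parameters` is not only a log filter — the Sentry initializer in this same commit builds `config.sanitize_fields` from `Rails.application.config.filter_parameters`, so this list now has a second consumer that the comment block above it does not mention. A one-line comment above `config.filter_parameters += %i(` would keep future additions honest: `# Also feeds Raven's sanitize_fields (config/initializers/sentry.rb); new secret params must be listed here.` Rails treats a symbol entry as a case-insensitive substring match on the parameter key, so `secret_token` also covers longer keys that embed it, which is worth knowing before anyone tries to add variants. The `config.filter_parameters` assignment starts in the first hunk and closes in the second; the enclosing `module Gitlab` class body is outside both.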
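--- a/config/initializers/sentry.rb
+++ b/config/initializers/sentry.rb
@@ -15,9 +15,11 @@ if Rails.env.production?
 Raven.configure do |config|
 config.dsn = current_application_settings.sentry_dsn
 config.release = Gitlab::REVISION
-
+
 # Sanitize fields based on those sanitized from Rails.
 config.sanitize_fields = Rails.application.config.filter_parameters.map(&:to_s)
+ # Sanitize authentication headers
+ config.sanitize_http_headers = %w[Authorization Private-Token]
 end
 end
 end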
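Review bot: The `config.sanitize_http_headers = %w[Authorization Private-Token]` line closes the header leak named in the issue, but the same credential can reach the app through other channels that this list does not cover: GitLab also accepts the token as a `private_token` request parameter, and the session cookie travels in the `Cookie` header. Whether raven 2.0.2 applies `sanitize_fields` to the query string and whether it forwards the `Cookie` header at all is not visible in this hunk, so both should be checked against the gem's processors before treating this as complete; if cookies are forwarded, `Cookie` belongs in the list as well. The comment `# Sanitize authentication headers` would be more useful as `# Header names stripped from the request before it is sent to Sentry; the private_token param is handled by sanitize_fields above` once that is confirmed. The enclosing `if Rails.env.production?` starts before this hunk.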