diff options
| author | GitLab Release Tools Bot <robert+release-tools@gitlab.com> | 2019-11-26 12:02:03 +0000 |
|---|---|---|
| committer | GitLab Release Tools Bot <robert+release-tools@gitlab.com> | 2019-11-26 12:02:03 +0000 |
| commit | 7d028ae6a925c50033b14ada8495a244305e6df0 (patch) | |
| tree | a30d3b8b6983c017a0108c0420dd8ba717928ffe /app | |
| parent | 96d91c7885ec9cbaadf7f6ebd095f6e2b77941aa (diff) | |
| parent | cc9a30c758d5fc6aeed79ff15ba402a88604cd49 (diff) | |
| download | gitlab-ce-7d028ae6a925c50033b14ada8495a244305e6df0.tar.gz | |
Merge branch 'security-2943-encrypt-plaintext-tokens-12-5' into '12-5-stable'
GitLab stores AWS, Slack, Askimet, reCaptcha tokens in plaintext
See merge request gitlab/gitlabhq!3543
Diffstat (limited to 'app')
| -rw-r--r-- | app/models/application_setting.rb | 40 |
1 files changed, 18 insertions, 22 deletions
diff --git a/app/models/application_setting.rb b/app/models/application_setting.rb index 4028d711fd1..72605af433f 100644 --- a/app/models/application_setting.rb +++ b/app/models/application_setting.rb @@ -313,29 +313,25 @@ class ApplicationSetting < ApplicationRecord algorithm: 'aes-256-cbc', insecure_mode: true - attr_encrypted :external_auth_client_key, - mode: :per_attribute_iv, - key: Settings.attr_encrypted_db_key_base_truncated, - algorithm: 'aes-256-gcm', - encode: true - - attr_encrypted :external_auth_client_key_pass, - mode: :per_attribute_iv, - key: Settings.attr_encrypted_db_key_base_truncated, - algorithm: 'aes-256-gcm', - encode: true - - attr_encrypted :lets_encrypt_private_key, - mode: :per_attribute_iv, - key: Settings.attr_encrypted_db_key_base_truncated, - algorithm: 'aes-256-gcm', - encode: true + private_class_method def self.encryption_options_base_truncated_aes_256_gcm + { + mode: :per_attribute_iv, + key: Settings.attr_encrypted_db_key_base_truncated, + algorithm: 'aes-256-gcm', + encode: true + } + end - attr_encrypted :eks_secret_access_key, - mode: :per_attribute_iv, - key: Settings.attr_encrypted_db_key_base_truncated, - algorithm: 'aes-256-gcm', - encode: true + attr_encrypted :external_auth_client_key, encryption_options_base_truncated_aes_256_gcm + attr_encrypted :external_auth_client_key_pass, encryption_options_base_truncated_aes_256_gcm + attr_encrypted :lets_encrypt_private_key, encryption_options_base_truncated_aes_256_gcm + attr_encrypted :eks_secret_access_key, encryption_options_base_truncated_aes_256_gcm + attr_encrypted :akismet_api_key, encryption_options_base_truncated_aes_256_gcm + attr_encrypted :elasticsearch_aws_secret_access_key, encryption_options_base_truncated_aes_256_gcm + attr_encrypted :recaptcha_private_key, encryption_options_base_truncated_aes_256_gcm + attr_encrypted :recaptcha_site_key, encryption_options_base_truncated_aes_256_gcm + attr_encrypted :slack_app_secret, encryption_options_base_truncated_aes_256_gcm + attr_encrypted :slack_app_verification_token, encryption_options_base_truncated_aes_256_gcm before_validation :ensure_uuid! |