authorGitLab Bot <gitlab-bot@gitlab.com>2022-03-31 00:00:32 +0000
committerGitLab Bot <gitlab-bot@gitlab.com>2022-03-31 00:00:32 +0000
commit1153e17b2d34c50834251038269ac11f18219bdf (patch)
tree20b80086422da0d03cb3a1af0300858570c35e7e /spec/lib/gitlab
parentd111c2d301f43d0b6de98f47da39d2b107ce17a1 (diff)
Add latest changes from gitlab-org/security/gitlab@14-9-stable-ee
Diffstat (limited to 'spec/lib/gitlab')
-rw-r--r--spec/lib/gitlab/error_tracking/processor/sanitize_error_message_processor_spec.rb53
-rw-r--r--spec/lib/gitlab/error_tracking_spec.rb56
-rw-r--r--spec/lib/gitlab/exception_log_formatter_spec.rb8
-rw-r--r--spec/lib/gitlab/sanitizers/exception_message_spec.rb54
4 files changed, 171 insertions, 0 deletions
diff --git a/spec/lib/gitlab/error_tracking/processor/sanitize_error_message_processor_spec.rb b/spec/lib/gitlab/error_tracking/processor/sanitize_error_message_processor_spec.rb
new file mode 100644
index 00000000000..5ec73233e77
--- /dev/null
+++ b/spec/lib/gitlab/error_tracking/processor/sanitize_error_message_processor_spec.rb
@@ -0,0 +1,53 @@
+# frozen_string_literal: true
+
+require 'spec_helper'
+
+RSpec.describe Gitlab::ErrorTracking::Processor::SanitizeErrorMessageProcessor, :sentry do
+ describe '.call' do
+ let(:exception) { StandardError.new('raw error') }
+ let(:result_hash) { described_class.call(event).to_hash }
+
+ shared_examples 'processes the exception' do
+ it 'cleans the exception message' do
+ expect(Gitlab::Sanitizers::ExceptionMessage).to receive(:clean).with('StandardError', 'raw error').and_return('cleaned')
+
+ expect(result_hash[:exception][:values].first).to include(
+ type: 'StandardError',
+ value: 'cleaned'
+ )
+ end
+ end
+
+ context 'with Raven event' do
+ let(:raven_required_options) do
+ {
+ configuration: Raven.configuration,
+ context: Raven.context,
+ breadcrumbs: Raven.breadcrumbs
+ }
+ end
+
+ let(:event) { Raven::Event.from_exception(exception, raven_required_options) }
+
+ it_behaves_like 'processes the exception'
+ end
+
+ context 'with Sentry event' do
+ let(:event) { Sentry.get_current_client.event_from_exception(exception) }
+
+ it_behaves_like 'processes the exception'
+ end
+
+ context 'with invalid event' do
+ let(:event) { instance_double('Sentry::Event', to_hash: { invalid: true }) }
+
+ it 'does nothing' do
+ extracted_exception = instance_double('Sentry::SingleExceptionInterface', value: nil)
+ allow(described_class).to receive(:extract_exceptions_from).and_return([extracted_exception])
+
+ expect(Gitlab::Sanitizers::ExceptionMessage).not_to receive(:clean)
+ expect(result_hash).to eq(invalid: true)
+ end
+ end
+ end
+end
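Review bot: The shared example 'processes the exception' inspects only `values.first`, so nothing in this spec shows that every entry in the exception list is cleaned. An exception raised with a `cause` typically produces more than one entry in `values`, and a URI in the inner message is the one that would leak if the processor handled only the first entry. Consider adding a context whose exception has a cause, with an assertion such as `expect(result_hash[:exception][:values]).to all(include(value: 'cleaned'))` and the `clean` stub relaxed to accept both messages. The processor implementation is not on this page, so this is a coverage gap rather than a confirmed defect.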
diff --git a/spec/lib/gitlab/error_tracking_spec.rb b/spec/lib/gitlab/error_tracking_spec.rb
index 936954fc1b6..1ade3a51c55 100644
--- a/spec/lib/gitlab/error_tracking_spec.rb
+++ b/spec/lib/gitlab/error_tracking_spec.rb
@@ -368,5 +368,61 @@ RSpec.describe Gitlab::ErrorTracking do
end
end
end
+
+ context 'when processing invalid URI exceptions' do
+ let(:invalid_uri) { 'http://foo:bar' }
+ let(:raven_exception_values) { raven_event['exception']['values'] }
+ let(:sentry_exception_values) { sentry_event.exception.to_hash[:values] }
+
+ context 'when the error is a URI::InvalidURIError' do
+ let(:exception) do
+ URI.parse(invalid_uri)
+ rescue URI::InvalidURIError => error
+ error
+ end
+
+ it 'filters the URI from the error message' do
+ track_exception
+
+ expect(raven_exception_values).to include(
+ hash_including(
+ 'type' => 'URI::InvalidURIError',
+ 'value' => 'bad URI(is not URI?): [FILTERED]'
+ )
+ )
+ expect(sentry_exception_values).to include(
+ hash_including(
+ type: 'URI::InvalidURIError',
+ value: 'bad URI(is not URI?): [FILTERED]'
+ )
+ )
+ end
+ end
+
+ context 'when the error is a Addressable::URI::InvalidURIError' do
+ let(:exception) do
+ Addressable::URI.parse(invalid_uri)
+ rescue Addressable::URI::InvalidURIError => error
+ error
+ end
+
+ it 'filters the URI from the error message' do
+ track_exception
+
+ expect(raven_exception_values).to include(
+ hash_including(
+ 'type' => 'Addressable::URI::InvalidURIError',
+ 'value' => 'Invalid port number: [FILTERED]'
+ )
+ )
+ expect(sentry_exception_values).to include(
+ hash_including(
+ type: 'Addressable::URI::InvalidURIError',
+ value: 'Invalid port number: [FILTERED]'
+ )
+ )
+ end
+ end
+ end
end
end
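Review bot: In both `let(:exception)` blocks the parsed URI object is returned when the parser does not raise, so a library upgrade that starts accepting `'http://foo:bar'` would pass a non-exception to `track_exception` and fail with a confusing error instead of a clear one. Adding `raise 'expected the parse to fail'` on the line after `URI.parse(invalid_uri)` (and after `Addressable::URI.parse(invalid_uri)`) makes the precondition explicit, because the `rescue` clause only catches the InvalidURIError class. The same pattern appears in the `let(:exception)` blocks of spec/lib/gitlab/sanitizers/exception_message_spec.rb. `track_exception`, `raven_event` and `sentry_event` are defined outside this hunk, so how the two events are captured cannot be checked from here.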
diff --git a/spec/lib/gitlab/exception_log_formatter_spec.rb b/spec/lib/gitlab/exception_log_formatter_spec.rb
index beeeeb2b64c..7dda56f0bf5 100644
--- a/spec/lib/gitlab/exception_log_formatter_spec.rb
+++ b/spec/lib/gitlab/exception_log_formatter_spec.rb
@@ -22,6 +22,14 @@ RSpec.describe Gitlab::ExceptionLogFormatter do
expect(payload['exception.sql']).to be_nil
end
+ it 'cleans the exception message' do
+ expect(Gitlab::Sanitizers::ExceptionMessage).to receive(:clean).with('RuntimeError', 'bad request').and_return('cleaned')
+
+ described_class.format!(exception, payload)
+
+ expect(payload['exception.message']).to eq('cleaned')
+ end
+
context 'when exception is ActiveRecord::StatementInvalid' do
let(:exception) { ActiveRecord::StatementInvalid.new(sql: 'SELECT "users".* FROM "users" WHERE "users"."id" = 1 AND "users"."foo" = $1') }
diff --git a/spec/lib/gitlab/sanitizers/exception_message_spec.rb b/spec/lib/gitlab/sanitizers/exception_message_spec.rb
new file mode 100644
index 00000000000..8b54b353235
--- /dev/null
+++ b/spec/lib/gitlab/sanitizers/exception_message_spec.rb
@@ -0,0 +1,54 @@
+# frozen_string_literal: true
+
+require 'fast_spec_helper'
+require 'rspec-parameterized'
+
+RSpec.describe Gitlab::Sanitizers::ExceptionMessage do
+ describe '.clean' do
+ let(:exception_name) { exception.class.name }
+ let(:exception_message) { exception.message }
+
+ subject { described_class.clean(exception_name, exception_message) }
+
+ context 'when error is a URI::InvalidURIError' do
+ let(:exception) do
+ URI.parse('http://foo:bar')
+ rescue URI::InvalidURIError => error
+ error
+ end
+
+ it { is_expected.to eq('bad URI(is not URI?): [FILTERED]') }
+ end
+
+ context 'when error is an Addressable::URI::InvalidURIError' do
+ using RSpec::Parameterized::TableSyntax
+
+ let(:exception) do
+ Addressable::URI.parse(uri)
+ rescue Addressable::URI::InvalidURIError => error
+ error
+ end
+
+ where(:uri, :result) do
+ 'http://foo:bar' | 'Invalid port number: [FILTERED]'
+ 'http://foo:%eb' | 'Invalid encoding in port'
+ 'ht%0atp://foo' | 'Invalid scheme format: [FILTERED]'
+ 'http:' | 'Absolute URI missing hierarchical segment: [FILTERED]'
+ '::http' | 'Cannot assemble URI string with ambiguous path: [FILTERED]'
+ 'http://foo bar' | 'Invalid character in host: [FILTERED]'
+ end
+
+ with_them do
+ it { is_expected.to eq(result) }
+ end
+ end
+
+ context 'with any other exception' do
+ let(:exception) { StandardError.new('Error message: http://foo@bar:baz@ex:ample.com') }
+
+ it 'is not invoked and does nothing' do
+ is_expected.to eq('Error message: http://foo@bar:baz@ex:ample.com')
+ end
+ end
+ end
+end
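Review bot: The last example is titled 'is not invoked and does nothing', but `subject` calls `described_class.clean` directly, so the sanitizer is invoked and simply returns the message unchanged; `it 'returns the message unchanged'` would describe what is asserted. That example also pins the fact that a credential-shaped URL inside a `StandardError` message passes through unredacted. This deserves a comment such as `# only URI parser errors are sanitized; other messages pass through as-is`, so readers do not assume general URL scrubbing of logs and error reports. In the table, the `'http://foo:%eb'` row expects no `[FILTERED]` marker; a short comment that this message carries no URI text would explain why it differs from the other rows.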