-rw-r--r-- | CHANGELOG | 1 | ||||
-rw-r--r-- | lib/gitlab/metrics/rack_middleware.rb | 6 | ||||
-rw-r--r-- | spec/lib/gitlab/metrics/rack_middleware_spec.rb | 16 |
3 files changed, 22 insertions, 1 deletions
diff --git a/CHANGELOG b/CHANGELOG
index 148ec575f84..620a7eea378 100644
--- a/CHANGELOG
+++ b/CHANGELOG
@@ -122,6 +122,7 @@ v 8.9.0 (unreleased)
 - Set inverse_of for Project/Service association to reduce the number of queries
 - Update tanuki logo highlight/loading colors
 - Use Git cached counters for branches and tags on project page
+ - Filter parameters for request_uri value on instrumented transactions.
 v 8.8.5
 - Import GitHub repositories respecting the API rate limit !4166
diff --git a/lib/gitlab/metrics/rack_middleware.rb b/lib/gitlab/metrics/rack_middleware.rb
index 3fe27779d03..e61670f491c 100644
--- a/lib/gitlab/metrics/rack_middleware.rb
+++ b/lib/gitlab/metrics/rack_middleware.rb
@@ -35,7 +35,7 @@ module Gitlab
 def transaction_from_env(env)
 trans = Transaction.new
- trans.set(:request_uri, env['REQUEST_URI'])
+ trans.set(:request_uri, filtered_path(env))
 trans.set(:request_method, env['REQUEST_METHOD'])
 trans
@@ -54,6 +54,10 @@ module Gitlab
 private
+ def filtered_path(env)
+ ActionDispatch::Request.new(env).filtered_path.presence || env['REQUEST_URI']
+ end
+
 def endpoint_paths_cache
 @endpoint_paths_cache ||= Hash.new do |hash, http_method|
 hash[http_method] = Hash.new do |inner_hash, raw_path|
diff --git a/spec/lib/gitlab/metrics/rack_middleware_spec.rb b/spec/lib/gitlab/metrics/rack_middleware_spec.rb
index 40289f8b972..f264ed64029 100644
--- a/spec/lib/gitlab/metrics/rack_middleware_spec.rb
+++ b/spec/lib/gitlab/metrics/rack_middleware_spec.rb
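Review bot: The fallback in the new `filtered_path` helper returns `env['REQUEST_URI']` untouched, so whenever `ActionDispatch::Request#filtered_path` comes back blank the raw URI, query string included, is still what `transaction_from_env` stores as `request_uri`. That presumably only happens for an env that lacks `PATH_INFO` and `QUERY_STRING`, but nothing in this hunk guarantees `REQUEST_URI` carries no parameters in that case. Dropping the query string on the fallback would keep the metric from ever holding an unfiltered token, e.g. `ActionDispatch::Request.new(env).filtered_path.presence || env['REQUEST_URI'].to_s.split('?', 2).first`. A short comment above the method, such as `# Uses Rails' parameter filter; falls back to REQUEST_URI only when no path can be built from env`, would record why the fallback exists. The body of `transaction_from_env` ends outside the first hunk.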
@@ -58,6 +58,22 @@ describe Gitlab::Metrics::RackMiddleware do
 expect(transaction.values[:request_method]).to eq('GET')
 expect(transaction.values[:request_uri]).to eq('/foo')
 end
+
+ context "when URI includes sensitive parameters" do
+ let(:env) do
+ {
+ 'REQUEST_METHOD' => 'GET',
+ 'REQUEST_URI' => '/foo?private_token=my-token',
+ 'PATH_INFO' => '/foo',
+ 'QUERY_STRING' => 'private_token=my_token',
+ 'action_dispatch.parameter_filter' => [:private_token]
+ }
+ end
+
+ it 'stores the request URI with the sensitive parameters filtered' do
+ expect(transaction.values[:request_uri]).to eq('/foo?private_token=[FILTERED]')
+ end
+ end
 end
 describe '#tag_controller' do |
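Review bot: The env in the new context is internally inconsistent: `'REQUEST_URI'` carries `private_token=my-token` while `'QUERY_STRING'` carries `private_token=my_token`, which hides the fact that the stored value appears to be rebuilt from `PATH_INFO` and `QUERY_STRING` rather than from `REQUEST_URI`. Using one token value in both keys would make the fixture describe a single request. There is also no example for the fallback branch, i.e. an env whose `REQUEST_URI` has a sensitive query string but no `QUERY_STRING` key, so the case where the raw URI is stored is untested. Because the filter list is injected through `'action_dispatch.parameter_filter'` in the fixture itself, this example does not show that the application's configured filter covers `private_token`. The enclosing `describe` block starts and ends outside the hunk.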