Diffstat (limited to 'spec/lib/gitlab/error_tracking/processor/sanitizer_processor_spec.rb')
-rw-r--r-- | spec/lib/gitlab/error_tracking/processor/sanitizer_processor_spec.rb | 114 |
1 files changed, 114 insertions, 0 deletions
diff --git a/spec/lib/gitlab/error_tracking/processor/sanitizer_processor_spec.rb b/spec/lib/gitlab/error_tracking/processor/sanitizer_processor_spec.rb
new file mode 100644
index 00000000000..9673bfc5cd3
--- /dev/null
+++ b/spec/lib/gitlab/error_tracking/processor/sanitizer_processor_spec.rb
@@ -0,0 +1,114 @@
+# frozen_string_literal: true
+
+require 'spec_helper'
+
+RSpec.describe Gitlab::ErrorTracking::Processor::SanitizerProcessor, :sentry do
+ describe '.call' do
+ let(:event) { Sentry.get_current_client.event_from_exception(exception) }
+ let(:result_hash) { described_class.call(event).to_hash }
+
+ before do
+ data.each do |key, value|
+ event.send("#{key}=", value)
+ end
+ end
+
+ after do
+ Sentry.get_current_scope.clear
+ end
+
+ context 'when event attributes contains sensitive information' do
+ let(:exception) { RuntimeError.new }
+ let(:data) do
+ {
+ contexts: {
+ jwt: 'abcdef',
+ controller: 'GraphController#execute'
+ },
+ tags: {
+ variables: %w[some sensitive information'],
+ deep_hash: {
+ sharedSecret: 'secret123'
+ }
+ },
+ user: {
+ email: 'a@a.com',
+ password: 'nobodyknows'
+ },
+ extra: {
+ issue_url: 'http://gitlab.com/gitlab-org/gitlab-foss/-/issues/1',
+ my_token: '[FILTERED]',
+ another_token: '[FILTERED]'
+ }
+ }
+ end
+
+ it 'filters sensitive attributes' do
+ expect_next_instance_of(ActiveSupport::ParameterFilter) do |instance|
+ expect(instance).to receive(:filter).exactly(4).times.and_call_original
+ end
+
+ expect(result_hash).to include(
+ contexts: {
+ jwt: '[FILTERED]',
+ controller: 'GraphController#execute'
+ },
+ tags: {
+ variables: '[FILTERED]',
+ deep_hash: {
+ sharedSecret: '[FILTERED]'
+ }
+ },
+ user: {
+ email: 'a@a.com',
+ password: '[FILTERED]'
+ },
+ extra: {
+ issue_url: 'http://gitlab.com/gitlab-org/gitlab-foss/-/issues/1',
+ my_token: '[FILTERED]',
+ another_token: '[FILTERED]'
+ }
+ )
+ end
+ end
+
+ context 'when request contains sensitive information' do
+ let(:exception) { RuntimeError.new }
+ let(:data) { {} }
+
+ before do
+ event.rack_env = {
+ 'HTTP_AUTHORIZATION' => 'Bearer 123456',
+ 'HTTP_PRIVATE_TOKEN' => 'abcdef',
+ 'HTTP_JOB_TOKEN' => 'secret123',
+ 'HTTP_GITLAB_WORKHORSE_PROXY_START' => 123456,
+ 'HTTP_COOKIE' => 'yummy_cookie=choco; tasty_cookie=strawberry',
+ 'QUERY_STRING' => 'token=secret&access_token=secret&job_token=secret&private_token=secret',
+ 'Content-Type' => 'application/json',
+ 'rack.input' => StringIO.new('{"name":"new_project", "some_token":"value"}')
+ }
+ end
+
+ it 'filters sensitive headers' do
+ expect(result_hash[:request][:headers]).to include(
+ 'Authorization' => '[FILTERED]',
+ 'Private-Token' => '[FILTERED]',
+ 'Job-Token' => '[FILTERED]',
+ 'Gitlab-Workhorse-Proxy-Start' => '123456'
+ )
+ end
+
+ it 'filters query string parameters' do
+ expect(result_hash[:request][:query_string]).not_to include('secret')
+ end
+
+ it 'removes cookies' do
+ expect(result_hash[:request][:cookies]).to be_empty
+ end
+
+ it 'removes data' do
+ expect(result_hash[:request][:data]).to be_empty
+ end
+ end
+ end
+end |
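Review bot: In the first context's `extra` input hash, `my_token` and `another_token` are seeded with the sentinel value `'[FILTERED]'`, so the matching expectation in 'filters sensitive attributes' passes whether or not the processor ever touched those keys, and a regression in filtering of `extra` would go unnoticed. Seed them with non-sentinel values, e.g. `my_token: 'token-value-1'` and `another_token: 'token-value-2'` (constructed placeholders), and keep the expected `'[FILTERED]'` on the assertion side. The same weak-assertion pattern appears in 'filters query string parameters', where `not_to include('secret')` would also pass if the query string were dropped entirely or mangled; asserting the exact filtered string, or at least that the non-secret parameter names survive, would pin the intended behavior. Minor: `%w[some sensitive information']` carries a stray quote, so the last element is `information'` rather than `information`, which looks like a typo.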