From 9770c57fab0315865a33c8b6df269eded0d57b5c Mon Sep 17 00:00:00 2001
From: Brian Neel <brian@gitlab.com>
Date: Thu, 3 Aug 2017 22:20:34 -0400
Subject: Re-enable SqlInjection and CommandInjection

---
 config/application.rb | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

(limited to 'config/application.rb')

diff --git a/config/application.rb b/config/application.rb
index 47887bf8596..f69dab4de39 100644
--- a/config/application.rb
+++ b/config/application.rb
@@ -176,7 +176,7 @@ module Gitlab
           next unless name.include?('namespace_project')
 
           define_method(name.sub('namespace_project', 'project')) do |project, *args|
-            send(name, project&.namespace, project, *args)
+            send(name, project&.namespace, project, *args) # rubocop:disable GitlabSecurity/PublicSend
           end
         end
       end
-- 
cgit v1.2.1


From d74fecac031df1c3b4e817f49f7bafe2b175be11 Mon Sep 17 00:00:00 2001
From: Stan Hu <stanhu@gmail.com>
Date: Wed, 30 Aug 2017 21:14:29 -0700
Subject: Filter additional secrets from Rails logs

Upon inspection of logs, there were a number of fields not filtered. For example:

* authenticity_token: CSRF token
* rss_token: Used for RSS feeds
* secret: Used with Projects::UploadController

Rails provides a way to match regexps, so we now filter:

* Any parameter ending with `_token`
* Any parameter containing `password`
* Any parameter containing `secret`
---
 config/application.rb | 15 ++++-----------
 1 file changed, 4 insertions(+), 11 deletions(-)

(limited to 'config/application.rb')

diff --git a/config/application.rb b/config/application.rb
index f69dab4de39..32a290f2002 100644
--- a/config/application.rb
+++ b/config/application.rb
@@ -51,31 +51,24 @@ module Gitlab
     # Configure sensitive parameters which will be filtered from the log file.
     #
     # Parameters filtered:
-    # - Password (:password, :password_confirmation)
-    # - Private tokens
+    # - Any parameter ending with `_token`
+    # - Any parameter containing `password`
+    # - Any parameter containing `secret`
     # - Two-factor tokens (:otp_attempt)
     # - Repo/Project Import URLs (:import_url)
     # - Build variables (:variables)
     # - GitLab Pages SSL cert/key info (:certificate, :encrypted_key)
     # - Webhook URLs (:hook)
-    # - GitLab-shell secret token (:secret_token)
     # - Sentry DSN (:sentry_dsn)
     # - Deploy keys (:key)
+    config.filter_parameters += [/_token$/, /password/, /secret/]
     config.filter_parameters += %i(
-      authentication_token
       certificate
       encrypted_key
       hook
       import_url
-      incoming_email_token
-      rss_token
       key
       otp_attempt
-      password
-      password_confirmation
-      private_token
-      runners_token
-      secret_token
       sentry_dsn
       variables
     )
-- 
cgit v1.2.1