Commit 5e3f9ea1 authored by Yorick Peterse's avatar Yorick Peterse Committed by Robert Speicher

Merge branch 'secure-request-uris' into 'master'

Filter out sensitive parameters of metrics data

See merge request !4748
parent c73aeed9
......@@ -130,6 +130,7 @@ v 8.8.5 (unreleased)
- Set inverse_of for Project/Service association to reduce the number of queries
- Update tanuki logo highlight/loading colors
- Use Git cached counters for branches and tags on project page
- Filter parameters for request_uri value on instrumented transactions.
v 8.8.5
- Import GitHub repositories respecting the API rate limit !4166
......
......@@ -35,7 +35,7 @@ module Gitlab
def transaction_from_env(env)
trans = Transaction.new
trans.set(:request_uri, env['REQUEST_URI'])
trans.set(:request_uri, filtered_path(env))
trans.set(:request_method, env['REQUEST_METHOD'])
trans
......@@ -54,6 +54,10 @@ module Gitlab
private
def filtered_path(env)
ActionDispatch::Request.new(env).filtered_path.presence || env['REQUEST_URI']
end
def endpoint_paths_cache
@endpoint_paths_cache ||= Hash.new do |hash, http_method|
hash[http_method] = Hash.new do |inner_hash, raw_path|
......
......@@ -58,6 +58,22 @@ describe Gitlab::Metrics::RackMiddleware do
expect(transaction.values[:request_method]).to eq('GET')
expect(transaction.values[:request_uri]).to eq('/foo')
end
context "when URI includes sensitive parameters" do
let(:env) do
{
'REQUEST_METHOD' => 'GET',
'REQUEST_URI' => '/foo?private_token=my-token',
'PATH_INFO' => '/foo',
'QUERY_STRING' => 'private_token=my_token',
'action_dispatch.parameter_filter' => [:private_token]
}
end
it 'stores the request URI with the sensitive parameters filtered' do
expect(transaction.values[:request_uri]).to eq('/foo?private_token=[FILTERED]')
end
end
end
describe '#tag_controller' do
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment