Merge branch 'raven-headers' into 'security'

Don't send Private-Token headers to Sentry Fixes https://gitlab.com/gitlab-org/gitlab-ce/issues/22537 This bumps 'raven' (the Ruby gem we use to send errors to Sentry) to version 2.0.2. We need 2.0.0 or newer to be able to sanitize HTTP headers. See merge request !2004 Signed-off-by: Rémy Coutable <remy@rymai.me>

Merge branch 'raven-headers' into 'security'
Don't send Private-Token headers to Sentry Fixes https://gitlab.com/gitlab-org/gitlab-ce/issues/22537 This bumps 'raven' (the Ruby gem we use to send errors to Sentry) to version 2.0.2. We need 2.0.0 or newer to be able to sanitize HTTP headers. See merge request !2004 Signed-off-by: Rémy Coutable <remy@rymai.me>
c158f6e1 · Rémy Coutable · Rémy Coutable · 97d1ef03 · c158f6e1 · c158f6e1
Commit c158f6e1 authored Oct 05, 2016 by Rémy Coutable Committed by Rémy Coutable Oct 11, 2016
Showing with 9 additions and 4 deletions

CHANGELOG CHANGELOG +1 -0

Gemfile Gemfile +1 -1

Gemfile.lock Gemfile.lock +3 -3

config/application.rb config/application.rb +2 -0

config/initializers/sentry.rb config/initializers/sentry.rb +2 -0

No files found.
--- a/CHANGELOG
+++ b/CHANGELOG
@@ -5,6 +5,7 @@ v 8.12.5
  - Update the mail_room gem to 0.8.1 to fix a race condition with the mailbox watching thread. !6714
  - Improve issue load time performance by avoiding ORDER BY in find_by call. !6724
  - Add a new gitlab:users:clear_all_authentication_tokens task. !6745
+  - Don't send Private-Token (API authentication) headers to Sentry

 v 8.12.4
  - Fix "Copy to clipboard" tooltip to say "Copied!" when clipboard button is clicked. !6294 (lukehowell)

--- a/Gemfile
+++ b/Gemfile
@@ -234,7 +234,7 @@ gem 'net-ssh',            '~> 3.0.1'
 gem 'base32',             '~> 0.3.0'

 # Sentry integration
-gem 'sentry-raven', '~> 1.1.0'
+gem 'sentry-raven', '~> 2.0.0'

 gem 'premailer-rails', '~> 1.9.0'


--- a/Gemfile.lock
+++ b/Gemfile.lock
@@ -665,8 +665,8 @@ GEM
      activesupport (>= 3.1)
    select2-rails (3.5.9.3)
      thor (~> 0.14)
-    sentry-raven (1.1.0)
-      faraday (>= 0.7.6)
+    sentry-raven (2.0.2)
+      faraday (>= 0.7.6, < 0.10.x)
    settingslogic (2.0.9)
    sexp_processor (4.7.0)
    sham_rack (1.3.6)
@@ -956,7 +956,7 @@ DEPENDENCIES
  sdoc (~> 0.3.20)
  seed-fu (~> 2.3.5)
  select2-rails (~> 3.5.9)
-  sentry-raven (~> 1.1.0)
+  sentry-raven (~> 2.0.0)
  settingslogic (~> 2.0.9)
  sham_rack (~> 1.3.6)
  shoulda-matchers (~> 2.8.0)

--- a/config/application.rb
+++ b/config/application.rb
@@ -50,6 +50,7 @@ module Gitlab
    # - Build variables (:variables)
    # - GitLab Pages SSL cert/key info (:certificate, :encrypted_key)
    # - Webhook URLs (:hook)
+    # - GitLab-shell secret token (:secret_token)
    # - Sentry DSN (:sentry_dsn)
    # - Deploy keys (:key)
    config.filter_parameters += %i(
@@ -62,6 +63,7 @@ module Gitlab
      password
      password_confirmation
      private_token
+      secret_token
      sentry_dsn
      variables
    )

--- a/config/initializers/sentry.rb
+++ b/config/initializers/sentry.rb
@@ -18,6 +18,8 @@ if Rails.env.production?
      
      # Sanitize fields based on those sanitized from Rails.
      config.sanitize_fields = Rails.application.config.filter_parameters.map(&:to_s)
+      # Sanitize authentication headers
+      config.sanitize_http_headers = %w[Authorization Private-Token]
      config.tags = { program: Gitlab::Sentry.program_context }
    end
  end