Strip out any HTML tags in Geo response and upon failure omit full response text

Closes #2786

Strip out any HTML tags in Geo response and upon failure omit full response text
Closes #2786
01355138 · Stan Hu · 8ee10e25 · 01355138 · 01355138
Commit 01355138 authored Jun 30, 2017 by Stan Hu
Showing with 22 additions and 4 deletions

app/services/geo/node_status_service.rb app/services/geo/node_status_service.rb +8 -2

spec/services/geo/node_status_service_spec.rb spec/services/geo/node_status_service_spec.rb +14 -2

No files found.
--- a/app/services/geo/node_status_service.rb
+++ b/app/services/geo/node_status_service.rb
 module Geo
  class NodeStatusService
+    include ActionView::Helpers::SanitizeHelper
    include Gitlab::CurrentSettings
    include HTTParty

@@ -28,10 +29,11 @@ module Geo
              if payload.is_a?(Hash)
                payload['message']
              else
-                payload
+                ''
              end

-            Array([message, details].compact.join("\n"))
+            summary = [message, details].compact.join("\n")
+            [sanitize(summary)]
          end
        rescue HTTParty::Error, Timeout::Error, SocketError, Errno::ECONNRESET, Errno::ECONNREFUSED => e
          [e.message]
@@ -42,6 +44,10 @@ module Geo

    private

+    def sanitize(message)
+      ActionView::Base.full_sanitizer.sanitize(message)
+    end
+
    def headers
      Gitlab::Geo::BaseRequest.new.headers
    end

--- a/spec/services/geo/node_status_service_spec.rb
+++ b/spec/services/geo/node_status_service_spec.rb
@@ -11,11 +11,11 @@ describe Geo::NodeStatusService, services: true do
  end

  describe '#call' do
-    it 'parses a 401 response' do
+    it 'strips tags from a 401 response' do
      request = double(success?: false,
                       code: 401,
                       message: 'Unauthorized',
-                       parsed_response: { 'message' => 'Test' } )
+                       parsed_response: { 'message' => '<html><h1>Test</h1></html>' } )
      allow(described_class).to receive(:get).and_return(request)

      status = subject.call(secondary)
@@ -39,5 +39,17 @@ describe Geo::NodeStatusService, services: true do

      expect(status).to have_attributes(data)
    end
+
+    it 'omits full response text in status' do
+      request = double(success?: false,
+                       code: 401,
+                       message: 'Unauthorized',
+                       parsed_response: '<html><h1>You are not allowed</h1></html>')
+      allow(described_class).to receive(:get).and_return(request)
+
+      status = subject.call(secondary)
+
+      expect(status.health).to eq("Could not connect to Geo node - HTTP Status Code: 401 Unauthorized\n")
+    end
  end
 end