Merge branch 'security-182-update-workhorse' into 'master'

[Master] Redact sensitive information on gitlab-workhorse log See merge request gitlab/gitlabhq!2584

Merge branch 'security-182-update-workhorse' into 'master'
[Master] Redact sensitive information on gitlab-workhorse log See merge request gitlab/gitlabhq!2584
3881285c · Cindy Pallares · 335434ca · 3881285c · 3881285c
Commit 3881285c authored Nov 28, 2018 by Cindy Pallares
Hide whitespace changes
Inline Side-by-side

Showing with 8 additions and 0 deletions

changelogs/unreleased/security-182-update-workhorse.yml changelogs/unreleased/security-182-update-workhorse.yml +5 -0

config/application.rb config/application.rb +3 -0

No files found.
--- a/changelogs/unreleased/security-182-update-workhorse.yml
+++ b/changelogs/unreleased/security-182-update-workhorse.yml
+---
+title: Redact sensitive information on gitlab-workhorse log
+merge_request:
+author:
+type: security
--- a/config/application.rb
+++ b/config/application.rb
@@ -103,6 +103,9 @@ module Gitlab
    # - Webhook URLs (:hook)
    # - Sentry DSN (:sentry_dsn)
    # - File content from Web Editor (:content)
+    #
+    # NOTE: It is **IMPORTANT** to also update gitlab-workhorse's filter when adding parameters here to not
+    #       introduce another security vulnerability: https://gitlab.com/gitlab-org/gitlab-workhorse/issues/182
    config.filter_parameters += [/token$/, /password/, /secret/, /key$/]
    config.filter_parameters += %i(
      certificate