Sanitize request parameters in exceptions_json.log

If an exception occurred from the API, some parameters from the request may be stored unfiltered in `exceptions_json.log`. We now use our internal parameter filters to ensure they are cleaned before writing them to the logs. Closes https://gitlab.com/gitlab-org/gitlab/issues/202132

Sanitize request parameters in exceptions_json.log
If an exception occurred from the API, some parameters from the request may be stored unfiltered in `exceptions_json.log`. We now use our internal parameter filters to ensure they are cleaned before writing them to the logs. Closes https://gitlab.com/gitlab-org/gitlab/issues/202132
727a07c5 · Stan Hu · 7a0576c6 · 727a07c5 · 727a07c5 · 727a07c5
Commit 727a07c5 authored Feb 06, 2020 by Stan Hu
3 changed files
--- a/changelogs/unreleased/sh-sanitize-api-request-parameters.yml
+++ b/changelogs/unreleased/sh-sanitize-api-request-parameters.yml
+---
+title: Sanitize request parameters in exceptions_json.log
+merge_request: 24625
+author:
+type: fixed
--- a/lib/gitlab/error_tracking.rb
+++ b/lib/gitlab/error_tracking.rb
@@ -97,6 +97,8 @@ module Gitlab
          extra = extra.merge(data) if data.is_a?(Hash)
        end

+        extra = sanitize_request_parameters(extra)
+
        if sentry && Raven.configuration.server
          Raven.capture_exception(exception, tags: default_tags, extra: extra)
        end
@@ -117,6 +119,11 @@ module Gitlab
        end
      end

+      def sanitize_request_parameters(parameters)
+        filter = ActiveSupport::ParameterFilter.new(::Rails.application.config.filter_parameters)
+        filter.filter(parameters)
+      end
+
      def sentry_dsn
        return unless Rails.env.production? || Rails.env.development?
        return unless Gitlab.config.sentry.enabled

--- a/spec/lib/gitlab/error_tracking_spec.rb
+++ b/spec/lib/gitlab/error_tracking_spec.rb
@@ -145,6 +145,17 @@ describe Gitlab::ErrorTracking do
      )
    end

+    context 'with filterable parameters' do
+      let(:extra) { { test: 1, my_token: 'test' } }
+
+      it 'filters parameters' do
+        expect(Gitlab::ErrorTracking::Logger).to receive(:error).with(
+          hash_including({ 'extra.test' => 1, 'extra.my_token' => '[FILTERED]' }))
+
+        described_class.track_exception(exception, extra)
+      end
+    end
+
    context 'the exception implements :sentry_extra_data' do
      let(:extra_info) { { event: 'explosion', size: :massive } }
      let(:exception) { double(message: 'bang!', sentry_extra_data: extra_info, backtrace: caller) }