Merge branch 'sh-sanitize-api-request-parameters' into 'master'

Sanitize request parameters in exceptions_json.log

Closes #202132

See merge request gitlab-org/gitlab!24625

changelogs/unreleased/sh-sanitize-api-request-parameters.yml

+---
+title: Sanitize request parameters in exceptions_json.log
+merge_request: 24625
+author:
+type: fixed

lib/gitlab/error_tracking.rb

@@ -97,6 +97,8 @@ module Gitlab
           extra = extra.merge(data) if data.is_a?(Hash)
         end
 
+        extra = sanitize_request_parameters(extra)
+
         if sentry && Raven.configuration.server
           Raven.capture_exception(exception, tags: default_tags, extra: extra)
         end
@@ -117,6 +119,11 @@ module Gitlab
         end
       end
 
+      def sanitize_request_parameters(parameters)
+        filter = ActiveSupport::ParameterFilter.new(::Rails.application.config.filter_parameters)
+        filter.filter(parameters)
+      end
+
       def sentry_dsn
         return unless Rails.env.production? || Rails.env.development?
         return unless Gitlab.config.sentry.enabled

spec/lib/gitlab/error_tracking_spec.rb

@@ -145,6 +145,17 @@ describe Gitlab::ErrorTracking do
       )
     end
 
+    context 'with filterable parameters' do
+      let(:extra) { { test: 1, my_token: 'test' } }
+
+      it 'filters parameters' do
+        expect(Gitlab::ErrorTracking::Logger).to receive(:error).with(
+          hash_including({ 'extra.test' => 1, 'extra.my_token' => '[FILTERED]' }))
+
+        described_class.track_exception(exception, extra)
+      end
+    end
+
     context 'the exception implements :sentry_extra_data' do
       let(:extra_info) { { event: 'explosion', size: :massive } }
       let(:exception) { double(message: 'bang!', sentry_extra_data: extra_info, backtrace: caller) }