Merge branch 'raven-headers' into 'security'

Don't send Private-Token headers to Sentry Fixes https://gitlab.com/gitlab-org/gitlab-ce/issues/22537 This bumps 'raven' (the Ruby gem we use to send errors to Sentry) to version 2.0.2. We need 2.0.0 or newer to be able to sanitize HTTP headers. See merge request !2004 Signed-off-by: Rémy Coutable <remy@rymai.me>

Merge branch 'raven-headers' into 'security'
Don't send Private-Token headers to Sentry Fixes https://gitlab.com/gitlab-org/gitlab-ce/issues/22537 This bumps 'raven' (the Ruby gem we use to send errors to Sentry) to version 2.0.2. We need 2.0.0 or newer to be able to sanitize HTTP headers. See merge request !2004 Signed-off-by: Rémy Coutable <remy@rymai.me>
6e1c1d95 · Rémy Coutable · Rémy Coutable · 4d4c4687 · 6e1c1d95 · 6e1c1d95
Commit 6e1c1d95 authored Oct 05, 2016 by Rémy Coutable Committed by Rémy Coutable Oct 11, 2016
Showing with 12 additions and 5 deletions

CHANGELOG CHANGELOG +3 -0

Gemfile Gemfile +1 -1

Gemfile.lock Gemfile.lock +3 -3

config/application.rb config/application.rb +2 -0

config/initializers/sentry.rb config/initializers/sentry.rb +3 -1

No files found.
--- a/CHANGELOG
+++ b/CHANGELOG
 Please view this file on the master branch, on stable branches it's out of date.
+v 8.10.12
+  - Don't send Private-Token (API authentication) headers to Sentry
 v 8.10.11
  - Respect the fork_project permission when forking projects
  - Set a restrictive CORS policy on the API for credentialed requests

--- a/Gemfile
+++ b/Gemfile
@@ -235,7 +235,7 @@ gem 'net-ssh',            '~> 3.0.1'
 gem 'base32',             '~> 0.3.0'
 # Sentry integration
-gem 'sentry-raven', '~> 1.1.0'
+gem 'sentry-raven', '~> 2.0.0'
 gem 'premailer-rails', '~> 1.9.0'

--- a/Gemfile.lock
+++ b/Gemfile.lock
@@ -650,8 +650,8 @@ GEM
      activesupport (>= 3.1)
    select2-rails (3.5.9.3)
      thor (~> 0.14)
-    sentry-raven (1.1.0)
+    sentry-raven (2.0.2)
-      faraday (>= 0.7.6)
+      faraday (>= 0.7.6, < 0.10.x)
    settingslogic (2.0.9)
    sexp_processor (4.7.0)
    sham_rack (1.3.6)
@@ -946,7 +946,7 @@ DEPENDENCIES
  sdoc (~> 0.3.20)
  seed-fu (~> 2.3.5)
  select2-rails (~> 3.5.9)
-  sentry-raven (~> 1.1.0)
+  sentry-raven (~> 2.0.0)
  settingslogic (~> 2.0.9)
  sham_rack (~> 1.3.6)
  shoulda-matchers (~> 2.8.0)

--- a/config/application.rb
+++ b/config/application.rb
@@ -50,6 +50,7 @@ module Gitlab
    # - Build variables (:variables)
    # - GitLab Pages SSL cert/key info (:certificate, :encrypted_key)
    # - Webhook URLs (:hook)
+    # - GitLab-shell secret token (:secret_token)
    # - Sentry DSN (:sentry_dsn)
    # - Deploy keys (:key)
    config.filter_parameters += %i(
@@ -62,6 +63,7 @@ module Gitlab
      password
      password_confirmation
      private_token
+      secret_token
      sentry_dsn
      variables
    )

--- a/config/initializers/sentry.rb
+++ b/config/initializers/sentry.rb
@@ -15,9 +15,11 @@ if Rails.env.production?
    Raven.configure do |config|
      config.dsn = current_application_settings.sentry_dsn
      config.release = Gitlab::REVISION
      # Sanitize fields based on those sanitized from Rails.
      config.sanitize_fields = Rails.application.config.filter_parameters.map(&:to_s)
+      # Sanitize authentication headers
+      config.sanitize_http_headers = %w[Authorization Private-Token]
    end
  end
 end