Merge branch 'raven-headers' into 'security'

Don't send Private-Token headers to Sentry Fixes https://gitlab.com/gitlab-org/gitlab-ce/issues/22537 This bumps 'raven' (the Ruby gem we use to send errors to Sentry) to version 2.0.2. We need 2.0.0 or newer to be able to sanitize HTTP headers. See merge request !2004

Merge branch 'raven-headers' into 'security'
Don't send Private-Token headers to Sentry Fixes https://gitlab.com/gitlab-org/gitlab-ce/issues/22537 This bumps 'raven' (the Ruby gem we use to send errors to Sentry) to version 2.0.2. We need 2.0.0 or newer to be able to sanitize HTTP headers. See merge request !2004
3f57ea0c · Rémy Coutable · 5e4418b2 · 437bebb0 · 3f57ea0c · 3f57ea0c
Commit 3f57ea0c authored Oct 05, 2016 by Rémy Coutable
Showing with 9 additions and 4 deletions

CHANGELOG CHANGELOG +1 -0

Gemfile Gemfile +1 -1

Gemfile.lock Gemfile.lock +3 -3

config/application.rb config/application.rb +2 -0

config/initializers/sentry.rb config/initializers/sentry.rb +2 -0

No files found.
--- a/CHANGELOG
+++ b/CHANGELOG
@@ -5,6 +5,7 @@ v 8.13.0 (unreleased)
 v 8.12.4 (unreleased)
  - Set GitLab project exported file permissions to owner only
+  - Don't send Private-Token (API authentication) headers to Sentry
 v 8.12.2 (unreleased)
  - Fix Import/Export not recognising correctly the imported services.

--- a/Gemfile
+++ b/Gemfile
@@ -233,7 +233,7 @@ gem 'net-ssh',            '~> 3.0.1'
 gem 'base32',             '~> 0.3.0'
 # Sentry integration
-gem 'sentry-raven', '~> 1.1.0'
+gem 'sentry-raven', '~> 2.0.0'
 gem 'premailer-rails', '~> 1.9.0'

--- a/Gemfile.lock
+++ b/Gemfile.lock
@@ -664,8 +664,8 @@ GEM
      activesupport (>= 3.1)
    select2-rails (3.5.9.3)
      thor (~> 0.14)
-    sentry-raven (1.1.0)
+    sentry-raven (2.0.2)
-      faraday (>= 0.7.6)
+      faraday (>= 0.7.6, < 0.10.x)
    settingslogic (2.0.9)
    sexp_processor (4.7.0)
    sham_rack (1.3.6)
@@ -950,7 +950,7 @@ DEPENDENCIES
  sdoc (~> 0.3.20)
  seed-fu (~> 2.3.5)
  select2-rails (~> 3.5.9)
-  sentry-raven (~> 1.1.0)
+  sentry-raven (~> 2.0.0)
  settingslogic (~> 2.0.9)
  sham_rack (~> 1.3.6)
  shoulda-matchers (~> 2.8.0)

--- a/config/application.rb
+++ b/config/application.rb
@@ -50,6 +50,7 @@ module Gitlab
    # - Build variables (:variables)
    # - GitLab Pages SSL cert/key info (:certificate, :encrypted_key)
    # - Webhook URLs (:hook)
+    # - GitLab-shell secret token (:secret_token)
    # - Sentry DSN (:sentry_dsn)
    # - Deploy keys (:key)
    config.filter_parameters += %i(
@@ -62,6 +63,7 @@ module Gitlab
      password
      password_confirmation
      private_token
+      secret_token
      sentry_dsn
      variables
    )

--- a/config/initializers/sentry.rb
+++ b/config/initializers/sentry.rb
@@ -18,6 +18,8 @@ if Rails.env.production?
      # Sanitize fields based on those sanitized from Rails.
      config.sanitize_fields = Rails.application.config.filter_parameters.map(&:to_s)
+      # Sanitize authentication headers
+      config.sanitize_http_headers = %w[Authorization Private-Token]
      config.tags = { program: Gitlab::Sentry.program_context }
    end
  end