Commit 05d5504d authored by Drew Blessing

Sanitize LDAP output in Rake tasks

The various LDAP check Rake tasks have long supported a SANITIZE
environment variable. When present, identifiable information is
obscured such as user names and project/group names. Until now,
the LDAP check did not honor this. Now it will only say how many
users were found. This should at least give the indication that
the LDAP configuration found something, but will not leak what
it is. Resolves #56131
parent c10bde1f
---
title: Sanitize LDAP output in Rake tasks
merge_request: 28427
author:
type: fixed
......@@ -33,10 +33,15 @@ module SystemCheck
$stdout.puts "LDAP users with access to your GitLab server (only showing the first #{limit} results)"
users = adapter.users(adapter.config.uid, '*', limit)
if should_sanitize?
$stdout.puts "\tUser output sanitized. Found #{users.length} users of #{limit} limit."
else
users.each do |user|
$stdout.puts "\tDN: #{user.dn}\t #{adapter.config.uid}: #{user.uid}"
end
end
end
rescue Net::LDAP::ConnectionRefusedError, Errno::ECONNREFUSED => e
$stdout.puts "Could not connect to the LDAP server: #{e.message}".color(:red)
end
......
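Review bot: the `rescue` at the end of this hunk still prints `e.message` unconditionally, so with SANITIZE set a connection failure echoes whatever the exception text carries (for a refused connection that is typically the LDAP host and port), even though the user list is now hidden. Consider checking `should_sanitize?` in that branch too and printing a generic "Could not connect to the LDAP server" line. A smaller point: the heading line still says "only showing the first #{limit} results" in the sanitized case, where no results are shown, and "Found #{users.length} users of #{limit} limit." would read better as "Found #{users.length} users (limit #{limit})."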
......@@ -96,6 +96,15 @@ describe 'check.rake' do
subject
end
it 'sanitizes output' do
user = double(dn: 'uid=fake_user1', uid: 'fake_user1')
allow(adapter).to receive(:users).and_return([user])
stub_env('SANITIZE', 'true')
expect { subject }.to output(/User output sanitized/).to_stdout
expect { subject }.not_to output('fake_user1').to_stdout
end
end
end
end
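Review bot: the negative assertion `expect { subject }.not_to output('fake_user1').to_stdout` does not prove the name is absent, because RSpec's `output` matcher with a String argument compares against the entire captured stdout for equality. The task prints other lines, so stdout is never exactly 'fake_user1' and this expectation passes even if the user's DN and uid are leaked. Use a regular expression instead, `not_to output(/fake_user1/).to_stdout`, which also covers the `uid=fake_user1` DN from the double.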