Merge branch 'security-search-term-logged' into 'master'

Filter params[:search] to prevent leaks

See merge request gitlab-org/security/gitlab!1065

app/controllers/search_controller.rb

@@ -122,7 +122,6 @@ class SearchController < ApplicationController
     payload[:metadata] ||= {}
     payload[:metadata]['meta.search.group_id'] = params[:group_id]
     payload[:metadata]['meta.search.project_id'] = params[:project_id]
-    payload[:metadata]['meta.search.search'] = params[:search]
     payload[:metadata]['meta.search.scope'] = params[:scope]
     payload[:metadata]['meta.search.filters.confidential'] = params[:confidential]
     payload[:metadata]['meta.search.filters.state'] = params[:state]

changelogs/unreleased/security-search-term-logged.yml

+---
+title: Filter search parameter to prevent data leaks
+merge_request:
+author:
+type: security

config/application.rb

@@ -137,6 +137,7 @@ module Gitlab
       encrypted_key
       import_url
       elasticsearch_url
+      search
       otp_attempt
       sentry_dsn
       trace

spec/controllers/search_controller_spec.rb

@@ -272,7 +272,7 @@ RSpec.describe SearchController do
 
       expect(last_payload[:metadata]['meta.search.group_id']).to eq('123')
       expect(last_payload[:metadata]['meta.search.project_id']).to eq('456')
-      expect(last_payload[:metadata]['meta.search.search']).to eq('hello world')
+      expect(last_payload[:metadata]).not_to have_key('meta.search.search')
       expect(last_payload[:metadata]['meta.search.scope']).to eq('issues')
       expect(last_payload[:metadata]['meta.search.force_search_results']).to eq('true')
       expect(last_payload[:metadata]['meta.search.filters.confidential']).to eq('true')