Commit 59584a7e authored by GitLab Release Tools Bot's avatar GitLab Release Tools Bot

Merge branch 'security-search-term-logged' into 'master'

Filter params[:search] to prevent leaks

See merge request gitlab-org/security/gitlab!1065
parents 673ff06e 936ae5b2
...@@ -122,7 +122,6 @@ class SearchController < ApplicationController ...@@ -122,7 +122,6 @@ class SearchController < ApplicationController
payload[:metadata] ||= {} payload[:metadata] ||= {}
payload[:metadata]['meta.search.group_id'] = params[:group_id] payload[:metadata]['meta.search.group_id'] = params[:group_id]
payload[:metadata]['meta.search.project_id'] = params[:project_id] payload[:metadata]['meta.search.project_id'] = params[:project_id]
payload[:metadata]['meta.search.search'] = params[:search]
payload[:metadata]['meta.search.scope'] = params[:scope] payload[:metadata]['meta.search.scope'] = params[:scope]
payload[:metadata]['meta.search.filters.confidential'] = params[:confidential] payload[:metadata]['meta.search.filters.confidential'] = params[:confidential]
payload[:metadata]['meta.search.filters.state'] = params[:state] payload[:metadata]['meta.search.filters.state'] = params[:state]
......
---
title: Filter search parameter to prevent data leaks
merge_request:
author:
type: security
...@@ -137,6 +137,7 @@ module Gitlab ...@@ -137,6 +137,7 @@ module Gitlab
encrypted_key encrypted_key
import_url import_url
elasticsearch_url elasticsearch_url
search
otp_attempt otp_attempt
sentry_dsn sentry_dsn
trace trace
......
...@@ -272,7 +272,7 @@ RSpec.describe SearchController do ...@@ -272,7 +272,7 @@ RSpec.describe SearchController do
expect(last_payload[:metadata]['meta.search.group_id']).to eq('123') expect(last_payload[:metadata]['meta.search.group_id']).to eq('123')
expect(last_payload[:metadata]['meta.search.project_id']).to eq('456') expect(last_payload[:metadata]['meta.search.project_id']).to eq('456')
expect(last_payload[:metadata]['meta.search.search']).to eq('hello world') expect(last_payload[:metadata]).not_to have_key('meta.search.search')
expect(last_payload[:metadata]['meta.search.scope']).to eq('issues') expect(last_payload[:metadata]['meta.search.scope']).to eq('issues')
expect(last_payload[:metadata]['meta.search.force_search_results']).to eq('true') expect(last_payload[:metadata]['meta.search.force_search_results']).to eq('true')
expect(last_payload[:metadata]['meta.search.filters.confidential']).to eq('true') expect(last_payload[:metadata]['meta.search.filters.confidential']).to eq('true')
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment