Commit
9b95e36d
authored
Oct 29, 2019
by
GitLab Release Tools Bot
Merge branch 'security-mask-sentry-token' into 'master'
Mask sentry auth token See merge request gitlab/gitlab-ee!1360
parents
fecfeccd
8f5116da
Showing
6 changed files
with
51 additions
and
4 deletions
+51
-4
app/services/error_tracking/list_projects_service.rb
app/services/error_tracking/list_projects_service.rb
+8
-1
app/services/projects/operations/update_service.rb
app/services/projects/operations/update_service.rb
+4
-2
app/views/projects/settings/operations/_error_tracking.html.haml
...ws/projects/settings/operations/_error_tracking.html.haml
+1
-1
changelogs/unreleased/security-mask-sentry-token-ce.yml
changelogs/unreleased/security-mask-sentry-token-ce.yml
+4
-0
spec/services/error_tracking/list_projects_service_spec.rb
spec/services/error_tracking/list_projects_service_spec.rb
+13
-0
spec/services/projects/operations/update_service_spec.rb
spec/services/projects/operations/update_service_spec.rb
+21
-0
app/services/error_tracking/list_projects_service.rb
...
...
@@ -32,7 +32,7 @@ module ErrorTracking
project_slug:
'proj'
)
setting
.
token
=
params
[
:token
]
setting
.
token
=
token
(
setting
)
setting
.
enabled
=
true
end
end
...
...
@@ -40,5 +40,12 @@ module ErrorTracking
def
can_read?
can?
(
current_user
,
:read_sentry_issue
,
project
)
end
def
token
(
setting
)
# Use param token if not masked, otherwise use database token
return
params
[
:token
]
unless
/\A\*+\z/
.
match?
(
params
[
:token
])
setting
.
token
end
end
end
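Review bot: The new `token(setting)` fallback reuses the stored Sentry token whenever the submitted value is all asterisks, without checking that the request still names the host the token was saved for. The spec added in this commit passes `api_host: new_api_host` together with a masked token, so if this service applies the submitted host before listing projects (that code is outside the hunks), the stored secret would be sent to whatever host the request names. I would honour the masked value only when the submitted API host equals the persisted one and otherwise require the token to be re-entered, documented on the method with `# Masked token is only accepted for the already-saved api_host; a new host needs a fresh token`. The method edited by the first hunk starts outside the hunk.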
app/services/projects/operations/update_service.rb
...
...
@@ -36,15 +36,17 @@ module Projects
organization_slug:
settings
.
dig
(
:project
,
:organization_slug
)
)
{
params
=
{
error_tracking_setting_attributes:
{
api_url:
api_url
,
token:
settings
[
:token
],
enabled:
settings
[
:enabled
],
project_name:
settings
.
dig
(
:project
,
:name
),
organization_name:
settings
.
dig
(
:project
,
:organization_name
)
}
}
params
[
:error_tracking_setting_attributes
][
:token
]
=
settings
[
:token
]
unless
/\A\*+\z/
.
match?
(
settings
[
:token
])
# Don't update token if we receive masked value
params
end
def
grafana_integration_params
...
...
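Review bot: The masked-value test `/\A\*+\z/.match?(...)` is written out here and again in `ErrorTracking::ListProjectsService#token`, while the mask itself is the literal `'*' * 12` in `_error_tracking.html.haml`; if the view's placeholder ever changes to something the regex does not match, the placeholder would be saved as the token. One shared definition, for example a constant such as `MASKED_TOKEN_REGEX = /\A\*+\z/` (name constructed) on the setting model, used by both services and kept next to the mask string, would keep the three places in step. Separately, `Regexp#match?` raises `TypeError` for an argument that is neither nil, a String nor a Symbol, so `settings[:token].to_s` is the safer operand if a non-string value can reach this method (the parameter filtering is not visible here). The enclosing method starts outside the hunk.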
app/views/projects/settings/operations/_error_tracking.html.haml
...
...
@@ -17,4 +17,4 @@
project:
error_tracking_setting_project_json
,
api_host:
setting
.
api_host
,
enabled:
setting
.
enabled
.
to_json
,
token:
setting
.
token
}
}
token:
setting
.
token
.
present?
?
'*'
*
12
:
nil
}
}
changelogs/unreleased/security-mask-sentry-token-ce.yml
0 → 100644
---
title
:
Mask sentry auth token in Error Tracking dashboard
author
:
type
:
security
spec/services/error_tracking/list_projects_service_spec.rb
...
...
@@ -50,6 +50,19 @@ describe ErrorTracking::ListProjectsService do
end
end
context
'masked param token'
do
let
(
:params
)
{
ActionController
::
Parameters
.
new
(
token:
"*********"
,
api_host:
new_api_host
)
}
before
do
expect
(
error_tracking_setting
).
to
receive
(
:list_sentry_projects
)
.
and_return
({
projects:
[]
})
end
it
'uses database token'
do
expect
{
subject
.
execute
}.
not_to
change
{
error_tracking_setting
.
token
}
end
end
context
'sentry client raises exception'
do
context
'Sentry::Client::Error'
do
before
do
...
...
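Review bot: The 'masked param token' context covers only a fully masked value, so nothing pins the `\A` and `\z` anchors in `token(setting)`. An example with a partly masked token such as `'***abc'` (constructed value) that expects the submitted value to be used would catch a regression to an unanchored match. The `expect(error_tracking_setting).to receive(:list_sentry_projects)` in the `before` block is also an assertion placed in setup; `allow(...)` there, with the expectation inside the example, would read more clearly. The hunk ends inside the following 'sentry client raises exception' context.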
spec/services/projects/operations/update_service_spec.rb
...
...
@@ -145,6 +145,27 @@ describe Projects::Operations::UpdateService do
end
end
context
'with masked param token'
do
let
(
:params
)
do
{
error_tracking_setting_attributes:
{
enabled:
false
,
token:
'*'
*
8
}
}
end
before
do
create
(
:project_error_tracking_setting
,
project:
project
,
token:
'token'
)
end
it
'does not update token'
do
expect
(
result
[
:status
]).
to
eq
(
:success
)
expect
(
project
.
error_tracking_setting
.
token
).
to
eq
(
'token'
)
end
end
context
'with invalid parameters'
do
let
(
:params
)
{
{}
}
...
...
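Review bot: The 'does not update token' example sends `enabled: false` with the masked token but checks only the status and the token, so it would still pass if a masked token caused the other attributes to be dropped. Assuming the factory creates the setting enabled, adding `expect(project.error_tracking_setting.enabled).to be(false)` (reloading the record first if the spec's `project` is cached) would pin that only the token is skipped. The hunk ends inside the 'with invalid parameters' context.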