Merge branch...

Merge branch 'security-10-3-do-not-expose-passwords-or-tokens-in-service-integrations-api' into 'security-10-3' Filter out sensitive fields from the project services API See merge request gitlab/gitlabhq!2281

Merge branch...
Merge branch 'security-10-3-do-not-expose-passwords-or-tokens-in-service-integrations-api' into 'security-10-3' Filter out sensitive fields from the project services API See merge request gitlab/gitlabhq!2281
c167352d · Stan Hu · Oswaldo Ferreira · 1a8c8313 · c167352d · c167352d
Commit c167352d authored Jan 06, 2018 by Stan Hu Committed by Oswaldo Ferreira Jan 17, 2018
9 changed files
--- a/app/models/service.rb
+++ b/app/models/service.rb
@@ -118,6 +118,11 @@ class Service < ActiveRecord::Base
    nil
  end

+  def api_field_names
+    fields.map { |field| field[:name] }
+      .reject { |field_name| field_name =~ /(password|token|key)/ }
+  end
+
  def global_fields
    fields
  end

--- a/changelogs/unreleased/api-no-service-pw-output.yml
+++ b/changelogs/unreleased/api-no-service-pw-output.yml
+---
+title: Filter out sensitive fields from the project services API
+merge_request:
+author: Robert Schilling
+type: security
--- a/lib/api/entities.rb
+++ b/lib/api/entities.rb
@@ -815,10 +815,7 @@ module API
      expose :job_events
      # Expose serialized properties
      expose :properties do |service, options|
-        field_names = service.fields
-          .select { |field| options[:include_passwords] || field[:type] != 'password' }
-          .map { |field| field[:name] }
-        service.properties.slice(*field_names)
+        service.properties.slice(*service.api_field_names)
      end
    end


--- a/lib/api/services.rb
+++ b/lib/api/services.rb
@@ -833,7 +833,7 @@ module API
          service_params = declared_params(include_missing: false).merge(active: true)

          if service.update_attributes(service_params)
-            present service, with: Entities::ProjectService, include_passwords: current_user.admin?
+            present service, with: Entities::ProjectService
          else
            render_api_error!('400 Bad Request', 400)
          end

--- a/lib/api/v3/entities.rb
+++ b/lib/api/v3/entities.rb
@@ -272,10 +272,7 @@ module API
        expose :job_events, as: :build_events
        # Expose serialized properties
        expose :properties do |service, options|
-          field_names = service.fields
-            .select { |field| options[:include_passwords] || field[:type] != 'password' }
-            .map { |field| field[:name] }
-          service.properties.slice(*field_names)
+          service.properties.slice(*service.api_field_names)
        end
      end


--- a/lib/api/v3/services.rb
+++ b/lib/api/v3/services.rb
@@ -668,7 +668,7 @@ module API
        end
        get ":id/services/:service_slug" do
          service = user_project.find_or_initialize_service(params[:service_slug].underscore)
-          present service, with: Entities::ProjectService, include_passwords: current_user.admin?
+          present service, with: Entities::ProjectService
        end
      end


--- a/spec/models/service_spec.rb
+++ b/spec/models/service_spec.rb
@@ -284,4 +284,38 @@ describe Service do
      expect(KubernetesService.find_by_template).to eq(kubernetes_service)
    end
  end
+
+  describe '#api_field_names' do
+    let(:fake_service) do
+      Class.new(Service) do
+        def fields
+          [
+            { name: 'token' },
+            { name: 'api_token' },
+            { name: 'key' },
+            { name: 'api_key' },
+            { name: 'password' },
+            { name: 'password_field' },
+            { name: 'safe_field' }
+          ]
+        end
+      end
+    end
+
+    let(:service) do
+      fake_service.new(properties: [
+        { token: 'token-value' },
+        { api_token: 'api_token-value' },
+        { key: 'key-value' },
+        { api_key: 'api_key-value' },
+        { password: 'password-value' },
+        { password_field: 'password_field-value' },
+        { safe_field: 'safe_field-value' }
+      ])
+    end
+
+    it 'filters out sensitive fields' do
+      expect(service.api_field_names).to eq(['safe_field'])
+    end
+  end
 end
--- a/spec/requests/api/services_spec.rb
+++ b/spec/requests/api/services_spec.rb
@@ -83,14 +83,14 @@ describe API::Services do
        get api("/projects/#{project.id}/services/#{dashed_service}", admin)

        expect(response).to have_gitlab_http_status(200)
-        expect(json_response['properties'].keys.map(&:to_sym)).to match_array(service_attrs_list.map)
+        expect(json_response['properties'].keys).to match_array(service_instance.api_field_names)
      end

      it "returns properties of service #{service} other than passwords when authenticated as project owner" do
        get api("/projects/#{project.id}/services/#{dashed_service}", user)

        expect(response).to have_gitlab_http_status(200)
-        expect(json_response['properties'].keys.map(&:to_sym)).to match_array(service_attrs_list_without_passwords)
+        expect(json_response['properties'].keys).to match_array(service_instance.api_field_names)
      end

      it "returns error when authenticated but not a project owner" do

--- a/spec/support/services_shared_context.rb
+++ b/spec/support/services_shared_context.rb
@@ -3,13 +3,9 @@ Service.available_services_names.each do |service|
    let(:dashed_service) { service.dasherize }
    let(:service_method) { "#{service}_service".to_sym }
    let(:service_klass) { "#{service}_service".classify.constantize }
-    let(:service_fields) { service_klass.new.fields }
+    let(:service_instance) { service_klass.new }
+    let(:service_fields) { service_instance.fields }
    let(:service_attrs_list) { service_fields.inject([]) {|arr, hash| arr << hash[:name].to_sym } }
-    let(:service_attrs_list_without_passwords) do
-      service_fields
-        .select { |field| field[:type] != 'password' }
-        .map { |field| field[:name].to_sym}
-    end
    let(:service_attrs) do
      service_attrs_list.inject({}) do |hash, k|
        if k =~ /^(token*|.*_token|.*_key)/