Merge branch 'security-fix-leaking-kubernetes-cluster-ip' into 'master'

Remove Kubernetes IP address from errors returned in Threat Monitoring See merge request gitlab-org/security/gitlab!1155

Merge branch 'security-fix-leaking-kubernetes-cluster-ip' into 'master'
Remove Kubernetes IP address from errors returned in Threat Monitoring See merge request gitlab-org/security/gitlab!1155
eca2a3e9 · GitLab Release Tools Bot · 0a81cbbe · 26e688bf · eca2a3e9 · eca2a3e9
Commit eca2a3e9 authored Jan 27, 2021 by GitLab Release Tools Bot
7 changed files
--- a/ee/app/services/network_policies/delete_resource_service.rb
+++ b/ee/app/services/network_policies/delete_resource_service.rb
@@ -23,7 +23,7 @@ module NetworkPolicies

      ServiceResponse.success
    rescue Kubeclient::HttpError => e
-      kubernetes_error_response(e)
+      kubernetes_error_response(e.message)
    end
  end
 end
--- a/ee/app/services/network_policies/deploy_resource_service.rb
+++ b/ee/app/services/network_policies/deploy_resource_service.rb
@@ -26,7 +26,7 @@ module NetworkPolicies
      load_policy_from_resource
      ServiceResponse.success(payload: policy)
    rescue Kubeclient::HttpError => e
-      kubernetes_error_response(e)
+      kubernetes_error_response(e.message)
    end

    private

--- a/ee/app/services/network_policies/find_resource_service.rb
+++ b/ee/app/services/network_policies/find_resource_service.rb
@@ -16,7 +16,7 @@ module NetworkPolicies

      ServiceResponse.success(payload: get_policy)
    rescue Kubeclient::HttpError => e
-      kubernetes_error_response(e)
+      kubernetes_error_response(e.message)
    end

    private

--- a/ee/changelogs/unreleased/289930-fix-leaking-kubernetes-cluster-ip.yml
+++ b/ee/changelogs/unreleased/289930-fix-leaking-kubernetes-cluster-ip.yml
+---
+title: Remove Kubernetes IP address from error messages returned in Threat Monitoring
+merge_request:
+author:
+type: security
--- a/ee/spec/services/network_policies/delete_resource_service_spec.rb
+++ b/ee/spec/services/network_policies/delete_resource_service_spec.rb
@@ -49,8 +49,11 @@ RSpec.describe NetworkPolicies::DeleteResourceService do
    end

    context 'with Kubeclient::HttpError' do
+      let(:request_url) { 'https://kubernetes.local' }
+      let(:response) {  RestClient::Response.create('', {}, RestClient::Request.new(url: request_url, method: :get)) }
+
      before do
-        allow(kubeclient).to receive(:delete_network_policy).and_raise(Kubeclient::HttpError.new(500, 'system failure', nil))
+        allow(kubeclient).to receive(:delete_network_policy).and_raise(Kubeclient::HttpError.new(500, 'system failure', response))
      end

      it 'returns error response' do
@@ -58,6 +61,10 @@ RSpec.describe NetworkPolicies::DeleteResourceService do
        expect(subject.http_status).to eq(:bad_request)
        expect(subject.message).not_to be_nil
      end
+
+      it 'returns error message without request url' do
+        expect(subject.message).not_to include(request_url)
+      end
    end

    context 'with CiliumNetworkPolicy' do

--- a/ee/spec/services/network_policies/deploy_resource_service_spec.rb
+++ b/ee/spec/services/network_policies/deploy_resource_service_spec.rb
@@ -94,8 +94,11 @@ RSpec.describe NetworkPolicies::DeployResourceService do
    end

    context 'with Kubeclient::HttpError' do
+      let(:request_url) { 'https://kubernetes.local' }
+      let(:response) {  RestClient::Response.create('', {}, RestClient::Request.new(url: request_url, method: :get)) }
+
      before do
-        allow(kubeclient).to receive(:create_network_policy).and_raise(Kubeclient::HttpError.new(500, 'system failure', nil))
+        allow(kubeclient).to receive(:create_network_policy).and_raise(Kubeclient::HttpError.new(500, 'system failure', response))
      end

      it 'returns error response' do
@@ -103,6 +106,10 @@ RSpec.describe NetworkPolicies::DeployResourceService do
        expect(subject.http_status).to eq(:bad_request)
        expect(subject.message).not_to be_nil
      end
+
+      it 'returns error message without request url' do
+        expect(subject.message).not_to include(request_url)
+      end
    end

    context 'with cilium network policy' do

--- a/ee/spec/services/network_policies/find_resource_service_spec.rb
+++ b/ee/spec/services/network_policies/find_resource_service_spec.rb
@@ -62,8 +62,11 @@ RSpec.describe NetworkPolicies::FindResourceService do
    end

    context 'with Kubeclient::HttpError' do
+      let(:request_url) { 'https://kubernetes.local' }
+      let(:response) {  RestClient::Response.create('', {}, RestClient::Request.new(url: request_url, method: :get)) }
+
      before do
-        allow(kubeclient).to receive(:get_network_policy).and_raise(Kubeclient::HttpError.new(500, 'system failure', nil))
+        allow(kubeclient).to receive(:get_network_policy).and_raise(Kubeclient::HttpError.new(500, 'system failure', response))
      end

      it 'returns error response' do
@@ -71,6 +74,10 @@ RSpec.describe NetworkPolicies::FindResourceService do
        expect(subject.http_status).to eq(:bad_request)
        expect(subject.message).not_to be_nil
      end
+
+      it 'returns error message without request url' do
+        expect(subject.message).not_to include(request_url)
+      end
    end
  end
 end