GitLab.org / GitLab FOSS · Issue #22537 · Closed
Created Sep 23, 2016 by Jacob Vosmaer (@jacobvosmaer-gitlab), Developer

GitLab sends HTTP headers containing user API tokens to Sentry

Example: https://sentry.gitlap.com/gitlab/gitlabcom/issues/11904/ , scroll down to 'Headers', 'Show more', look for 'Private-Token'.

We also send 'Authorization' headers but I think Sentry filters those on the server side. That is still not good because it means we hand over unencrypted user passwords to Sentry. Edit: it looks like the Ruby Sentry client scrubs 'Authorization' client-side, before sending it to Sentry.

In the case of gitlab.com this is bad but at least we 'own' the Sentry server (we run an 'on premises' version). For other GitLab installations that integrate with Sentry.io the problem is worse because they have been sending passwords and API tokens equivalent to passwords to a third-party SaaS.

cc @stanhu @DouweM
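The mitigation the report points at is client-side scrubbing of credential-bearing headers before an error event leaves the application. The following is an added illustration, not GitLab's or the Ruby Sentry client's own code: the event layout, the `scrub_event`/`leaked_headers` helpers and the sample payload are all constructed for this example, and it masks both `Authorization` and `Private-Token` (the header the report shows leaking), including Rack-style `HTTP_PRIVATE_TOKEN` names.

```ruby
# Added example (hypothetical helpers, not the Sentry client's API): mask
# credential-bearing headers in an error-report payload before it is sent.
SENSITIVE_HEADERS = %w[authorization private-token].freeze
MASK = '[FILTERED]'.freeze

# HTTP header names are case-insensitive; Rack also exposes them as
# HTTP_PRIVATE_TOKEN. Reduce both spellings to one canonical form.
def canonical_header(name)
  name.to_s.sub(/\AHTTP_/, '').tr('_', '-').downcase
end

# Return a copy of a headers hash with sensitive values replaced by MASK.
def scrub_headers(headers)
  headers.each_with_object({}) do |(name, value), out|
    out[name] = SENSITIVE_HEADERS.include?(canonical_header(name)) ? MASK : value
  end
end

# Walk the whole event and scrub every "headers" hash wherever it appears,
# so nested request/response structures are covered, not just a fixed path.
def scrub_event(event)
  case event
  when Hash
    event.each_with_object({}) do |(key, value), out|
      headers = key.to_s.downcase == 'headers' && value.is_a?(Hash)
      out[key] = headers ? scrub_headers(value) : scrub_event(value)
    end
  when Array then event.map { |item| scrub_event(item) }
  else event
  end
end

# Last-line check before sending: names of sensitive headers still unmasked.
def leaked_headers(event, found = [])
  case event
  when Hash
    event.each do |key, value|
      if key.to_s.downcase == 'headers' && value.is_a?(Hash)
        value.each { |n, v| found << n if SENSITIVE_HEADERS.include?(canonical_header(n)) && v != MASK }
      else
        leaked_headers(value, found)
      end
    end
  when Array then event.each { |item| leaked_headers(item, found) }
  end
  found
end

# Constructed sample event; token and credential values are placeholders.
SAMPLE_EVENT = {
  'message' => 'NoMethodError in ProjectsController#show',
  'request' => { 'url' => 'https://gitlab.example/api/v3/projects',
                 'headers' => { 'Host' => 'gitlab.example', 'Private-Token' => 'TOKEN-PLACEHOLDER',
                                'HTTP_AUTHORIZATION' => 'Basic CREDS-PLACEHOLDER', 'User-Agent' => 'curl/7.50' } }
}.freeze
```

Calling `leaked_headers(scrub_event(event))` and refusing to send when it is non-empty turns the scrubber into a check that fails closed rather than silently leaking.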
