filter `body` parameter for `/api/:version/projects/:id/issues/:noteable_id/notes` (and probably elsewhere)
Summary
The `body` parameter is currently being logged in the structured Rails log. Content that should remain private/confidential is present in logs. This is also an unstructured text field that can be large and causes unnecessary resource usage of logging infrastructure.
Steps to reproduce
Submit a valid request to the notes route: `/api/:version/projects/:id/issues/:noteable_id/notes`
What is the current bug behavior?
`body` parameter is included in the `params` element.
What is the expected correct behavior?
The `body` parameter should not be present or should be given a placeholder value like `[REMOVED]`.
Relevant logs and/or screenshots
https://log.gitlab.net/goto/4f5527be8b654331c7dcb0c400037557
Output of checks
This bug happens on GitLab.com.
Possible fixes
Adding it to the filter list will fix the immediate issue; however, this is a repeated, ongoing issue affecting the user privacy of GitLab.com users and projects and should be addressed more systematically by changing to an `allowList` explicitly listing fields to include in logs: gitlab-org/gitlab-ce#57673
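
The difference between the two approaches named under "Possible fixes", as an added Ruby example that is not part of the original issue and not GitLab's own code. The list contents, the function names `filter_with_denylist` and `filter_with_allowlist`, and the sample parameters are assumptions constructed for illustration.

```ruby
PLACEHOLDER = '[REMOVED]'

# Assumed lists for illustration; not GitLab's actual configuration.
DENYLIST  = %w[password token secret].freeze
ALLOWLIST = %w[id noteable_id version].freeze

# Denylist: log every value unless its key matches a known-sensitive name.
def filter_with_denylist(params, denylist = DENYLIST)
  params.each_with_object({}) do |(key, value), out|
    out[key] =
      if denylist.any? { |name| key.to_s.include?(name) }
        PLACEHOLDER
      elsif value.is_a?(Hash)
        filter_with_denylist(value, denylist)
      else
        value
      end
  end
end

# Allowlist: log a value only if its key is explicitly listed.
# Nested hashes are descended so the structure stays visible, the values do not.
def filter_with_allowlist(params, allowlist = ALLOWLIST)
  params.each_with_object({}) do |(key, value), out|
    out[key] =
      if value.is_a?(Hash)
        filter_with_allowlist(value, allowlist)
      elsif allowlist.include?(key.to_s)
        value
      else
        PLACEHOLDER
      end
  end
end

# Constructed sample request parameters for the notes route.
SAMPLE_PARAMS = {
  'version' => 'v4',
  'id' => '42',
  'noteable_id' => '7',
  'body' => 'Confidential customer details ...',
  'private_token' => 'constructed-token-value',
  'extra' => { 'description' => 'another free-text field' }
}.freeze

if __FILE__ == $PROGRAM_NAME
  p filter_with_denylist(SAMPLE_PARAMS)   # body and extra.description are logged
  p filter_with_allowlist(SAMPLE_PARAMS)  # only id, noteable_id, version are logged
end
```

With the denylist, every free-text field that nobody thought to list ends up in the log; with the allowlist, a newly added field is masked until someone decides it is safe to log.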