
Filter additional parameters that have shown up in our logs

Stan Hu requested to merge sh-filter-csrf-params into master

Upon inspection of logs, there were a number of fields not filtered. For example:

  • authenticity_token: CSRF token
  • rss_token: Used for RSS feeds
  • secret: Used with Projects::UploadController

Rails provides a way to match regexps, so we now filter:

  • Any parameter ending with _token
  • Any parameter containing password
  • Any parameter containing secret
Edited by 🤖 GitLab Bot 🤖
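
The three rules in the description, as an added Ruby example that is not code from this merge request. It is a dependency-free stand-in for the key matching that Rails applies through `config.filter_parameters`; the regexps, the `filter_params` helper and the sample parameters are assumptions constructed for illustration, since the page does not show the actual patterns.

```ruby
# Added illustration: a dependency-free stand-in for Rails parameter filtering.
# The patterns express the three rules in the description; the exact regexps
# in the merge request are not shown on the page, so these are assumptions.
FILTER_PATTERNS = [
  /_token\z/,   # any parameter ending with _token (\z = end of string, not end of line)
  /password/,   # any parameter containing password
  /secret/      # any parameter containing secret
].freeze

FILTERED = '[FILTERED]'

# Recursively copy params, masking values whose key matches a pattern.
def filter_params(params, patterns = FILTER_PATTERNS)
  case params
  when Hash
    params.each_with_object({}) do |(key, value), out|
      out[key] = if patterns.any? { |re| re.match?(key.to_s) }
                   FILTERED
                 else
                   filter_params(value, patterns)
                 end
    end
  when Array
    params.map { |item| filter_params(item, patterns) }
  else
    params
  end
end

# Constructed sample request parameters (not taken from any real log).
SAMPLE_PARAMS = {
  'authenticity_token' => 'constructed-csrf-value',
  'rss_token' => 'constructed-rss-value',
  'secret' => 'constructed-upload-secret',
  'user' => { 'login' => 'alice', 'password_confirmation' => 'constructed-pw' },
  'token_count' => 3,
  'notes' => [{ 'client_secret' => 'constructed', 'body' => 'hello' }]
}.freeze

if __FILE__ == $PROGRAM_NAME
  require 'pp'
  pp filter_params(SAMPLE_PARAMS)
end
```

Substring rules such as "containing secret" also mask nested keys like `client_secret`, while the end-anchored `_token` rule leaves `token_count` readable in the logs.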
