Add rubocop rule for sensitive variable interpolation
What does this MR do and why?
Adding a security rubocop rule to alert when sensitive variables are interpolated in a string, likely to get logged.
How to set up and validate locally
Using the following file for testing:

```ruby
def configuration
  Runtime::Env.require_aws_s3_environment!
  gitlab_rails['object_store']['objects']['lfs']['bucket'] = Runtime::Env.aws_s3_bucket_name # secure
  gitlab_rails['object_store']['objects']['lfs']['bucket'] = '#{Runtime::Env.aws_s3_bucket_name}' # secure
end

def configuration
  Runtime::Env.require_aws_s3_environment!
  <<~OMNIBUS
    gitlab_rails['object_store']['objects']['external_diffs']['bucket'] = '#{Runtime::Env.aws_s3_secret_key}' # vulnerable
  OMNIBUS
  <<~OMNIBUS
    gitlab_rails['object_store']['objects']['lfs']['bucket'] = '#{Runtime::Env.aws_s3_bucket_name}' # secure
  OMNIBUS
end
```
Run:

```shell
$ rubocop --only Gitlab/DangerousInterpolation
```

Output:

```
Offenses:

test.rb:5:88: C: Gitlab/DangerousInterpolation: Sensitive variables should not be logged.
gitlab_rails['object_store']['objects']['external_diffs']['bucket'] = '#{Runtime::Env.aws_s3_secret_key}'
                                                                         ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
```
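As an added illustration (not the MR's cop, which is built on RuboCop's cop API), the following stand-alone sketch reproduces the detection idea with Ruby's built-in `RubyVM::AbstractSyntaxTree`: it walks the parse tree, picks out interpolated `#{...}` segments, and reports those whose expression references a sensitive-looking name, so the single-quoted literal passes while the heredoc is flagged. The name pattern, the `SAMPLE` file and the helper names are constructed for this example.

```ruby
# Stand-alone sketch of a "dangerous interpolation" check built on Ruby's own
# RubyVM::AbstractSyntaxTree rather than RuboCop's cop API. Assumed, not taken
# from the MR: the name pattern below and flagging any match inside "#{...}".
SENSITIVE_NAME = /secret|password|passwd|token|private_key|access_key/i

# Constructed sample modelled on the MR's test file: the single-quoted string
# is a plain literal (no interpolation happens), the heredoc interpolates.
SAMPLE = <<~'RUBY'
  def configuration
    Runtime::Env.require_aws_s3_environment!
    gitlab_rails['lfs']['bucket'] = '#{Runtime::Env.aws_s3_secret_key}' # literal, not interpolated
    <<~OMNIBUS
      gitlab_rails['external_diffs']['bucket'] = '#{Runtime::Env.aws_s3_secret_key}' # vulnerable
      gitlab_rails['lfs']['bucket'] = '#{Runtime::Env.aws_s3_bucket_name}' # not sensitive
    OMNIBUS
  end
RUBY

# Every method, variable and constant name appearing in an AST subtree.
def names_in(node)
  return [] unless node.is_a?(RubyVM::AbstractSyntaxTree::Node)
  node.children.flat_map { |c| c.is_a?(Symbol) ? [c] : names_in(c) }
end

# Depth-first walk over all nodes of the tree.
def each_node(node, &blk)
  return unless node.is_a?(RubyVM::AbstractSyntaxTree::Node)
  yield node
  node.children.each { |c| each_node(c, &blk) }
end

# Returns [[line, name], ...] for every "#{...}" segment (an EVSTR node) whose
# expression references a sensitive-looking name.
def dangerous_interpolations(source)
  ast = RubyVM::AbstractSyntaxTree.parse(source)
  offenses = []
  each_node(ast) do |node|
    next unless node.type == :EVSTR
    hit = names_in(node.children.first).find { |n| n.to_s.match?(SENSITIVE_NAME) }
    offenses << [node.first_lineno, hit.to_s] if hit
  end
  offenses
end

if $PROGRAM_NAME == __FILE__
  dangerous_interpolations(SAMPLE).each do |line, name|
    puts "line #{line}: sensitive value `#{name}` interpolated into a string"
  end
end
```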
Edited by Ameya Darshan