Add rubocop rule for sensitive variable interpolation (!1280) · Merge requests · GitLab.org / GitLab QA

Ameya Darshan requested to merge ameyadarshan-master-patch-88b7 into master Feb 25, 2024

What does this MR do and why?

Adding a security rubocop rule to alert when sensitive variables are interpolated in a string, likely to get logged.

How to set up and validate locally

Using the following file for testing:

def configuration
	Runtime::Env.require_aws_s3_environment!
    gitlab_rails['object_store']['objects']['lfs']['bucket'] = Runtime::Env.aws_s3_bucket_name # secure
	gitlab_rails['object_store']['objects']['lfs']['bucket'] = '#{Runtime::Env.aws_s3_bucket_name}' # secure
end

def configuration
            Runtime::Env.require_aws_s3_environment!

            <<~OMNIBUS
              gitlab_rails['object_store']['objects']['external_diffs']['bucket'] = '#{Runtime::Env.aws_s3_secret_key}' # vulnerable
            OMNIBUS

            <<~OMNIBUS
	      gitlab_rails['object_store']['objects']['lfs']['bucket'] = '#{Runtime::Env.aws_s3_bucket_name}' # secure
	    OMNIBUS
end

Run $ rubocop --only Gitlab/DangerousInterpolation

Output:

Offenses:

test.rb:5:88: C: Gitlab/DangerousInterpolation: Sensitive variables should not be logged.
              gitlab_rails['object_store']['objects']['external_diffs']['bucket'] = '#{Runtime::Env.aws_s3_secret_key}'
                                                                                       ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

Edited Feb 26, 2024 by Ameya Darshan

Add rubocop rule for sensitive variable interpolation

What does this MR do and why?

How to set up and validate locally

Merge request reports