Commit 562bd180 authored by GitLab Release Tools Bot

Merge branch 'security-datadog-integration-leaking' into 'master'

Security datadog integration leaking

See merge request gitlab-org/security/gitlab!2574
parents 1399a580 e4d79c0d
......@@ -22,6 +22,7 @@ class WebHookLog < ApplicationRecord
validates :web_hook, presence: true
before_save :obfuscate_basic_auth
before_save :redact_author_email
def self.recent
where('created_at >= ?', 2.days.ago.beginning_of_day)
......@@ -52,4 +53,10 @@ def oversize?
def obfuscate_basic_auth
self.url = safe_url
end
def redact_author_email
return unless self.request_data.dig('commit', 'author', 'email').present?
self.request_data['commit']['author']['email'] = _('[REDACTED]')
end
end
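Review bot: `redact_author_email` persists a translated marker, `_('[REDACTED]')`, into `request_data`, so the stored value depends on whichever locale is active at save time and will differ between records; a fixed literal, `self.request_data['commit']['author']['email'] = '[REDACTED]'`, or a frozen constant next to the `*****` masking used by `safe_url` keeps the redacted payload stable and easy to check for. The guard `self.request_data.dig('commit', 'author', 'email').present?` also raises NoMethodError if `request_data` can be nil on this model — whether the column allows that is not visible here, so confirm or use `request_data&.dig(...)`. Only the single `commit.author.email` path is covered; if the same hook payload can carry author emails at other paths, those are still stored unredacted, which is worth verifying against the payload builders. The `class WebHookLog` definition and the surrounding visibility section (whether this sits under `private` like `obfuscate_basic_auth`) start outside the hunk.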
......@@ -30,15 +30,12 @@
end
describe '#save' do
let(:web_hook_log) { build(:web_hook_log, url: url) }
let(:url) { 'http://example.com' }
subject { web_hook_log.save! }
context 'with basic auth credentials' do
let(:web_hook_log) { build(:web_hook_log, url: 'http://test:123@example.com') }
it { is_expected.to eq(true) }
subject { web_hook_log.save! }
context 'with basic auth credentials' do
let(:url) { 'http://test:123@example.com'}
it { is_expected.to eq(true) }
it 'obfuscates the basic auth credentials' do
subject
......@@ -46,6 +43,30 @@
expect(web_hook_log.url).to eq('http://*****:*****@example.com')
end
end
context 'with author email' do
let(:author) { create(:user) }
let(:web_hook_log) { create(:web_hook_log, request_data: data) }
let(:data) do
{
commit: {
author: {
name: author.name,
email: author.email
}
}
}.deep_stringify_keys
end
it "redacts author's email" do
expect(web_hook_log.request_data['commit']).to match a_hash_including(
'author' => {
'name' => author.name,
'email' => _('[REDACTED]')
}
)
end
end
end
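Review bot: The new `context 'with author email'` only exercises the positive path; the model's `return unless ... present?` guard has no example, so a payload with no `commit`/`author` key, an empty email, or a `nil` `request_data` is untested and a regression there would not be caught. Add a sibling context such as `context 'without author email'` with `let(:data) { { 'commit' => { 'author' => { 'name' => 'x' } } } }` and an example asserting that `subject` succeeds and `web_hook_log.request_data` is unchanged. The expectation `'email' => _('[REDACTED]')` mirrors the implementation's translated marker, so it would also pass if the marker were accidentally localized; asserting the literal `'[REDACTED]'` pins the stored value instead. Minor style: `let(:url) { 'http://test:123@example.com'}` is missing the space before the closing brace. The enclosing `RSpec.describe` block starts before this hunk and continues past it.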
describe '.delete_batch_for' do