  • #342445
Closed
Open
Issue created Oct 05, 2021 by Michael Kozono@mkozono🔴Maintainer

Stop exposing reset password token and new user email token in logs

Summary

The reset password email link token and the new user email link token are exposed in logs.

In gitlab-ctl tail on my test Omnibus instance on GitLab 14.4-pre:

==> /var/log/gitlab/gitlab-rails/production.log <==
[ActiveJob] Enqueued ActionMailer::MailDeliveryJob (Job ID: 606abb60-97f2-480f-8c59-4a9a240d3b94) to Sidekiq(mailers) with arguments: "Notify", "new_user_email", "deliver_now", {:args=>[2, "17uGGXB4g2DNrzqwf_To"]}

In Kibana for GitLab.com https://log.gprd.gitlab.net/goto/0a869b9d34de16f82b4e37106a213d01 (I changed the values):

[ActiveJob] Enqueued ActionMailer::MailDeliveryJob (Job ID: 3c179dfe-4646-4dab-b34d-2000e14e15fe) to Sidekiq(mailers) with arguments: "DeviseMailer", "reset_password_instructions", "deliver_now", {:args=>[#<GlobalID:0x00007f7d73399df7 @uri=#<URI::GID gid://gitlab/User/1234567>>, "mtofpQMP_ghqeyXZWF-r", {}]}

Steps to reproduce

Use the reset password flow or create a new user in the Admin UI, then search the logs for reset_password_instructions or new_user_email.

What is the current bug behavior?

The tokens are exposed in the logs.

What is the expected correct behavior?

The tokens should not be output to logs.

Possible fixes

Suppress these ActiveJob messages entirely, since they are redundant with Sidekiq logging.

References

https://gitlab.com/gitlab-org/gitlab/-/blob/master/doc/development/sidekiq_style_guide.md#arguments-logging

Edited Oct 05, 2021 by Michael Kozono
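The fix the issue proposes is to drop the ActiveJob enqueue message altogether. As an added example that is not GitLab's own code, the Ruby below shows the narrower defensive option: detect enqueue lines for the two token-bearing mailer methods named in the issue and blank the mailer's string arguments before the line reaches a log sink. It uses the two log lines quoted in the issue plus one constructed benign line whose mailer method name is a placeholder.

```ruby
# Added example, not GitLab's own code: detect ActiveJob enqueue lines for the
# token-bearing mailer methods named in the issue and redact the mailer's
# string arguments before the line reaches a log sink.

# Mailer methods from the issue whose :args carry a single-use token.
TOKEN_BEARING_MAILER_METHODS = %w[reset_password_instructions new_user_email].freeze

ENQUEUE_RE = /\[ActiveJob\] Enqueued \S+ \(Job ID: [^)]+\) to \S+ with arguments: (?<args>.*)\z/
MAILER_ARGS_RE = /\{:args=>\[(?<inner>[^\]]*)\]\}/
QUOTED_STRING_RE = /"[^"]*"/

# True when the line enqueues a mailer method that carries a token.
def token_bearing_enqueue?(line)
  m = ENQUEUE_RE.match(line)
  return false if m.nil?
  TOKEN_BEARING_MAILER_METHODS.any? { |meth| m[:args].include?(%("#{meth}")) }
end

# Returns the line with every string inside the mailer's :args array replaced
# by "[FILTERED]". Job ID, mailer class, method name and non-string ids survive,
# so the line stays useful for correlating with Sidekiq's own job logging.
def redact_enqueue_line(line)
  return line unless token_bearing_enqueue?(line)
  line.sub(MAILER_ARGS_RE) { "{:args=>[#{$~[:inner].gsub(QUOTED_STRING_RE, '"[FILTERED]"')}]}" }
end

# Redacts a whole log stream, one line at a time.
def redact_log(lines)
  lines.map { |l| redact_enqueue_line(l) }
end

# The two lines quoted in the issue (token values already altered by its author).
NEW_USER_LINE = '[ActiveJob] Enqueued ActionMailer::MailDeliveryJob (Job ID: 606abb60-97f2-480f-8c59-4a9a240d3b94) to Sidekiq(mailers) with arguments: "Notify", "new_user_email", "deliver_now", {:args=>[2, "17uGGXB4g2DNrzqwf_To"]}'
RESET_LINE = '[ActiveJob] Enqueued ActionMailer::MailDeliveryJob (Job ID: 3c179dfe-4646-4dab-b34d-2000e14e15fe) to Sidekiq(mailers) with arguments: "DeviseMailer", "reset_password_instructions", "deliver_now", {:args=>[#<GlobalID:0x00007f7d73399df7 @uri=#<URI::GID gid://gitlab/User/1234567>>, "mtofpQMP_ghqeyXZWF-r", {}]}'
# Constructed line with a placeholder mailer method: carries no token and must pass through unchanged.
BENIGN_LINE = '[ActiveJob] Enqueued ActionMailer::MailDeliveryJob (Job ID: 00000000-0000-0000-0000-000000000000) to Sidekiq(mailers) with arguments: "Notify", "some_other_email", "deliver_now", {:args=>[2, 3]}'

if __FILE__ == $PROGRAM_NAME
  puts redact_log([NEW_USER_LINE, RESET_LINE, BENIGN_LINE])
end
```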