Closed
Issue created Oct 05, 2021 by Michael Kozono (@mkozono), Maintainer

Stop exposing reset password token and new user email token in logs

Summary

The reset password email link token and the new user email link token are exposed in logs.

In gitlab-ctl tail on my test Omnibus instance on GitLab 14.4-pre:

==> /var/log/gitlab/gitlab-rails/production.log <==
[ActiveJob] Enqueued ActionMailer::MailDeliveryJob (Job ID: 606abb60-97f2-480f-8c59-4a9a240d3b94) to Sidekiq(mailers) with arguments: "Notify", "new_user_email", "deliver_now", {:args=>[2, "17uGGXB4g2DNrzqwf_To"]}

In Kibana for GitLab.com https://log.gprd.gitlab.net/goto/0a869b9d34de16f82b4e37106a213d01 (I changed the values):

[ActiveJob] Enqueued ActionMailer::MailDeliveryJob (Job ID: 3c179dfe-4646-4dab-b34d-2000e14e15fe) to Sidekiq(mailers) with arguments: "DeviseMailer", "reset_password_instructions", "deliver_now", {:args=>[#<GlobalID:0x00007f7d73399df7 @uri=#<URI::GID gid://gitlab/User/1234567>>, "mtofpQMP_ghqeyXZWF-r", {}]}

Steps to reproduce

Use reset password flow or create a new user in the Admin UI, then search the logs for reset_password_instructions or new_user_email.

What is the current bug behavior?

The tokens are exposed in the logs.

What is the expected correct behavior?

The tokens should not be output to logs.

Possible fixes

Suppress these ActiveJob messages entirely, since they are redundant with Sidekiq logging.

References

https://gitlab.com/gitlab-org/gitlab/-/blob/master/doc/development/sidekiq_style_guide.md#arguments-logging

Edited Oct 05, 2021 by Michael Kozono
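As an added illustration of the exposure described in this issue (example code, not from the issue, the style guide it references or GitLab's code base): a small Ruby scanner that finds ActiveJob enqueue lines that dump a Devise-style one-time token as a mailer argument, and a redactor for them. The log lines, job IDs, user IDs and tokens below are constructed; the list of sensitive mailer methods (the two named in the issue) and the 20-character token pattern (the default length of Devise.friendly_token) are assumptions.

```ruby
# Added example, not code from the GitLab issue or from GitLab itself.
# Scans Rails production.log lines for ActiveJob enqueue messages that dump
# a Devise-style one-time token as a mailer argument, and redacts them.

require "set"

# Mailer methods whose ActiveJob arguments carry a one-time token.
# Assumption: the two methods named in the issue; extend as needed.
SENSITIVE_MAIL_METHODS = Set["reset_password_instructions", "new_user_email"].freeze

# Devise.friendly_token defaults to 20 url-safe base64 characters.
TOKEN_RE = /\A[A-Za-z0-9_-]{20}\z/

# The "[ActiveJob] Enqueued ... with arguments: ..." line shape shown in the issue.
ENQUEUE_RE = /\[ActiveJob\] Enqueued (?<job>\S+) \(Job ID: (?<job_id>[0-9a-f-]+)\).*?with arguments: (?<args>.+)\z/

# Constructed sample lines (made-up job IDs, user IDs and tokens).
SAMPLE_LOG = [
  '[ActiveJob] Enqueued ActionMailer::MailDeliveryJob (Job ID: 0b6a5f3e-1111-4c2d-9e1f-000000000001) to Sidekiq(mailers) with arguments: "Notify", "new_user_email", "deliver_now", {:args=>[2, "AbCdEfGhIjKlMnOpQr_1"]}',
  '[ActiveJob] Enqueued ActionMailer::MailDeliveryJob (Job ID: 0b6a5f3e-2222-4c2d-9e1f-000000000002) to Sidekiq(mailers) with arguments: "DeviseMailer", "reset_password_instructions", "deliver_now", {:args=>[#<GlobalID:0x00007f0000000001 @uri=#<URI::GID gid://gitlab/User/42>>, "zyxwvutsrqponmlk-987", {}]}',
  # Hypothetical non-sensitive mail: same line shape, nothing to redact.
  '[ActiveJob] Enqueued ActionMailer::MailDeliveryJob (Job ID: 0b6a5f3e-3333-4c2d-9e1f-000000000003) to Sidekiq(mailers) with arguments: "Notify", "some_other_email", "deliver_now", {:args=>[2, 7]}',
  # A "Performed" line: not an enqueue message, so it is ignored.
  '[ActiveJob] [ActionMailer::MailDeliveryJob] [0b6a5f3e-1111-4c2d-9e1f-000000000001] Performed ActionMailer::MailDeliveryJob (Job ID: 0b6a5f3e-1111-4c2d-9e1f-000000000001) from Sidekiq(mailers) in 120.5ms'
].freeze

# Returns a hash describing the leaked token for one log line, or nil if the
# line is not a token-carrying enqueue message.
def token_exposure(line)
  m = ENQUEUE_RE.match(line.chomp)
  return nil unless m
  args = m[:args]
  # The first two quoted strings are the mailer class and the mail method.
  mailer, mail_method = args.scan(/"([^"]*)"/).flatten.first(2)
  return nil unless mailer && SENSITIVE_MAIL_METHODS.include?(mail_method)
  # The mailer's own positional arguments live in the :args=>[...] array.
  inner = args[/:args=>\[(.*)\]/, 1]
  return nil unless inner
  token = inner.scan(/"([^"]*)"/).flatten.find { |s| s.match?(TOKEN_RE) }
  return nil unless token
  { job_id: m[:job_id], mailer: mailer, mail_method: mail_method, token: token }
end

# All exposures found in a list of log lines.
def scan_log(lines)
  lines.filter_map { |line| token_exposure(line) }
end

# The line with the token replaced; lines without an exposure come back unchanged.
def redact(line)
  exposure = token_exposure(line)
  return line unless exposure
  line.sub(%("#{exposure[:token]}"), '"[REDACTED]"')
end

if __FILE__ == $PROGRAM_NAME
  scan_log(SAMPLE_LOG).each do |e|
    puts "job #{e[:job_id]}: #{e[:mailer]}##{e[:mail_method]} leaks token #{e[:token]}"
  end
  SAMPLE_LOG.each { |l| puts redact(l) }
end
```

A scanner like this only helps establish whether logs already shipped to a central store contain tokens that should be invalidated; it is not a substitute for the fix the issue proposes, which is to stop ActiveJob from emitting the argument dump in the first place. Rails 6.1 added the `log_arguments` class attribute on ActiveJob::Base (settable globally via `config.active_job.log_arguments = false`) for exactly that purpose; whether GitLab used that or suppressed the enqueue message entirely is not stated on this page.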