GitLab.org / GitLab · Issue #342445

Stop exposing reset password token and new user email token in logs

Summary

The reset password email link token and the new user email link token are exposed in logs.

In gitlab-ctl tail on my test Omnibus instance on GitLab 14.4-pre:

==> /var/log/gitlab/gitlab-rails/production.log <==
[ActiveJob] Enqueued ActionMailer::MailDeliveryJob (Job ID: 606abb60-97f2-480f-8c59-4a9a240d3b94) to Sidekiq(mailers) with arguments: "Notify", "new_user_email", "deliver_now", {:args=>[2, "17uGGXB4g2DNrzqwf_To"]}

In Kibana for GitLab.com https://log.gprd.gitlab.net/goto/0a869b9d34de16f82b4e37106a213d01 (I changed the values):

[ActiveJob] Enqueued ActionMailer::MailDeliveryJob (Job ID: 3c179dfe-4646-4dab-b34d-2000e14e15fe) to Sidekiq(mailers) with arguments: "DeviseMailer", "reset_password_instructions", "deliver_now", {:args=>[#<GlobalID:0x00007f7d73399df7 @uri=#<URI::GID gid://gitlab/User/1234567>>, "mtofpQMP_ghqeyXZWF-r", {}]}

Steps to reproduce

Use reset password flow or create a new user in the Admin UI, then search the logs for reset_password_instructions or new_user_email.

What is the current bug behavior?

The tokens are exposed in the logs.

What is the expected correct behavior?

The tokens should not be output to logs.

Possible fixes

Suppress these ActiveJob messages entirely, since they are redundant with Sidekiq logging.

References

https://gitlab.com/gitlab-org/gitlab/-/blob/master/doc/development/sidekiq_style_guide.md#arguments-logging

Edited Oct 05, 2021 by Michael Kozono
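The scan described under "Steps to reproduce" can be automated. The following is an added example, not GitLab's code and not the fix proposed in the issue: it runs over production.log lines, flags the ActiveJob enqueue lines for the two mailer methods named above, extracts the 20-character Devise-style token from the `{:args=>[...]}` tail so it can be invalidated, and produces a redacted copy of the line for log shipping. The regexes, the `SENSITIVE_MAILER_METHODS` list and the sample log lines are assumptions for this example; the sample lines are constructed, modeled on the excerpts above with made-up job IDs, user IDs and token values.

```ruby
# Added example, not GitLab's code. Detects and redacts Devise-style tokens
# that the ActiveJob "Enqueued ... with arguments" log line leaks when a mailer
# job is enqueued with a raw token argument, as described in the issue above.

# Mailer methods whose job arguments carry a one-time token (from the issue).
SENSITIVE_MAILER_METHODS = %w[reset_password_instructions new_user_email].freeze

# Devise.friendly_token yields 20 URL-safe characters, the shape of both tokens
# quoted in the issue. Match only a whole quoted string of exactly that length.
# (Assumption for this example; adjust if your token length differs.)
TOKEN_RE = /(?<=")[A-Za-z0-9_-]{20}(?=")/

# The ActiveJob enqueue line:
# "[ActiveJob] Enqueued <Job> (Job ID: <uuid>) to Sidekiq(<queue>) with arguments: <args>"
ENQUEUE_RE = /Enqueued ActionMailer::MailDeliveryJob \(Job ID: [0-9a-f-]+\) to Sidekiq\(\w+\) with arguments: (?<args>.*)$/

# The mailer's own arguments are the `{:args=>[...]}` tail; tokens live only there,
# so mailer class and method names (also quoted) are never touched.
ARGS_ARRAY_RE = /\{:args=>\[.*\]\}/

# True when the line enqueues one of the token-carrying mailer methods.
def sensitive_enqueue_line?(line)
  m = ENQUEUE_RE.match(line)
  return false unless m
  SENSITIVE_MAILER_METHODS.any? { |meth| m[:args].include?(%("#{meth}")) }
end

# Tokens leaked by one log line (empty when the line is not a sensitive enqueue).
def leaked_tokens(line)
  return [] unless sensitive_enqueue_line?(line)
  args_array = line[ARGS_ARRAY_RE] || ""
  args_array.scan(TOKEN_RE)
end

# The same line with every token inside the args array replaced by [FILTERED].
def redact_line(line)
  return line unless sensitive_enqueue_line?(line)
  line.sub(ARGS_ARRAY_RE) { |args_array| args_array.gsub(TOKEN_RE, "[FILTERED]") }
end

# Scan a whole log: returns the redacted lines plus every token that must now be
# treated as compromised (invalidate it or confirm it has already expired).
def scan_log(lines)
  {
    redacted: lines.map { |l| redact_line(l) },
    leaked_tokens: lines.flat_map { |l| leaked_tokens(l) }
  }
end

# Constructed sample lines modeled on the production.log excerpts in the issue
# (job IDs, user IDs and token values are made up).
SAMPLE_LOG = [
  '[ActiveJob] Enqueued ActionMailer::MailDeliveryJob (Job ID: 11111111-2222-3333-4444-555555555555) to Sidekiq(mailers) with arguments: "Notify", "new_user_email", "deliver_now", {:args=>[2, "AbCdEfGhIjKlMnOpQrSt"]}',
  '[ActiveJob] Enqueued ActionMailer::MailDeliveryJob (Job ID: 66666666-7777-8888-9999-000000000000) to Sidekiq(mailers) with arguments: "DeviseMailer", "reset_password_instructions", "deliver_now", {:args=>[#<GlobalID:0x00007f0000000000 @uri=#<URI::GID gid://gitlab/User/42>>, "Z9y8X7w6V5u4T3s2R1q0", {}]}',
  # A mailer that carries no token (hypothetical method name): left untouched.
  '[ActiveJob] Enqueued ActionMailer::MailDeliveryJob (Job ID: aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee) to Sidekiq(mailers) with arguments: "Notify", "some_other_email", "deliver_now", {:args=>[2, 7]}',
  'Started GET "/users/sign_in" for 127.0.0.1 at 2021-10-05 12:00:00 +0000'
].freeze

if __FILE__ == $PROGRAM_NAME
  result = scan_log(SAMPLE_LOG)
  puts result[:redacted]
  puts "Tokens to invalidate: #{result[:leaked_tokens].join(', ')}"
end
```

Redacting at the log-collection stage only limits further spread; any token found this way has already been written to disk and should be treated as compromised. The durable fix is the one the issue proposes: stop emitting the ActiveJob argument line, which Sidekiq's own argument logging already covers.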