Skip to content

Environment variable values are not filtered correctly in API logs, leaking sensitive data

Summary

When using any of the three environment variable API endpoints, GrapeLogging::Loggers::FilterParameters is failing to correctly filter variable values. It's actually filtering the form value of the parameter 'key', since that is a positive match in Rails.application.config.filter_parameters. In this case it's filtering the env var name the user is trying to set and printing the value to the log in all cases. This is a security issue if the user is, for example, using the API to automatically set user SSH keys, or other sensitive data.

What we want it to do is filter the value of the parameter 'value' if the value of the parameter 'key' matches the regex defined in Rails.application.config.filter_parameters.

Also, the existing filters don't appear to be case sensitive.

Steps to reproduce

  1. Start with a freshly installed GDK.
  2. Create a user with the admin role.
  3. Create a group and project for that user.
  4. Create an access token with admin api scope.
  5. Send a POST request to the Project-level variables API curl --request POST --header "PRIVATE-TOKEN: <your_access_token>" \ "https://<gitlab.example.com>/api/v4/projects/1/variables" --form "key=TEST_SSH_KEY" --form "value=-----BEGIN OPENSSH PRIVATE KEY----- This isn't actually a private key, just some testing"

What is the current bug behavior?

*** /var/log/gitlab/api_json.log ***) { ... "status":200,"method":"PUT","path":"/api/v4/projects/5/variables/TEST_SSH_KEY","params":[{"key":"masked","value":null},{"key":"variable_type","value":"file"},{"key":"value","value":"-----BEGIN OPENSSH PRIVATE KEY-----" .. }

What is the expected correct behavior?

*** /var/log/gitlab/api_json.log ***) { ... "status":200,"method":"PUT","path":"/api/v4/projects/5/variables/TEST_SSH_KEY","params":[{"key":"TEST_SSH_KEY","value":"[FILTERED]"},{"key":"variable_type","value":"file"} .. }

Results of GitLab environment info

Note that I'm reproducing this with a fresh GDK on a local machine.

Expand for output related to GitLab environment info 

System information
System:
Proxy:          no
Current User:   michael.sherron
Using RVM:      no
Ruby Version:   2.7.5p203
Gem Version:    3.1.6
Bundler Version:2.3.6
Rake Version:   13.0.6
Redis Version:  6.0.16
Sidekiq Version:6.4.0
Go Version:     go1.17.6 darwin/amd64

GitLab information
Version:        14.8.0-pre
Revision:       01756fc7608
Directory:      /Users/michael.sherron/Sites/gitlab-development-kit/gitlab
DB Adapter:     PostgreSQL
DB Version:     12.9
URL:            http://192.168.0.234:3000
HTTP Clone URL: http://192.168.0.234:3000/some-group/some-project.git
SSH Clone URL:  ssh://git@192.168.0.234:2222/some-group/some-project.git
Elasticsearch:  no
Geo:            no
Using LDAP:     no
Using Omniauth: yes
Omniauth Providers: google_oauth2

GitLab Shell
Version:        13.23.2
Repository storage paths:
- default:      /Users/michael.sherron/Sites/gitlab-development-kit/repositories
GitLab Shell path:              /Users/michael.sherron/Sites/gitlab-development-kit/gitlab-shell

Results of GitLab application Check

Expand for output related to the GitLab application check 
Checking GitLab subtasks ...


Checking GitLab Shell ...


GitLab Shell: ... GitLab Shell version >= 13.23.2 ? ... OK (13.23.2)
Running /Users/michael.sherron/Sites/gitlab-development-kit/gitlab-shell/bin/check
{"content_length_bytes":90,"correlation_id":"01FWRR11C781FY740B628NSSBS","duration_ms":398,"level":"info","method":"GET","msg":"Finished HTTP request","status":200,"time":"2022-02-25T15:29:41Z","url":"http://192.168.0.234:3000/api/v4/internal/check"}
Internal API available: OK
Redis available via internal API: OK
gitlab-shell self-check successful


Checking GitLab Shell ... Finished


Checking Gitaly ...


Gitaly: ... default ... OK


Checking Gitaly ... Finished


Checking Sidekiq ...


Sidekiq: ... Running? ... yes
Number of Sidekiq processes (cluster/worker) ... 1/1


Checking Sidekiq ... Finished


Checking Incoming Email ...


Incoming Email: ... Reply by email is disabled in config/gitlab.yml


Checking Incoming Email ... Finished


Checking LDAP ...


LDAP: ... LDAP is disabled in config/gitlab.yml


Checking LDAP ... Finished


Checking GitLab App ...


Database config exists? ... yes
All migrations up? ... yes
Database contains orphaned GroupMembers? ... no
GitLab config exists? ... yes
GitLab config up to date? ... yes
Log directory writable? ... yes
Tmp directory writable? ... yes
Uploads directory exists? ... yes
Uploads directory has correct permissions? ... yes
Uploads directory tmp has correct permissions? ... skipped (no tmp uploads folder yet)
Systemd unit files or init script exist? ... yes
Projects have namespace: ...
22/1 ... yes
22/2 ... yes
25/3 ... yes
27/4 ... yes
29/5 ... yes
31/6 ... yes
33/7 ... yes
35/8 ... yes
10/9 ... yes
7/10 ... yes
3/11 ... yes
21/12 ... yes
12/13 ... yes
1/14 ... yes
5/15 ... yes
15/16 ... yes
2/17 ... yes
9/18 ... yes
70/19 ... yes
127/20 ... yes
129/22 ... yes
129/23 ... yes
129/25 ... yes
153/27 ... yes
153/28 ... yes
1/30 ... yes
153/31 ... yes
153/32 ... yes
153/33 ... yes
153/34 ... yes
153/35 ... yes
164/36 ... yes
166/37 ... yes
153/38 ... yes
153/41 ... yes
153/43 ... yes
153/45 ... yes
153/46 ... yes
Redis version >= 5.0.0? ... yes
Ruby version >= 2.7.2 ? ... yes (2.7.5)
Git user has default SSH configuration? ... yes
Active users: ... 107
Is authorized keys file accessible? ... yes
GitLab configured to store new projects in hashed storage? ... yes
All projects are in hashed storage? ... yes
Elasticsearch version 7.x (6.4 - 6.x deprecated to be removed in 13.8)? ... skipped (elasticsearch is disabled)


Checking GitLab App ... Finished


Checking GitLab subtasks ... Finished

Possible fixes

I have a working fix, will submit a MR.