Webhook token leaked in Sidekiq logs if log format is 'default'
Summary
If the logging format is `default`, `X-Gitlab-Token` is displayed in clear text in the Sidekiq logs during the `WebHooks::LogExecutionWorker` execution. This does not seem to occur if the log format is set to `json`.
The cleartext token appears in the `args` for the `WebHooks::LogExecutionWorker`, which is the `log_data` JSON payload. When the log format is set to `json`, the `args` shows `log_data` as `[FILTERED]`.
This has been reproduced on GitLab Helm chart 15.11, and GitLab Omnibus. A GitLab customer has reported this via Support. ZenDesk ticket refers (internal).
This relates to an earlier issue that has been resolved: #381895 (closed)
Steps to reproduce
- Set the Sidekiq log format to `default`
- Create a Group with a Project
- Create a Group webhook with a secret token for `push` events
- Commit to the project
- Check Sidekiq logs for `X-Gitlab-Token`
What is the current bug behavior?
`X-Gitlab-Token` is logged in cleartext to the Sidekiq logs.
What is the expected correct behavior?
`X-Gitlab-Token` is redacted in the Sidekiq logs.
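The current and expected behaviours side by side, as an added example that is not part of this issue or of GitLab's code: a minimal Ruby model of a log formatter that serializes Sidekiq job args verbatim (the leaky `default` case) beside one that redacts `X-Gitlab-Token` before serializing (what the `json` path already does via `[FILTERED]`), plus a check that flags log lines still carrying a cleartext token. The `log_data` fields, the sensitive-key list, the token value and the line layout are constructed assumptions, not GitLab's actual formatter output.

```ruby
require 'json'

# Keys whose values must never reach the logs. Assumed list; the issue itself
# only names X-Gitlab-Token.
SENSITIVE_KEYS = %w[x-gitlab-token authorization].freeze
FILTERED = '[FILTERED]'.freeze

# Recursively replace the values of sensitive keys (matched case-insensitively)
# inside nested hashes and arrays, leaving everything else untouched.
def redact_sensitive(value)
  case value
  when Hash
    value.each_with_object({}) do |(k, v), out|
      out[k] = SENSITIVE_KEYS.include?(k.to_s.downcase) ? FILTERED : redact_sensitive(v)
    end
  when Array
    value.map { |v| redact_sensitive(v) }
  else
    value
  end
end

# Constructed sample shaped like the log_data argument the issue describes
# (field names are hypothetical; the token is a dummy value).
SAMPLE_LOG_DATA = {
  'trigger' => 'push_hooks',
  'url' => 'https://hooks.example.invalid/endpoint',
  'request_headers' => {
    'Content-Type' => 'application/json',
    'X-Gitlab-Token' => 'example-secret-token-0000',
    'X-Gitlab-Event' => 'Push Hook'
  },
  'response_status' => 200
}.freeze

# Models the "default" formatter: job args are serialized as-is, so the
# token from request_headers lands in the log line in cleartext.
def format_default(worker, args)
  "#{worker} JID-abc123 INFO: start args=#{args.to_json}"
end

# Hardened variant: redact every arg before it is serialized.
def format_redacted(worker, args)
  format_default(worker, args.map { |a| redact_sensitive(a) })
end

# Detection: true when a log line carries an X-Gitlab-Token value that is
# anything other than the [FILTERED] placeholder.
TOKEN_PATTERN = /"X-Gitlab-Token"\s*:\s*"(?!\[FILTERED\]")[^"]+"/i

def leaks_token?(line)
  TOKEN_PATTERN.match?(line)
end

if $PROGRAM_NAME == __FILE__
  worker = 'WebHooks::LogExecutionWorker'
  leaky = format_default(worker, [SAMPLE_LOG_DATA])
  safe  = format_redacted(worker, [SAMPLE_LOG_DATA])
  puts "default formatter leaks token?  #{leaks_token?(leaky)}"
  puts "redacted formatter leaks token? #{leaks_token?(safe)}"
end
```

Running `leaks_token?` over existing Sidekiq log files is a quick way to confirm whether an instance on the `default` format has already written tokens to disk and which log files need rotating out; switching the formatter to `json`, as the issue notes, stops the leak at the source.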