Webhook token leaked in Sidekiq logs if log format is 'default'
Summary
When the Sidekiq log format is set to `default`, the webhook secret token (`X-Gitlab-Token`) is written in cleartext to the Sidekiq logs while `WebHooks::LogExecutionWorker` executes. This does not appear to happen when the log format is set to `json`.
The cleartext token appears in the arguments of `WebHooks::LogExecutionWorker`, specifically in the `log_data` JSON payload. With the `json` log format, `args` shows `log_data` as `[FILTERED]`.
This has been reproduced on the GitLab Helm chart 15.11 and on GitLab Omnibus. A GitLab customer reported this via Support; the ZenDesk ticket (internal) refers.
This relates to an earlier issue that has been resolved: #381895 (closed)
Steps to reproduce
- Set the Sidekiq log format to `default`
- Create a Group with a Project
- Create a Group webhook with a secret token for push events
- Commit to the project
- Check the Sidekiq logs for `X-Gitlab-Token`
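A way to check whether existing Sidekiq logs already contain leaked webhook secrets, as an added example that is not part of this report or of GitLab's own code. The log lines below are constructed for illustration (they imitate a `default`-format line with the worker arguments printed in full, a `json`-format line with `[FILTERED]` arguments, and an unrelated worker line) and are not real GitLab output; the header name and worker name are the ones named in the report, and the Omnibus setting `sidekiq['log_format']` in `/etc/gitlab/gitlab.rb` is assumed to be the knob that selects the format.

```ruby
require 'json'

# Omnibus setting assumed to control the format discussed in this report:
#   sidekiq['log_format'] = 'default'   # worker args logged verbatim, token exposed
#   sidekiq['log_format'] = 'json'      # args filtered, log_data shown as [FILTERED]

# Constructed sample Sidekiq log lines (not real GitLab output).
SAMPLE_LINES = [
  # default (text) format: the log_data payload, headers included, is printed as-is
  '2023-05-01T10:00:00.000Z pid=1 tid=abc class=WebHooks::LogExecutionWorker jid=deadbeef ' \
  'INFO: arguments: [{"hook_id":7,"log_data":{"trigger":"push_hooks",' \
  '"request_headers":{"Content-Type":"application/json","X-Gitlab-Token":"hunter2-secret"}},' \
  '"response_category":"ok"}]',
  # json format: arguments are already filtered before they reach the log
  '{"severity":"INFO","time":"2023-05-01T10:00:01.000Z","class":"WebHooks::LogExecutionWorker",' \
  '"jid":"cafebabe","args":["[FILTERED]"]}',
  # unrelated worker, no headers logged
  '2023-05-01T10:00:02.000Z pid=1 tid=abc class=PostReceive jid=1234 INFO: done: 0.5 sec'
].freeze

# Matches a JSON-encoded X-Gitlab-Token header and captures its value.
TOKEN_PATTERN = /"X-Gitlab-Token"\s*:\s*"([^"]*)"/i

# Returns one entry per line that carries an unfiltered token value.
# Works on both text-format lines (class=... key/value pairs) and json-format lines.
def token_leaks(lines)
  lines.each_with_index.filter_map do |line, idx|
    m = line.match(TOKEN_PATTERN)
    next unless m
    next if m[1] == '[FILTERED]'

    worker = line[/class=([\w:]+)/, 1] || (JSON.parse(line)['class'] rescue nil)
    { line: idx + 1, worker: worker, token: m[1] }
  end
end

# Replaces any logged token value with [FILTERED], mirroring what the json
# format already does; useful for scrubbing log copies before sharing them.
def redact_token(line)
  line.gsub(TOKEN_PATTERN, '"X-Gitlab-Token":"[FILTERED]"')
end

if __FILE__ == $PROGRAM_NAME
  # Pass a Sidekiq log file path to scan real logs; without one, scan the samples.
  lines = ARGV.empty? ? SAMPLE_LINES : File.readlines(ARGV[0], chomp: true)
  leaks = token_leaks(lines)
  leaks.each do |leak|
    puts "line #{leak[:line]}: #{leak[:worker]} logged X-Gitlab-Token=#{leak[:token]}"
  end
  puts "#{leaks.size} leaked token(s) found"
end
```

On the constructed samples the scanner reports one leak, the `default`-format `WebHooks::LogExecutionWorker` line; after `redact_token` is applied to every line, a second pass finds nothing. Any token the scanner does find in a real log should be treated as compromised and rotated, since log files are typically readable by more people and systems than the webhook secret was meant for.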
Example Project
What is the current bug behavior?
`X-Gitlab-Token` is logged in cleartext to the Sidekiq logs.
What is the expected correct behavior?
`X-Gitlab-Token` is redacted in the Sidekiq logs.
Relevant logs and/or screenshots
Output of checks
Results of GitLab environment info
(For installations with the omnibus-gitlab package, run and paste the output of: `sudo gitlab-rake gitlab:env:info`. For installations from source, run and paste the output of: `sudo -u git -H bundle exec rake gitlab:env:info RAILS_ENV=production`.)
Results of GitLab application Check
(For installations with the omnibus-gitlab package, run and paste the output of: `sudo gitlab-rake gitlab:check SANITIZE=true`. For installations from source, run and paste the output of: `sudo -u git -H bundle exec rake gitlab:check RAILS_ENV=production SANITIZE=true`. We will only investigate if the tests are passing.)