Expand potential leak warnings to use configured prefixes on a self-managed instance
Release notes
Warnings for potential leaks in text content have now been expanded on Self-Managed instances to also use a custom personal access token prefix if one has been configured. Previously, only the default prefix glpat- was checked.
Problem to solve
Introduced in GitLab 15.11, the potential-leak warning is a useful tool for alerting a user when they may be posting a sensitive token value. In its current state, the check consists of a hardcoded regex that only matches the default prefix glpat- and does not consider a custom-set prefix.
For example, on a Self-Managed instance an Administrator can set a prefix for new personal access tokens so that they use a particular format (such as acmepat-). All tokens created after that use this prefix, but they are never checked by the leak warning.
Proposal
The token prefix is saved as Gitlab::CurrentSettings.current_application_settings.personal_access_token_prefix within Rails, and could be passed to the front-end.
If the setting has been modified (that is, it differs from the default glpat-), its value should be added as a third regex check, similar to:
{
name: 'GitLab Custom Prefix Personal Access Token',
regex: '<prefix>[0-9a-zA-Z_-]{20}',
},
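The following is an added example of how such a check could be built on the front-end; it is not GitLab's own code. It assumes the configured prefix arrives as a plain string (here a hypothetical customPrefix argument), and it escapes regex metacharacters in the prefix before building the pattern, since an administrator-chosen prefix such as acme.pat- would otherwise match more than intended. The sample text below is constructed and the token bodies are made-up values.

```javascript
// Added example (not GitLab's implementation): build leak-warning patterns
// from the default PAT prefix plus an optionally configured custom prefix.
const DEFAULT_PAT_PREFIX = 'glpat-';

// Body of a personal access token, as in the pattern proposed above.
const TOKEN_BODY = '[0-9a-zA-Z_-]{20}';

// Escape regex metacharacters so the prefix is matched literally.
function escapeRegExp(s) {
  return s.replace(/[.*+?^${}()|[\]\\]/g, '\\$&');
}

// customPrefix is a hypothetical argument standing in for the
// personal_access_token_prefix setting passed down from Rails.
function buildTokenPatterns(customPrefix) {
  const patterns = [
    {
      name: 'GitLab Personal Access Token',
      regex: new RegExp(`${escapeRegExp(DEFAULT_PAT_PREFIX)}${TOKEN_BODY}`),
    },
  ];

  // Only add a second PAT pattern when the setting actually differs
  // from the default; otherwise the same token would be reported twice.
  if (customPrefix && customPrefix !== DEFAULT_PAT_PREFIX) {
    patterns.push({
      name: 'GitLab Custom Prefix Personal Access Token',
      regex: new RegExp(`${escapeRegExp(customPrefix)}${TOKEN_BODY}`),
    });
  }
  return patterns;
}

// Returns the names of every pattern that matches somewhere in the text.
function findPotentialLeaks(text, customPrefix) {
  return buildTokenPatterns(customPrefix)
    .filter(({ regex }) => regex.test(text))
    .map(({ name }) => name);
}

// Constructed sample input: a comment containing two made-up tokens,
// one with the default prefix and one with a custom acmepat- prefix.
const SAMPLE_COMMENT =
  'CI token is glpat-AbCdEfGhIjKlMnOpQrSt and the new one is acmepat-AbCdEfGhIjKlMnOpQrSt';

module.exports = { buildTokenPatterns, findPotentialLeaks, SAMPLE_COMMENT };
```

Without a configured prefix only the glpat- token in SAMPLE_COMMENT is reported; with acmepat- configured, both are. A prefix containing a dot is matched literally rather than as a wildcard because of the escaping step.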