PRIVATE-TOKEN is logged as part of `json.path`
Original Issue
Summary
- Some messages are logging `request.fullpath` and hence not doing any filtering; `PRIVATE-TOKEN` is not filtered.
Impact
Customer `glpat-` personal access tokens are exposed in Kibana logs.
Recommendation
- Use `request.filtered_path` when logging.
- Add `PRIVATE-TOKEN` to the filter parameter list.
The known affected log messages are `Rack_Attack` and `Application_Rate_Limiter_Request`.
Probable places in code:
- `app/controllers/application_controller.rb`
- `lib/gitlab/middleware/path_traversal_check.rb`
- `lib/gitlab/middleware/go.rb`
- `lib/gitlab/application_rate_limiter.rb`
- `lib/gitlab/auth.rb`
- `app/controllers/concerns/invisible_captcha_on_signup.rb`
Verification
Check Kibana logs with the query `json.path: glpat` and confirm no entries are returned.
Summary
Some log messages include `request.fullpath` without applying the parameter filter, so sensitive query-string values reach the logs. Specifically, `PRIVATE-TOKEN` values (`glpat-` personal access tokens) are visible in plain text in the `json.path` field in Kibana.
Steps to Reproduce
- Trigger a log entry containing a `glpat-` token. See this comment.
- Check the logs in Kibana for unfiltered entries where the `PRIVATE-TOKEN` value appears.
What is the Current Bug Behaviour?
Logs capture and expose sensitive tokens (e.g., `glpat-` tokens) in plain text in the `json.path` field in Kibana.
What is the Expected Correct Behaviour?
Logs should filter sensitive query parameters, so that `PRIVATE-TOKEN` values never appear in `json.path` or any other logged field.
Relevant Logs and/or Screenshots
Example impacted logs:
Probable Code Locations
- `app/controllers/application_controller.rb`
- `lib/gitlab/middleware/path_traversal_check.rb`
- `lib/gitlab/middleware/go.rb`
- `lib/gitlab/application_rate_limiter.rb`
- `lib/gitlab/auth.rb`
- `app/controllers/concerns/invisible_captcha_on_signup.rb`
Recommendation
- Replace `request.fullpath` with `request.filtered_path` in logging.
- Add `PRIVATE-TOKEN` to the filter parameter list to prevent exposure in logs.
Verification
Check the Kibana logs after the fix is deployed (query `json.path: glpat`) to confirm that sensitive tokens no longer appear unfiltered in log entries.
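The following is an added example illustrating both the recommendation and the verification step above; it is not GitLab's own code and does not use Rails. `filtered_path` is a simplified stand-in for what Rails' `request.filtered_path` does (mask the values of query parameters on the filter list), `log_entry` shows the vulnerable (`fullpath`) and fixed (filtered) variants of a log line, and `leaked_paths` is the Kibana check expressed over serialised JSON log lines. The filter list, the token placeholder, the request and the log lines are all constructed for the example.

```ruby
require "json"

# Parameter names whose values must never reach a log line. Assumed list for
# this example; in a Rails app it comes from config.filter_parameters.
FILTERED_PARAMS = %w[private_token access_token password].freeze
FILTERED_VALUE  = "[FILTERED]"
# Personal access token shape: the "glpat-" prefix followed by the token body.
TOKEN_PATTERN   = /glpat-[A-Za-z0-9_-]{20}/

# Simplified stand-in for Rails' request.filtered_path: keep the path and every
# query parameter name, but mask the value of any parameter on the filter list.
# Keys are matched case-insensitively with "-" and "_" treated alike, so
# PRIVATE-TOKEN, private_token and Private-Token are all masked.
def filtered_path(fullpath)
  path, query = fullpath.split("?", 2)
  return fullpath if query.nil? || query.empty?

  masked = query.split("&").map do |pair|
    key, _value = pair.split("=", 2)
    normalised = key.to_s.downcase.tr("-", "_")
    FILTERED_PARAMS.include?(normalised) ? "#{key}=#{FILTERED_VALUE}" : pair
  end
  "#{path}?#{masked.join('&')}"
end

# Builds a structured log line the way a middleware might. The "path" field is
# what Kibana indexes as json.path. filtered: false reproduces the bug (logging
# request.fullpath); the default reproduces the fix.
def log_entry(message, fullpath, filtered: true)
  { "message" => message, "path" => filtered ? filtered_path(fullpath) : fullpath }.to_json
end

# Verification step from the issue: scan serialised log lines and return every
# json.path value that still contains a glpat- token.
def leaked_paths(log_lines)
  log_lines.map { |line| JSON.parse(line) }
           .map { |entry| entry["path"].to_s }
           .select { |path| path.match?(TOKEN_PATTERN) }
end

# Constructed input: a placeholder token, not a real credential.
FAKE_TOKEN = "glpat-xxxxxxxxxxxxxxxxxxxx"
REQUEST    = "/api/v4/projects?per_page=5&PRIVATE-TOKEN=#{FAKE_TOKEN}"

if __FILE__ == $0
  before = [log_entry("Rack_Attack", REQUEST, filtered: false),
            log_entry("Application_Rate_Limiter_Request", REQUEST, filtered: false)]
  after  = [log_entry("Rack_Attack", REQUEST),
            log_entry("Application_Rate_Limiter_Request", REQUEST)]
  puts "leaked paths before fix: #{leaked_paths(before).size}"
  puts "leaked paths after fix:  #{leaked_paths(after).size}"
end
```

Two caveats for the real fix. First, `request.filtered_path` only masks query-string values, which is why it is the right tool here (the token reaches `json.path` through the query string); a token sent in the `PRIVATE-TOKEN` request header is not part of the path and must be kept out of any logged header dump separately. Second, Rails' `ActiveSupport::ParameterFilter` matches filter entries as case-insensitive substrings of the parameter name, so the entry added to the filter list should be checked against the exact spelling of the query parameter that appears in the leaked log lines, not only the header name.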
Edited by Hakeem Abdul-Razak