Add remote ip logging in path traversal middleware
🎏 Context
A few weeks ago, we enabled the path traversal middleware on gitlab.com. This middleware looks at the accessed relative path (including query parameters) to detect path traversals.
When an attempt is detected, the middleware will:
- stop the request with a `400 Bad Request` response.
- log the attempt.
In the past, we had cases where the logged attempts were not precise enough: they were lacking the `remote_ip` field. This is because the path traversal middleware is pretty early in the middleware stack. As such, the log context (which contains the `remote_ip` automatically) is not built yet, thus logs triggered by the path traversal middleware will not have that field.
We already spotted this gap previously and gitlab-org/ruby/gems/labkit-ruby#41 was opened to have a proper logging context, even in middlewares.
With this MR, we want to add the `remote_ip` field in the path traversal middleware without waiting for gitlab-org/ruby/gems/labkit-ruby#41. The main reason is that this field is crucial when debugging large amounts of attempts. Knowing if the bulk of the attempts come from a single IP or a small set of IPs is a useful datapoint when deciding how to apply a mitigation plan.
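The following is an added illustration, not GitLab's middleware: a minimal Rack-style middleware that rejects traversal attempts with a 400 and logs them with the remote IP read directly from the request env, since the usual log context that would supply `remote_ip` is not built at this point in the stack. The decoding loop, the regex and the use of `REMOTE_ADDR` are simplifying assumptions for the example.

```ruby
require 'cgi'
require 'json'
require 'stringio'

# Hypothetical Rack middleware (not GitLab's code): detect ".." path segments
# in the path or query string, reject the request and log the attempt.
class PathTraversalCheck
  # A ".." segment bounded by a separator (or the string boundary).
  TRAVERSAL_SEGMENT = %r{(\A|[/\\])\.\.([/\\]|\z)}

  def initialize(app, logger: $stdout)
    @app = app
    @logger = logger
  end

  # Percent-decode repeatedly (bounded) so double-encoded input such as
  # "%252F" is normalised before matching, then look for a ".." segment.
  def self.traversal?(path, query = nil)
    [path, query].compact.any? do |value|
      decoded = value
      3.times do
        next_value = CGI.unescape(decoded)
        break if next_value == decoded
        decoded = next_value
      end
      decoded.match?(TRAVERSAL_SEGMENT)
    end
  end

  def call(env)
    path  = env['PATH_INFO'].to_s
    query = env['QUERY_STRING'].to_s
    if self.class.traversal?(path, query.empty? ? nil : query)
      log_attempt(env, path, query)
      return [400, { 'content-type' => 'text/plain' }, ['Bad Request']]
    end
    @app.call(env)
  end

  private

  # remote_ip is taken from REMOTE_ADDR here (assumption for the example);
  # behind a reverse proxy, derive it from the trusted proxy chain instead.
  def log_attempt(env, path, query)
    @logger.puts(JSON.generate(
      message: 'Potential path traversal attempt detected.',
      request_rejected: true,
      remote_ip: env['REMOTE_ADDR'],
      path: path,
      query: query
    ))
  end
end
```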
🤔 What does this MR do and why?
- add the `remote_ip` field in the path traversal middleware logs.
- update the related specs.
📖 References
🦄 Screenshots or screen recordings
No UI changes
⚗️ How to set up and validate locally
- Enable the middleware feature flag: `Feature.enable(:check_path_traversal_middleware)`
- Browse `http://gdk.test:8000/foo%2F..%2Fbar`, you will be greeted with the error message.
Check the logs:

```
$ tail -f log/application_json.log | jq
...
{
  ...
  "message": "Potential path traversal attempt detected. Feedback issue: https://gitlab.com/gitlab-org/gitlab/-/issues/520714.",
  "request_rejected": true,
  "remote_ip": "172.16.123.1",
  ...
}
...
```
🪄 MR acceptance checklist
Evaluate this MR against the MR acceptance checklist. It helps you analyze changes to reduce risks in quality, performance, reliability, security, and maintainability.