Switch the check_path_traversal_middleware feature flag from beta to ops
🎰 Context
In https://gitlab.com/groups/gitlab-org/-/epics/13437, we have been documenting a long-running effort to implement a Rails middleware that will check all requests that go through the Rails backend.
The goal is to check the relative path of the request and run this function. If a path traversal is detected, the middleware will block/reject the request.
The related feature flag has been enabled in %18.2: Enable by default the path traversal middleware (!197109 - merged) • David Fernandez • 18.2.
Since we have had no issue feedback in #520714 (closed), we can start wrapping up the feature flag.
The feature flag will not be cleaned up as usual. Instead, it is changed into an ops one. The reason is that the middleware checks all requests, and that includes future features. Thus, we could still have false positives (valid requests that are rejected by the middleware). The ops feature flag provides a safety net in case there is a critical incident and we need to unblock the situation quickly.
Obviously, the feature flag is enabled by default.
🔬 What does this MR do and why?
- Change the `check_path_traversal_middleware` `beta` feature flag into an `ops` one.
📚 References
- https://gitlab.com/groups/gitlab-org/-/epics/13437
- https://gitlab.com/gitlab-org/gitlab/-/issues/415460
🌈 Screenshots or screen recordings
No UI changes.
⚙️ How to set up and validate locally
See !165287 (merged), except that we only have a single feature flag: `check_path_traversal_middleware`.
🏁 MR acceptance checklist
Evaluate this MR against the MR acceptance checklist. It helps you analyze changes to reduce risks in quality, performance, reliability, security, and maintainability.
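
The pattern described in the context above (a middleware that rejects requests whose path contains a traversal, with a default-on flag that can bypass it), as an added sketch that is not GitLab's implementation. The class name, the regex, the decode bound and the 400 response are assumptions made for this example; only the flag name comes from this MR.

```ruby
require 'uri'

# Rack-style middleware: any object responding to #call(env), no gem needed.
# `flags` is a hypothetical Hash of flag overrides; a missing key means "enabled".
class PathTraversalCheck
  FLAG = :check_path_traversal_middleware
  # ".." as a complete path segment, with "/" or "\" as the separator.
  TRAVERSAL = %r{(\A|[/\\])\.\.([/\\]|\z)}
  MAX_DECODE_ROUNDS = 3 # assumption: bound on nested percent-encoding

  def initialize(app, flags:)
    @app = app
    @flags = flags
  end

  def call(env)
    # Flag switched off: the check is bypassed entirely (incident safety net).
    return @app.call(env) unless @flags.fetch(FLAG, true)

    if traversal?(env['PATH_INFO'].to_s)
      return [400, { 'content-type' => 'text/plain' }, ["Path traversal detected\n"]]
    end
    @app.call(env)
  end

  # Checks the raw path, then each percent-decoded form up to the bound.
  def traversal?(path)
    candidate = path
    (MAX_DECODE_ROUNDS + 1).times do
      return true if TRAVERSAL.match?(candidate)
      decoded = decode(candidate)
      return false if decoded == candidate
      candidate = decoded
    end
    false
  end

  private

  def decode(str)
    URI.decode_www_form_component(str).scrub
  rescue ArgumentError
    str # malformed %-escape: keep the raw form
  end
end
```

A path such as `/a/file..txt` passes because `..` is not a whole segment there, which is the kind of boundary where a false positive would otherwise appear.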