353857: Filter environment variable logs
What does this MR do and why?
Adds a new EnvVarsLogger to gitlab/lib/api/api.rb, in order to correctly filter sensitive keys and values when submitted to any of the three environment variables API endpoints (instance, group, and project).
API Log examples
Bug behavior
*** /var/log/gitlab/api_json.log ***) { ... "status":200,"method":"PUT","path":"/api/v4/projects/5/variables/TEST_SSH_KEY","params":[{"key":"masked","value":null},{"key":"variable_type","value":"file"},{"key":"value","value":"-----BEGIN OPENSSH PRIVATE KEY-----" .. }
Expected behavior
*** /var/log/gitlab/api_json.log ***) { ... "status":200,"method":"PUT","path":"/api/v4/projects/5/variables/TEST_SSH_KEY","params":[{"key":"TEST_SSH_KEY","value":"[FILTERED]"},{"key":"variable_type","value":"file"} .. }
See my description in issue #353857 (closed) . As is, if the user submits an environment variable key with a name like 'TEST_SSH_KEY', the param 'key' has it's value masked, but the param 'value' is actually printed to the log. Which in the case of a personal SSH key, is a security issue.
How to set up and validate locally
- Start with a freshly installed GDK.
- Create a user with the admin role.
- Create a group and project for that user.
- Create an access token with admin api scope.
- Send a POST request to the Project-level variables API
curl --request POST --header "PRIVATE-TOKEN: <your_access_token>" \ "https://<gitlab.example.com>/api/v4/projects/1/variables" --form "key=TEST_SSH_KEY" --form "value=-----BEGIN OPENSSH PRIVATE KEY----- This isn't actually a private key, just some testing"
MR acceptance checklist
This checklist encourages us to confirm any changes have been analyzed to reduce risks in quality, performance, reliability, security, and maintainability.
-
I have evaluated the MR acceptance checklist for this MR.
Related to #353857 (closed) @gitlab-com/gl-security/appsec security