
Filter query-string secrets out of logged URLs

Modify workhorse so that private-token and authenticity-token query-string parameters are not logged. Instead, they will be displayed as authenticity_token=[FILTERED]. The remainder of the query string will be displayed unaltered.

Every URL logged should be passed through ScrubURLParams. I looked into having a wrapper around the logWriter in gitlab-workhorse/logging.go, but this would slow down logging significantly and wouldn't be guaranteed to work anyway (since the message may be split into two Write() calls across the query-string boundary).

Related to #71 (closed)

Edited by Nick Thomas
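
The approach described above, as an added Go sketch that is not the merge request's own code: it masks secret parameter values in a URL string while leaving the rest byte-for-byte intact, and shows why scrubbing each `Write()` call separately can miss a secret. The function names `scrubURL` and `scrubPerWrite`, the `private_token` spelling, and the sample URLs are assumptions.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// Parameter names are assumptions taken from the description above.
// The value runs up to the next '&', '#' or whitespace.
var secretParam = regexp.MustCompile(`([?&](?:private_token|authenticity_token)=)[^&#\s]*`)

// scrubURL masks the values of secret query parameters. It edits the raw
// string instead of re-encoding a parsed query, so every other byte of the
// URL (ordering, escaping, fragment) stays as it was.
func scrubURL(raw string) string {
	return secretParam.ReplaceAllString(raw, "${1}[FILTERED]")
}

// scrubPerWrite models a filtering log writer: each Write() payload is
// scrubbed on its own, so a parameter split across two calls is never seen
// whole and its value reaches the log.
func scrubPerWrite(chunks ...string) string {
	var b strings.Builder
	for _, c := range chunks {
		b.WriteString(scrubURL(c))
	}
	return b.String()
}

func main() {
	// Constructed sample URLs; the token values are made up.
	urls := []string{
		"/api/v3/projects?private_token=abc123&page=2",
		"/users/sign_in?utf8=%E2%9C%93&authenticity_token=x%2Fy%3D%3D#top",
		"/search?q=private_token", // the name appears only as a value
	}
	for _, u := range urls {
		fmt.Println(scrubURL(u))
	}
	// One log line delivered in two writes, split inside the parameter name.
	fmt.Println(scrubPerWrite("GET /api?private_", "token=abc123&page=2"))
}
```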
