
Add rubocop rule for sensitive variable interpolation (!1280) · Merge requests · GitLab.org

What does this MR do and why?

Adding a security rubocop rule to alert when sensitive variables are interpolated in a string, likely to get logged.

How to set up and validate locally

Using the following file for testing:

def configuration
  Runtime::Env.require_aws_s3_environment!
  gitlab_rails['object_store']['objects']['lfs']['bucket'] = Runtime::Env.aws_s3_bucket_name # secure
  gitlab_rails['object_store']['objects']['lfs']['bucket'] = '#{Runtime::Env.aws_s3_bucket_name}' # secure
end

def configuration
  Runtime::Env.require_aws_s3_environment!

  <<~OMNIBUS
    gitlab_rails['object_store']['objects']['external_diffs']['bucket'] = '#{Runtime::Env.aws_s3_secret_key}' # vulnerable
  OMNIBUS

  <<~OMNIBUS
    gitlab_rails['object_store']['objects']['lfs']['bucket'] = '#{Runtime::Env.aws_s3_bucket_name}' # secure
  OMNIBUS
end

Run $ rubocop --only Gitlab/DangerousInterpolation

Output:

Offenses:

test.rb:5:88: C: Gitlab/DangerousInterpolation: Sensitive variables should not be logged.
              gitlab_rails['object_store']['objects']['external_diffs']['bucket'] = '#{Runtime::Env.aws_s3_secret_key}'
                                                                                       ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
Edited Feb 26, 2024 by Ameya Darshan
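The cop itself is not shown on this page, so the following is an added, stand-alone illustration (not the gitlab-qa project's code) of the kind of check it performs: walk the parsed source, find every `#{...}` interpolation, and flag identifiers inside it whose name looks sensitive. It uses only Ruby's stdlib `Ripper` parser rather than RuboCop's node matchers, and the sensitive-name pattern and the sample source are constructed for the example. Note that the single-quoted literal on line 2 of the sample produces no interpolation node at all, while the squiggly heredoc on line 4 does, which is why only the heredoc line is reported, just as in the MR's local validation.

```ruby
require 'ripper'

# Constructed for this example: names treated as sensitive. The real cop's
# list of sensitive Runtime::Env methods is not on the page.
SENSITIVE_NAME_PATTERN = /secret|password|token|private_key/i

# Constructed sample source mirroring the MR's test file. The outer heredoc is
# single-quoted (<<~'RUBY'), so the inner #{...} text is kept literally and is
# only parsed by Ripper below, never interpolated here.
SAMPLE = <<~'RUBY'
  def configuration
    gitlab_rails['lfs']['bucket'] = '#{Runtime::Env.aws_s3_secret_key}' # single quotes: no interpolation
    <<~OMNIBUS
      gitlab_rails['external_diffs']['bucket'] = '#{Runtime::Env.aws_s3_secret_key}' # heredoc interpolates
    OMNIBUS
    <<~OMNIBUS
      gitlab_rails['lfs']['bucket'] = '#{Runtime::Env.aws_s3_bucket_name}' # not sensitive
    OMNIBUS
  end
RUBY

# Parses +source+ and returns one hash per sensitive identifier found inside a
# string interpolation: { line:, column:, name: }. Returns [] on syntax errors.
def find_dangerous_interpolations(source)
  sexp = Ripper.sexp(source)
  return [] unless sexp

  offenses = []
  walk(sexp, offenses, false)
  offenses
end

# Recursive walk over Ripper's S-expression. Once we are below a
# :string_embexpr node (the #{...} part of a double-quoted string, heredoc or
# backtick literal), every :@ident leaf is a method call or local variable
# being interpolated; those matching the pattern are recorded with position.
def walk(node, offenses, inside_interpolation)
  return unless node.is_a?(Array)

  type = node.first
  if type == :string_embexpr
    node.drop(1).each { |child| walk(child, offenses, true) }
    return
  end

  if inside_interpolation && type == :@ident
    name, (line, col) = node[1], node[2]
    offenses << { line: line, column: col, name: name } if name =~ SENSITIVE_NAME_PATTERN
  end

  node.each { |child| walk(child, offenses, inside_interpolation) }
end

# Formats offenses in a RuboCop-like "file:line:col: C: Cop: message" style.
def format_offenses(offenses, filename)
  offenses.map do |o|
    "#{filename}:#{o[:line]}:#{o[:column]}: C: Example/DangerousInterpolation: " \
      "Sensitive variables should not be logged (#{o[:name]})."
  end
end

if __FILE__ == $PROGRAM_NAME
  puts format_offenses(find_dangerous_interpolations(SAMPLE), 'test.rb')
end
```

Running the file prints a single line for line 4 of the sample (the `aws_s3_secret_key` inside the interpolated heredoc); the single-quoted assignment on line 2 and the non-sensitive `aws_s3_bucket_name` on line 7 are not reported. Because the check keys on the identifier name, a local variable such as `#{token}` is flagged as well, which is a deliberate bias towards catching secrets before they reach a log.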
