NARKOZ / gitlab

Ruby wrapper and CLI for the GitLab REST API
https://narkoz.github.io/gitlab
BSD 2-Clause "Simplified" License

Redact short and known private tokens #692

Closed splattael closed 2 months ago

splattael commented 2 months ago

Prior to this commit, very short private tokens (< 4 chars) triggered: ArgumentError: negative argument

Also, if the private token was a term which was part of the inspected string, only the first occurrence was redacted.

Refs

https://gitlab.com/gitlab-org/quality/triage-ops/-/merge_requests/2919#note_1983270817

Verification

# Rollback production changes
git checkout master -- lib

bundle exec rspec spec/gitlab/client_spec.rb

Randomized with seed 22140

Gitlab::Client
  #inspect
    with a known private token
      is expected to include "@endpoint=" (FAILED - 1)
      is expected to include "@private_token=\"****oint\"" (FAILED - 2)
    with very short private token
      example at ./spec/gitlab/client_spec.rb:33 (FAILED - 3)
    with a private token
      is expected to include "@private_token=\"******oken\""
    with short private token
      is expected to include "@private_token=\"****\"" (FAILED - 4)
    without private token
      is expected not to include "@private_token="

Failures:

  1) Gitlab::Client#inspect with a known private token is expected to include "@endpoint="
     Failure/Error: it { is_expected.to include('@endpoint=') }
       expected "#<Gitlab::Client:0x00007f7d05a9ff90 @****oint=\"https://api.example.com\", @private_token=\"endpoint\", @user_agent=\"Gitlab Ruby Gem 5.0.0\">" to include "@endpoint="
     # ./spec/gitlab/client_spec.rb:27:in `block (4 levels) in <top (required)>'

  2) Gitlab::Client#inspect with a known private token is expected to include "@private_token=\"****oint\""
     Failure/Error: it { is_expected.to include('@private_token="****oint"') }
       expected "#<Gitlab::Client:0x00007f7d05fc9bd8 @****oint=\"https://api.example.com\", @private_token=\"endpoint\", @user_agent=\"Gitlab Ruby Gem 5.0.0\">" to include "@private_token=\"****oint\""
     # ./spec/gitlab/client_spec.rb:26:in `block (4 levels) in <top (required)>'

  3) Gitlab::Client#inspect with very short private token
     Failure/Error: "#{'*' * (token.size - 4)}#{token[-4..]}"

     ArgumentError:
       negative argument
     # ./lib/gitlab/client.rb:95:in `*'
     # ./lib/gitlab/client.rb:95:in `only_show_last_four_chars'
     # ./lib/gitlab/client.rb:80:in `inspect'
     # ./spec/gitlab/client_spec.rb:9:in `block (3 levels) in <top (required)>'
     # ./spec/gitlab/client_spec.rb:33:in `block (4 levels) in <top (required)>'

  4) Gitlab::Client#inspect with short private token is expected to include "@private_token=\"****\""
     Failure/Error: it { is_expected.to include('@private_token="****"') }
       expected "#<Gitlab::Client:0x00007f7d05cb9ba0 @endpoint=\"https://api.example.com\", @private_token=\"abcd\", @user_agent=\"Gitlab Ruby Gem 5.0.0\">" to include "@private_token=\"****\""
     # ./spec/gitlab/client_spec.rb:39:in `block (4 levels) in <top (required)>'

Finished in 0.0212 seconds (files took 0.19272 seconds to load)
6 examples, 4 failures

Failed examples:

rspec ./spec/gitlab/client_spec.rb:27 # Gitlab::Client#inspect with a known private token is expected to include "@endpoint="
rspec ./spec/gitlab/client_spec.rb:26 # Gitlab::Client#inspect with a known private token is expected to include "@private_token=\"****oint\""
rspec ./spec/gitlab/client_spec.rb:33 # Gitlab::Client#inspect with very short private token
rspec ./spec/gitlab/client_spec.rb:39 # Gitlab::Client#inspect with short private token is expected to include "@private_token=\"****\""

Randomized with seed 22140

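
A redaction routine written along the lines this pull request describes, as an added example that is not the gem's own code: `buggy_mask` reproduces the pre-fix expression quoted in the failure output, `mask_token` and the hypothetical `Client#inspect` avoid both defects by masking the value directly rather than substituting the raw token inside the default inspect string. The rule that tokens of four characters or fewer are masked entirely is an assumption of this example.

```ruby
# Added example, not the gem's code. Names (Client, mask_token, buggy_mask)
# are hypothetical.

# The pre-fix expression from the failure output: '*' * (negative count)
# raises ArgumentError ("negative argument") for tokens shorter than 4 chars.
def buggy_mask(token)
  "#{'*' * (token.size - 4)}#{token[-4..]}"
end

# Returns true when the pre-fix expression raises on this token.
def buggy_mask_raises?(token)
  buggy_mask(token)
  false
rescue ArgumentError
  true
end

# Hardened mask. Assumption: a token of 4 characters or fewer is masked
# entirely, so no part of a very short secret is ever revealed.
def mask_token(token)
  return '' if token.nil? || token.empty?
  return '*' * token.size if token.size <= 4

  "#{'*' * (token.size - 4)}#{token[-4..]}"
end

class Client
  attr_reader :endpoint, :private_token, :user_agent

  def initialize(endpoint:, private_token: nil, user_agent: 'Example Ruby Gem')
    @endpoint = endpoint
    @private_token = private_token
    @user_agent = user_agent
  end

  # Build the debug string from the masked value instead of rewriting the
  # default #inspect output: a token that is also a substring of another
  # attribute (e.g. "endpoint") can then neither leak nor corrupt that
  # attribute, and every occurrence of the secret is covered by construction.
  def inspect
    parts = ["@endpoint=#{@endpoint.inspect}"]
    parts << "@private_token=#{mask_token(@private_token).inspect}" if @private_token
    parts << "@user_agent=#{@user_agent.inspect}"
    "#<#{self.class.name} #{parts.join(', ')}>"
  end
end
```
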
splattael commented 2 months ago

:wave: @NARKOZ If time allows, do you mind reviewing this pull request? :pray:

NARKOZ commented 2 months ago

Thank you ❤️