Matomo/Piwik string website ID ("Protect Track ID" plugin) causes JavaScript error on client
Summary
I noticed a bug in how GitLab supports the Matomo/Piwik website ID when using the "Protect Track ID" plugin. With this plugin, website IDs are strings (instead of a sequential integer, which leaks information about the Matomo instance size). Because GitLab assumes it's an integer, it does not add quotes around the ID when rendering the JavaScript code.
I understand this bug occurs when using a plugin of a third-party application, but the plugin is really useful on a security level (non-sequential IDs) and the fix (see below) is very easy.
Steps to reproduce
- Add the following to the gitlab.rb Omnibus configuration:
gitlab_rails['extra_piwik_url'] = "piwik.example.com"
gitlab_rails['extra_piwik_site_id'] = "foo42bar"
- Reconfigure GitLab with gitlab-ctl reconfigure
What is the current bug behavior?
GitLab's rendered HTML contains the following invalid code (error highlighted inline by a JS comment):
<!-- Piwik -->
<script>
var _paq = _paq || [];
_paq.push(['trackPageView']);
_paq.push(['enableLinkTracking']);
(function() {
var u="//piwik.example.com/";
_paq.push(['setTrackerUrl', u+'piwik.php']);
_paq.push(['setSiteId', foo42bar]); // <--- Here is an error: string "foo42bar" used as a variable (missing quotes)
var d=document, g=d.createElement('script'), s=d.getElementsByTagName('script')[0];
g.type='text/javascript'; g.async=true; g.defer=true; g.src=u+'piwik.js'; s.parentNode.insertBefore(g,s);
})();
</script>
<noscript><p><img src="//piwik.example.com/piwik.php?idsite=foo42bar" style="border:0;" alt="" /></p></noscript>
<!-- End Piwik Code -->
Using gitlab_rails['extra_piwik_site_id'] = "'foo42bar'" works for the <script> block but causes issues in the src of <noscript>'s <img>. It's rendered with ' around the string ID:
<img src="//piwik.example.com/piwik.php?idsite='foo42bar'" style="border:0;" alt="" />
What is the expected correct behavior?
GitLab's rendered HTML should contain the following valid code:
<!-- Piwik -->
<script>
var _paq = _paq || [];
_paq.push(['trackPageView']);
_paq.push(['enableLinkTracking']);
(function() {
var u="//piwik.example.com/";
_paq.push(['setTrackerUrl', u+'piwik.php']);
_paq.push(['setSiteId', "foo42bar"]);
var d=document, g=d.createElement('script'), s=d.getElementsByTagName('script')[0];
g.type='text/javascript'; g.async=true; g.defer=true; g.src=u+'piwik.js'; s.parentNode.insertBefore(g,s);
})();
</script>
<noscript><p><img src="//piwik.example.com/piwik.php?idsite=foo42bar" style="border:0;" alt="" /></p></noscript>
<!-- End Piwik Code -->
Relevant logs and/or screenshots
The browser (Chromium) console shows the following error:
sign_in:62 Uncaught ReferenceError: foo42bar is not defined
Output of checks
Results of GitLab environment info
System information
System: Debian 7
Current User: git
Using RVM: no
Ruby Version: 2.5.3p105
Gem Version: 2.7.6
Bundler Version: 1.17.3
Rake Version: 12.3.2
Redis Version: 3.2.12
Git Version: 2.18.1
Sidekiq Version: 5.2.5
Go Version: go1.3.3 linux/amd64

GitLab information
Version: 11.10.4
Revision: 62c464651d2
Directory: /opt/gitlab/embedded/service/gitlab-rails
DB Adapter: PostgreSQL
DB Version: 9.6.11
URL: https://gitlab.example.com
HTTP Clone URL: https://gitlab.example.com/some-group/some-project.git
SSH Clone URL: git@gitlab.example.com:some-group/some-project.git
Using LDAP: yes
Using Omniauth: yes
Omniauth Providers:

GitLab Shell
Version: 9.0.0
Repository storage paths:
- default: /var/opt/gitlab/git-data/repositories
GitLab Shell path: /opt/gitlab/embedded/service/gitlab-shell
Git: /opt/gitlab/embedded/bin/git
Results of GitLab application Check
(Not relevant)
Possible fixes
I'll open a Merge Request to fix app\views\layouts\_piwik.html.haml.
See Merge Request !28214 (merged) that fixes app\views\layouts\_piwik.html.haml
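The root cause described in this issue is a value interpolated into two different output contexts (a JavaScript expression and a URL query string) with the same raw text. The following is an added example, not GitLab's template and not the code from the merge request above: it renders the same Piwik snippet in plain Ruby and emits the site ID as a JSON literal for the script block (so both the integer 42 and the string "foo42bar" produce valid JavaScript) and as a URL-encoded value for the noscript img. The helper names js_literal and piwik_snippet are assumptions. Plain Ruby's to_json does not escape <, > or & the way Rails' encoder does, so the example escapes them itself; without that, a site ID containing </script> would close the block.

```ruby
require 'json'
require 'erb'

# Characters that must never appear raw inside a <script> block. Ruby's JSON
# generator leaves them alone, so we map them to \u escapes ourselves (this is
# what Rails' ActiveSupport JSON encoder does by default). U+2028/2029 are
# line terminators in JavaScript but not in JSON, hence they are escaped too.
JS_ESCAPES = {
  '<' => '\u003c', '>' => '\u003e', '&' => '\u0026',
  "\u2028" => '\u2028', "\u2029" => '\u2029'
}.freeze

# Render a Ruby value as a JavaScript literal safe to inline in a <script>.
# A String becomes a quoted literal, an Integer stays a bare number, so the
# template no longer has to know which form the Matomo site ID takes.
def js_literal(value)
  value.to_json.gsub(/[<>&\u2028\u2029]/, JS_ESCAPES)
end

# Same snippet as the expected output in this issue, with the site ID passed
# through the right encoder for each context. piwik_url is taken from admin
# configuration as-is, exactly as the page's template does.
def piwik_snippet(piwik_url, site_id)
  <<~HTML
    <!-- Piwik -->
    <script>
    var _paq = _paq || [];
    _paq.push(['trackPageView']);
    _paq.push(['enableLinkTracking']);
    (function() {
    var u="//#{piwik_url}/";
    _paq.push(['setTrackerUrl', u+'piwik.php']);
    _paq.push(['setSiteId', #{js_literal(site_id)}]);
    var d=document, g=d.createElement('script'), s=d.getElementsByTagName('script')[0];
    g.type='text/javascript'; g.async=true; g.defer=true; g.src=u+'piwik.js'; s.parentNode.insertBefore(g,s);
    })();
    </script>
    <noscript><p><img src="//#{piwik_url}/piwik.php?idsite=#{ERB::Util.url_encode(site_id.to_s)}" style="border:0;" alt="" /></p></noscript>
    <!-- End Piwik Code -->
  HTML
end

# The buggy rendering from the issue, for contrast: raw interpolation turns a
# string ID into an undefined identifier (ReferenceError in the browser).
def buggy_set_site_id(site_id)
  "_paq.push(['setSiteId', #{site_id}]);"
end

if $PROGRAM_NAME == __FILE__
  puts piwik_snippet('piwik.example.com', 'foo42bar')
  puts buggy_set_site_id('foo42bar')
end
```

With the string ID from the report, the script block now carries "foo42bar" in quotes while the noscript URL carries idsite=foo42bar with no quotes, which is the expected output above; with an integer ID the output is byte-for-byte what GitLab already produced.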