Mask filterable parameters from sanitised URLs
What does this MR do?
Sanitised URLs are used for logging and display purposes only, and are intended to prevent sensitive information, such as credentials and access tokens, from leaking.
This change ensures that if URLs contain certain parameters, as configured by Rails.application.config.filter_parameters, these parameters in the sanitised URL will be masked with the phrase [FILTERED].
This is required for distributed tracing, which emits the http.url field, which is intended to include the full URL including querystring parameters. Since we want to avoid sensitive information such as ?private_token values leaking, we need to mask the URL.
What are the relevant issue numbers?
Does this MR meet the acceptance criteria?
- Changelog entry added, if necessary
- Documentation created/updated via this MR
- Documentation reviewed by technical writer or follow-up review issue created
- Tests added for this feature/bug
- Tested in all supported browsers
- Conforms to the code review guidelines
- Conforms to the merge request performance guidelines
- Conforms to the style guides
- Conforms to the database guides
- Link to e2e tests MR added if this MR has Requires e2e tests label. See the Test Planning Process.
- Security reports checked/validated by reviewer
Edited by Andrew Newdigate
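
The query-string masking described in this MR, as an added Ruby example that is not GitLab's own code. FILTER_PARAMETERS is a constructed stand-in for Rails.application.config.filter_parameters, the helper names are hypothetical, and matching strings and symbols as case-insensitive substrings is an approximation of Rails' behaviour.

```ruby
require 'uri'

# Constructed stand-in for Rails.application.config.filter_parameters.
FILTER_PARAMETERS = [:private_token, 'password', /\Asecret\z/i].freeze
MASK = '[FILTERED]'

# Hypothetical helper. Symbols and strings match as case-insensitive
# substrings, regexps as given (an approximation of Rails' matching).
def filtered_key?(key, filters = FILTER_PARAMETERS)
  filters.any? do |f|
    f.is_a?(Regexp) ? f.match?(key) : key.downcase.include?(f.to_s.downcase)
  end
end

# Hypothetical helper: returns the URL with the values of filterable query
# parameters replaced by MASK, or nil if the URL cannot be parsed, so that
# an unparseable URL is never logged verbatim.
def mask_query_params(url, filters = FILTER_PARAMETERS)
  uri = URI.parse(url)
  return uri.to_s if uri.query.nil?

  uri.query = uri.query.split('&').map do |pair|
    raw_key, raw_value = pair.split('=', 2)
    # Decode only for matching, so an encoded name such as
    # private%5Ftoken is still recognised; other pairs stay untouched.
    key = URI.decode_www_form_component(raw_key.to_s)
    raw_value && filtered_key?(key, filters) ? "#{raw_key}=#{MASK}" : pair
  end.join('&')
  uri.to_s
rescue URI::InvalidURIError, ArgumentError
  nil
end

# Hypothetical helper: decoded query pairs of a URL, for inspection.
def query_pairs(url)
  URI.decode_www_form(URI.parse(url).query.to_s)
end
```

Only the values of matching parameters are replaced; parameter names and all other pairs are passed through as they were received.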