
Check custom PAT prefixes with potential leak warnings

Ben King requested to merge benjaminking-custom-pat-prefix into master

What does this MR do and why?

Related to #411146 (closed)

In GitLab 15.11, front-end code now checks whether a sensitive token value is included in a proposed merge request, comment or issue. In its first iteration, the code only checks for a personal access token or feed token, using two regex strings:

  • glpat-[0-9a-zA-Z_-]{20}
  • feed_token=[0-9a-zA-Z_-]{20}

This merge request extends the feature by reading the Personal Access Token prefix configured on a Self-Managed instance and treating it as another rule that may match a sensitive token value.

To accomplish this, JavaScript is given the current PAT prefix value through lib/gitlab/gon_helper.rb, and the regex is built as a template string from that prefix:

```diff
    {
      name: 'GitLab Personal Access Token',
-     regex: 'glpat-[0-9a-zA-Z_-]{20}',
+     regex: `${patPrefix}[0-9a-zA-Z_-]{20}`,
    },
```
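To make the construction above concrete, the following is an added example (not GitLab's code) that builds the token-detection rules from a configured prefix and runs them over a comment body. It also covers two points a reviewer would want checked: the prefix is regex-escaped before interpolation, so a prefix containing metacharacters cannot change the pattern, and the default `glpat-` rule is kept when a custom prefix is configured, since tokens minted before the prefix change still carry the old prefix. The rule list, `DEFAULT_PAT_PREFIX`, and the helper names are assumptions made for this illustration.

```javascript
// Added example, not part of the GitLab MR. Builds secret-detection rules from
// the instance PAT prefix and scans text for matches.

const DEFAULT_PAT_PREFIX = 'glpat-'; // assumed default, matching the MR text
const TOKEN_BODY = '[0-9a-zA-Z_-]{20}'; // token body pattern quoted in the MR

// Escape regex metacharacters so a prefix such as "acme.pat-" is matched
// literally rather than interpreted as a pattern.
function escapeRegex(s) {
  return s.replace(/[.*+?^${}()|[\]\\]/g, '\\$&');
}

// Build the rule list. The entry shape mirrors the one shown in the MR diff;
// the extra feed-token and default-prefix rules are this example's additions.
function buildRules(patPrefix) {
  const prefix = patPrefix && patPrefix.length > 0 ? patPrefix : DEFAULT_PAT_PREFIX;
  const rules = [
    { name: 'GitLab Personal Access Token', regex: `${escapeRegex(prefix)}${TOKEN_BODY}` },
    { name: 'GitLab Feed Token', regex: `feed_token=${TOKEN_BODY}` },
  ];
  // Tokens issued before the prefix was changed still start with the default
  // prefix, so keep detecting those as well (design choice of this example).
  if (prefix !== DEFAULT_PAT_PREFIX) {
    rules.push({
      name: 'GitLab Personal Access Token (default prefix)',
      regex: `${DEFAULT_PAT_PREFIX}${TOKEN_BODY}`,
    });
  }
  return rules;
}

// Scan `text` with every rule. The returned hits carry a redacted form of the
// match so the warning itself does not echo the full secret back to the page.
function findSensitiveTokens(text, patPrefix) {
  const hits = [];
  for (const rule of buildRules(patPrefix)) {
    const re = new RegExp(rule.regex, 'g');
    for (const m of text.matchAll(re)) {
      hits.push({ name: rule.name, redacted: `${m[0].slice(0, 8)}...` });
    }
  }
  return hits;
}

// Constructed sample inputs; the token values are not real credentials.
const SAMPLE_DEFAULT = 'Here is my token glpat-abcdefghijklmnopqrst, please test';
const SAMPLE_CUSTOM = 'New token: acme-abcdefghijklmnopqrst and old one glpat-abcdefghijklmnopqrst';

console.log(findSensitiveTokens(SAMPLE_DEFAULT, ''));
console.log(findSensitiveTokens(SAMPLE_CUSTOM, 'acme-'));
```

Without the escaping step, a prefix such as `acme.pat-` would let `acmeXpat-...` through as a match and, more importantly, any prefix containing `(`, `[` or `\` would throw when passed to `new RegExp`, disabling the warning entirely.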

Screenshots or screen recordings

[screen recording: prefix-test]

How to set up and validate locally

  1. Without configuring a custom prefix, create a Personal Access Token. It should carry the default prefix glpat-.
  2. Create an issue on any project and start writing a comment. Include the PAT you just generated in the comment. A warning is presented indicating that you might be sharing sensitive token data; this is the current behaviour.
  3. In the admin area of the instance, configure a Personal Access Token Prefix and Save changes.
  4. Create another new Personal Access Token. When viewed, it should start with the custom prefix you configured.
  5. On the same or a new issue, include the PAT you just generated, which should have the custom prefix, in a comment. The same warning is presented.

MR acceptance checklist

This checklist encourages us to confirm any changes have been analyzed to reduce risks in quality, performance, reliability, security, and maintainability.

Edited by Ben King
