Skip to content

Remove error/warning logs from Webpack manifest

Adrian Phinney requested to merge thecloudlesssky/gitlab:webpack-logs into master

What does this MR do?

This removes error and warning logs from the generated Webpack /assets/webpack/manifest.json.

I originally reported on HackerOne that Webpack error/warning logs are accessible for all GitLab instances (not just GitLab.com). For example: https://gitlab.com/assets/webpack/manifest.json

Omnibus builds of GitLab all share the same build from GitLab and therefore the build information itself is open source. However, if a customer builds from source and hosts their GitLab instance publicly, sensitive information such as build server directory structure or even worse sensitive information like environment variables could be accidentally made public.

I was told that GitLab doesn't consider these logs a security issue even for customers that choose to build from source. I disagree quite strongly with this and think all logs should be off by default rather than picking/choosing what logs GitLab thinks should be public by default for all instances of GitLab.

I'm really curious to know if other folks on the frontend-side of GitLab agree with keeping these logs accessible for all GitLab instances?

Screenshots

Example of current manifest.json:

image

Does this MR meet the acceptance criteria?

Conformity

Availability and Testing

Security

If this MR contains changes to processing or storing of credentials or tokens, authorization and authentication methods and other items described in the security review guidelines:

  • Label as security and @ mention @gitlab-com/gl-security/appsec
  • The MR includes necessary changes to maintain consistency between UI, API, email, or other methods
  • Security reports checked/validated by a reviewer from the AppSec team
Edited by Ray Paik

Merge request reports