Fix Sentry tracking of SQL queries

Heinrich Lee Yu requested to merge track-sql-queries-sentry into master

What does this MR do?

This is a follow-up to !45975 (merged) so that we could also track SQL queries when the exception happens in controllers / views.

The previous solution only worked if we explicitly called Gitlab::ErrorTracking#process_exception. This works in the API / Grape because we do this in https://gitlab.com/gitlab-org/gitlab/blob/cfaea0341c60a8b18016629bf15e8e4d0948a777/lib/api/helpers.rb#L469.

But for Rails controllers / views, these are already caught automatically by sentry-raven and do not go through the Gitlab::ErrorTracking methods.

So this MR moves the SQL injection logic to the before_send hook.

This also checks exception.cause for cases where the exception is wrapped by another one. This happens when the exception is triggered in views.

Screenshots (strongly suggested)

Does this MR meet the acceptance criteria?

Conformity

Availability and Testing

Security

If this MR contains changes to processing or storing of credentials or tokens, authorization and authentication methods and other items described in the security review guidelines:

  • Label as security and @ mention @gitlab-com/gl-security/appsec
  • The MR includes necessary changes to maintain consistency between UI, API, email, or other methods
  • Security reports checked/validated by a reviewer from the AppSec team
Edited by Heinrich Lee Yu
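The approach described in the MR, as an added example that is not GitLab's or sentry-raven's own code: a `before_send` hook that attaches tracked SQL queries to the Sentry event and walks `exception.cause` so that queries recorded on an exception later wrapped by a view-rendering error are still found. `SqlTracker`, the `:sql_queries` storage, the `:sql` extra key and the query cap are hypothetical names; the event is a plain Hash stand-in and the hook assumes sentry-raven passes `hint[:exception]`.

```ruby
# Hypothetical module (not GitLab's): stores tracked SQL queries on the
# exception object and surfaces them from a Sentry before_send hook.
module SqlTracker
  MAX_QUERIES = 5 # hypothetical cap so events stay small

  def self.record(exception, queries)
    exception.instance_variable_set(:@sql_queries, queries)
  end

  def self.queries_for(exception)
    exception.instance_variable_get(:@sql_queries)
  end

  # Walk the cause chain, outermost first, and return the first set of
  # tracked queries. Bounded depth and a seen-set guard against long or
  # self-referencing chains.
  def self.find_queries(exception, max_depth: 10)
    seen = {}
    current = exception
    max_depth.times do
      break if current.nil? || seen[current.object_id]
      seen[current.object_id] = true
      queries = queries_for(current)
      return queries if queries
      current = current.cause
    end
    nil
  end

  # before_send hook body: event is treated as a Hash here (stand-in for the
  # real event object); hint[:exception] is assumed to carry the exception.
  def self.before_send(event, hint)
    exception = hint[:exception]
    queries = exception && find_queries(exception)
    return event unless queries
    event[:extra] ||= {}
    event[:extra][:sql] = queries.last(MAX_QUERIES)
    event
  end

  # Constructed sample: an inner exception with tracked queries, re-raised
  # as a wrapper the way a view-rendering error wraps the original.
  def self.sample_wrapped_exception(queries)
    begin
      raise ArgumentError, "inner failure"
    rescue ArgumentError => inner
      record(inner, queries)
      raise RuntimeError, "view wrapper" # Ruby sets #cause to inner
    end
  rescue RuntimeError => outer
    outer
  end
end
```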
