From bd0bfdd1476ca8b44ca41a1d6c4f8c830dc59503 Mon Sep 17 00:00:00 2001
From: Mark Chao
Date: Wed, 31 Oct 2018 11:28:33 +0800
Subject: [PATCH] Redact sensitive information on workhorse log

---
 GITLAB_WORKHORSE_VERSION | 2 +-
 changelogs/unreleased/security-182-update-workhorse.yml | 5 +++++
 config/application.rb | 3 +++
 3 files changed, 9 insertions(+), 1 deletion(-)
 create mode 100644 changelogs/unreleased/security-182-update-workhorse.yml

diff --git a/GITLAB_WORKHORSE_VERSION b/GITLAB_WORKHORSE_VERSION
index 21c8c7b46b8..1996c504476 100644
--- a/GITLAB_WORKHORSE_VERSION
+++ b/GITLAB_WORKHORSE_VERSION
@@ -1 +1 @@
-7.1.1
+7.1.3
diff --git a/changelogs/unreleased/security-182-update-workhorse.yml b/changelogs/unreleased/security-182-update-workhorse.yml
new file mode 100644
index 00000000000..76850901b68
--- /dev/null
+++ b/changelogs/unreleased/security-182-update-workhorse.yml
@@ -0,0 +1,5 @@
+---
+title: Redact sensitive information on gitlab-workhorse log
+merge_request:
+author:
+type: security
diff --git a/config/application.rb b/config/application.rb
index 796aa85e113..cdc50372011 100644
--- a/config/application.rb
+++ b/config/application.rb
@@ -97,6 +97,9 @@ module Gitlab
 # - Webhook URLs (:hook)
 # - Sentry DSN (:sentry_dsn)
 # - File content from Web Editor (:content)
+ #
+ # NOTE: It is **IMPORTANT** to also update gitlab-workhorse's filter when adding parameters here to not
+ # introduce another security vulnerability: https://gitlab.com/gitlab-org/gitlab-workhorse/issues/182
 config.filter_parameters += [/token$/, /password/, /secret/, /key$/]
 config.filter_parameters += %i(
 certificate
-- 
GitLab
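Review bot: The added NOTE in config/application.rb is the only thing keeping the Rails `filter_parameters` list and the gitlab-workhorse log filter in sync; nothing in this commit checks the two against each other, so a parameter added to either list later is silently logged in clear by the other component until someone reads the comment. Since this same patch moves GITLAB_WORKHORSE_VERSION from 7.1.1 to 7.1.3 (presumably the version carrying the matching workhorse-side filter), the comment should name that pin so a reader knows the minimum workhorse version the redaction depends on, e.g. `# Keep both lists below in sync with the parameter filter in gitlab-workhorse (see GITLAB_WORKHORSE_VERSION and workhorse issue 182).` The note is also placed above the first `+=` only, while a second `%i(` list follows immediately; wording it as "both lists below" makes the coupling apply to the symbol list too, which is the one most likely to be extended. A follow-up spec that asserts the pinned workhorse filter covers every entry of `config.filter_parameters` would turn this comment-only safeguard into a test; the surrounding `filter_parameters` assignments continue outside the hunk.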