Add prefix to User#static_object_token


A static_object_token is generated in User. As defense in depth, we should add a static prefix to these tokens so that it is easier to detect when an admin or user accidentally leaks them. This is not a vulnerability.

app/models/user.rb:78:3: C: Gitlab/TokenWithoutPrefix: Tokens should be prefixed. See doc/development/secure_coding_guidelines.md#token-prefixes for more information.
  add_authentication_token_field :static_object_token, encrypted: :optional
  ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
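An added example (not GitLab's code) of what a fixed prefix buys a defender: a generator that emits prefixed tokens, a check for the prefix, and a scanner that finds and redacts leaked tokens in arbitrary text. The prefix glsot- and the 20-character random part are assumptions for illustration; the prefix actually chosen for static_object_token is not stated on this page.

```ruby
require 'securerandom'

# Hypothetical prefix; the real prefix for static_object_token is not given here.
STATIC_OBJECT_TOKEN_PREFIX = 'glsot-'
TOKEN_RANDOM_LENGTH = 20

# Emit a token whose random part is preceded by a fixed, recognisable prefix.
# The prefix adds no secrecy; it only makes the token identifiable.
def generate_static_object_token(prefix: STATIC_OBJECT_TOKEN_PREFIX,
                                 length: TOKEN_RANDOM_LENGTH)
  "#{prefix}#{SecureRandom.alphanumeric(length)}"
end

def prefixed_token?(token, prefix: STATIC_OBJECT_TOKEN_PREFIX)
  token.start_with?(prefix)
end

# Pattern a secret-detection job can apply to logs, commits or pasted text.
# Without the prefix an unprefixed 20-character alphanumeric string is
# indistinguishable from any other identifier, so no reliable pattern exists.
def leaked_token_pattern(prefix: STATIC_OBJECT_TOKEN_PREFIX,
                         length: TOKEN_RANDOM_LENGTH)
  /#{Regexp.escape(prefix)}[A-Za-z0-9]{#{length}}\b/
end

# Return the distinct tokens found in the text.
def find_leaked_tokens(text, **opts)
  text.scan(leaked_token_pattern(**opts)).uniq
end

# Replace every token in the text with a fixed marker before it is stored or
# forwarded, so a leak in a log line does not propagate further.
def redact_tokens(text, **opts)
  text.gsub(leaked_token_pattern(**opts), '[REDACTED static_object_token]')
end

# Constructed sample: a support log line where a user pasted a full request.
SAMPLE_LOG = "user ran: curl -H 'X-Gitlab-Static-Object-Token: " \
             "glsot-abcdefghijKLMNOPQRST' https://example.invalid/raw " \
             "and an unrelated id abcdefghijKLMNOPQRST"

if __FILE__ == $PROGRAM_NAME
  puts generate_static_object_token
  p find_leaked_tokens(SAMPLE_LOG)
  puts redact_tokens(SAMPLE_LOG)
end
```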

Relevant:

  • https://gitlab.com/gitlab-com/gl-security/product-security/appsec/appsec-team/-/issues/482
  • Enforce prefixing for new tokens (#439007 - closed)
  • https://docs.gitlab.com/ee/administration/static_objects_external_storage.html (docs owned by ~"group::ide")
  • https://docs.gitlab.com/security/tokens/#token-prefixes
Edited Jul 01, 2025 by Nick Malcolm