By default, Rails writes every request parameter to the logs. This is useful for debugging, but not so grand when the parameters are sensitive, e.g.:
Parameters: {"user"=>{"login"=>"mylogin", "answer"=>"my answer", "question"=>"my question ", "terms"=>"1", "new_password"=>"mypass123", "new_password_confirmation"=>"mypass123"}, "commit"=>"Activate my account", "_method"=>"put"} ...
OR
Parameters: {"commit"=>"Log in", "action"=>"create", "controller"=>"sessions", "password"=>"mypass123", "login"=>"mylogin"} ...
Filtering this out is a one-liner in Rails. Just add the line to the top of the relevant controller(s):
class SessionsController < ApplicationController
  # filter out sensitive fields from the log
  filter_parameter_logging 'password'
  # rest of controller goes here...
end

class UsersController < ApplicationController
  # filter out sensitive fields from the log
  filter_parameter_logging 'password', 'question', 'answer', 'given_answer'
  # rest of controller goes here...
end
This turns those log lines into:
Parameters: {"user"=>{"login"=>"mylogin", "answer"=>"[FILTERED]", "question"=>"[FILTERED]", "terms"=>"1", "new_password"=>"[FILTERED]", "new_password_confirmation"=>"[FILTERED]"}, "commit"=>"Activate my account", "_method"=>"put"} ...
OR
Parameters: {"commit"=>"Log in", "action"=>"create", "controller"=>"sessions", "password"=>"[FILTERED]", "login"=>"mylogin"} ...
Note that it's even smart enough to filter out the "password_confirmation" field without requiring a specific reference to it: the filter matches any parameter name that contains one of the given words (case-insensitively), so 'password' also covers "new_password" and "new_password_confirmation".
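To show exactly why the filter lists above produce the masked log lines, here is an added stand-alone Ruby model of the filtering (not Rails' own implementation). It assumes the filter is one case-insensitive regexp built from the configured words, applied to every key including nested hashes, and runs it over constructed copies of the two parameter hashes from the log lines.

```ruby
# Added stand-alone model of filter_parameter_logging (not Rails' own code).
# Assumption: the filter is one case-insensitive regexp built from the configured
# words, so any key *containing* a word is masked; that is why 'password' also
# covers 'new_password' and 'new_password_confirmation'.
FILTERED = "[FILTERED]".freeze

# Build one regexp from the configured words, e.g. /password|answer/i.
def build_filter(*words)
  Regexp.new(words.map { |w| Regexp.escape(w.to_s) }.join("|"), Regexp::IGNORECASE)
end

# Return a copy of params with matching keys masked, recursing into nested
# hashes so "user" => { "new_password" => ... } is handled too.
def filter_params(params, filter)
  params.each_with_object({}) do |(key, value), out|
    out[key] = if key.to_s =~ filter
                 FILTERED
               elsif value.is_a?(Hash)
                 filter_params(value, filter)
               else
                 value
               end
  end
end

# Constructed sample parameters matching the two log lines discussed above.
SIGNUP_PARAMS = {
  "user" => { "login" => "mylogin", "answer" => "my answer",
              "question" => "my question", "terms" => "1",
              "new_password" => "mypass123",
              "new_password_confirmation" => "mypass123" },
  "commit" => "Activate my account", "_method" => "put"
}.freeze
LOGIN_PARAMS = {
  "commit" => "Log in", "action" => "create", "controller" => "sessions",
  "password" => "mypass123", "login" => "mylogin"
}.freeze

# UsersController's filter list from the post applied to the activation request.
def filtered_signup
  filter_params(SIGNUP_PARAMS, build_filter("password", "question", "answer", "given_answer"))
end

# SessionsController's filter list from the post applied to the login request.
def filtered_login
  filter_params(LOGIN_PARAMS, build_filter("password"))
end
puts "Parameters: #{filtered_signup.inspect}"
puts "Parameters: #{filtered_login.inspect}"
```

In Rails 3 and later the same masking is configured once for the whole application with config.filter_parameters (config/initializers/filter_parameter_logging.rb) instead of per controller.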