diff options
| author | Prem Sichanugrist & Xavier Noria <fxn@hashref.com> | 2011-01-01 23:51:05 +0700 |
|---|---|---|
| committer | Xavier Noria <fxn@hashref.com> | 2011-03-11 00:16:18 +0100 |
| commit | 68802d0fbe9d20ef8c5f6626d4b3279bd3a42d3e (patch) | |
| tree | 1b8b15255e7719ad947fc404299b7c7e62598b17 /actionpack/test/dispatch/request_test.rb | |
| parent | 51a269b2282ec09cf58614e738a2d0e40d2909d3 (diff) | |
| download | rails-68802d0fbe9d20ef8c5f6626d4b3279bd3a42d3e.tar.gz rails-68802d0fbe9d20ef8c5f6626d4b3279bd3a42d3e.tar.bz2 rails-68802d0fbe9d20ef8c5f6626d4b3279bd3a42d3e.zip | |
Filter sensitive query string parameters in the log [#6244 state:committed]
This provides more safety to applications that put secret information in the query string, such as API keys or SSO tokens.
Signed-off-by: Xavier Noria <fxn@hashref.com>
Diffstat (limited to 'actionpack/test/dispatch/request_test.rb')
| -rw-r--r-- | actionpack/test/dispatch/request_test.rb | 38 |
1 files changed, 38 insertions, 0 deletions
diff --git a/actionpack/test/dispatch/request_test.rb b/actionpack/test/dispatch/request_test.rb index dd5bf5ec2d..f03ae7f2b3 100644 --- a/actionpack/test/dispatch/request_test.rb +++ b/actionpack/test/dispatch/request_test.rb @@ -518,6 +518,44 @@ class RequestTest < ActiveSupport::TestCase assert_equal "1", request.params["step"] end + test "filtered_path returns path with filtered query string" do + %w(; &).each do |sep| + request = stub_request('QUERY_STRING' => %w(username=sikachu secret=bd4f21f api_key=b1bc3b3cd352f68d79d7).join(sep), + 'PATH_INFO' => '/authenticate', + 'action_dispatch.parameter_filter' => [:secret, :api_key]) + + path = request.filtered_path + assert_equal %w(/authenticate?username=sikachu secret=[FILTERED] api_key=[FILTERED]).join(sep), path + end + end + + test "filtered_path should not unescape a genuine '[FILTERED]' value" do + request = stub_request('QUERY_STRING' => "secret=bd4f21f&genuine=%5BFILTERED%5D", + 'PATH_INFO' => '/authenticate', + 'action_dispatch.parameter_filter' => [:secret]) + + path = request.filtered_path + assert_equal "/authenticate?secret=[FILTERED]&genuine=%5BFILTERED%5D", path + end + + test "filtered_path should preserve duplication of keys in query string" do + request = stub_request('QUERY_STRING' => "username=sikachu&secret=bd4f21f&username=fxn", + 'PATH_INFO' => '/authenticate', + 'action_dispatch.parameter_filter' => [:secret]) + + path = request.filtered_path + assert_equal "/authenticate?username=sikachu&secret=[FILTERED]&username=fxn", path + end + + test "filtered_path should ignore searchparts" do + request = stub_request('QUERY_STRING' => "secret", + 'PATH_INFO' => '/authenticate', + 'action_dispatch.parameter_filter' => [:secret]) + + path = request.filtered_path + assert_equal "/authenticate?secret", path + end + protected def stub_request(env = {}) |