From 69ab91ae9396f0101afd13871f179a7f779d3178 Mon Sep 17 00:00:00 2001
From: Lukasz Sarnacki <lukesarnacki@gmail.com>
Date: Thu, 23 Jan 2014 16:31:52 +0100
Subject: Log which keys were set to nil in deep_munge

deep_munge solves CVE-2013-0155 security vulnerability, but its
behaviour is definately confuisng. This commit adds logging to deep_munge.
It logs keys for which values were set to nil.

Also mentions in guides were added.
---
 actionpack/lib/action_dispatch/request/utils.rb | 13 +++++++++----
 1 file changed, 9 insertions(+), 4 deletions(-)

(limited to 'actionpack/lib/action_dispatch')

diff --git a/actionpack/lib/action_dispatch/request/utils.rb b/actionpack/lib/action_dispatch/request/utils.rb
index a6dca9741c..9d4f1aa3c5 100644
--- a/actionpack/lib/action_dispatch/request/utils.rb
+++ b/actionpack/lib/action_dispatch/request/utils.rb
@@ -7,18 +7,23 @@ module ActionDispatch
 
       class << self
         # Remove nils from the params hash
-        def deep_munge(hash)
+        def deep_munge(hash, keys = [])
           return hash unless perform_deep_munge
 
           hash.each do |k, v|
+            keys << k
             case v
             when Array
-              v.grep(Hash) { |x| deep_munge(x) }
+              v.grep(Hash) { |x| deep_munge(x, keys) }
               v.compact!
-              hash[k] = nil if v.empty?
+              if v.empty?
+                hash[k] = nil
+                ActiveSupport::Notifications.instrument("deep_munge.action_controller", keys: keys)
+              end
             when Hash
-              deep_munge(v)
+              deep_munge(v, keys)
             end
+            keys.pop
           end
 
           hash
-- 
cgit v1.2.3