From 33b93174f0db9783b3c6c906666923103569c6a3 Mon Sep 17 00:00:00 2001
From: Guillaume Malette <gmalette@gmail.com>
Date: Fri, 31 Jan 2014 03:50:09 +0000
Subject: Allow filtering params based on parent keys

Add the possibility to only filter parameters based on
their full path instead of relying on the immediate key.

    config.filter_parameters += ['credit_card.code']

    { 'credit_card' => { 'code' => '[FILTERED]' },
      'source' => { 'code' => '<%= puts 5 %>' } }
---
 .../lib/action_dispatch/http/parameter_filter.rb   | 24 +++++++++++++++-------
 1 file changed, 17 insertions(+), 7 deletions(-)

(limited to 'actionpack/lib/action_dispatch')

diff --git a/actionpack/lib/action_dispatch/http/parameter_filter.rb b/actionpack/lib/action_dispatch/http/parameter_filter.rb
index df4b073a17..6e058b829e 100644
--- a/actionpack/lib/action_dispatch/http/parameter_filter.rb
+++ b/actionpack/lib/action_dispatch/http/parameter_filter.rb
@@ -30,36 +30,46 @@ module ActionDispatch
             when Regexp
               regexps << item
             else
-              strings << item.to_s
+              strings << Regexp.escape(item.to_s)
             end
           end
 
+          deep_regexps, regexps = regexps.partition { |r| r.to_s.include?("\\.") }
+          deep_strings, strings = strings.partition { |s| s.include?("\\.") }
+
           regexps << Regexp.new(strings.join('|'), true) unless strings.empty?
-          new regexps, blocks
+          deep_regexps << Regexp.new(deep_strings.join('|'), true) unless deep_strings.empty?
+
+          new regexps, deep_regexps, blocks
         end
 
-        attr_reader :regexps, :blocks
+        attr_reader :regexps, :deep_regexps, :blocks
 
-        def initialize(regexps, blocks)
+        def initialize(regexps, deep_regexps, blocks)
           @regexps = regexps
+          @deep_regexps = deep_regexps.any? ? deep_regexps : nil
           @blocks  = blocks
         end
 
-        def call(original_params)
+        def call(original_params, parents = [])
           filtered_params = {}
 
           original_params.each do |key, value|
+            parents.push(key) if deep_regexps
             if regexps.any? { |r| key =~ r }
               value = FILTERED
+            elsif deep_regexps && (joined = parents.join('.')) && deep_regexps.any? { |r| joined =~ r }
+              value = FILTERED
             elsif value.is_a?(Hash)
-              value = call(value)
+              value = call(value, parents)
             elsif value.is_a?(Array)
-              value = value.map { |v| v.is_a?(Hash) ? call(v) : v }
+              value = value.map { |v| v.is_a?(Hash) ? call(v, parents) : v }
             elsif blocks.any?
               key = key.dup if key.duplicable?
               value = value.dup if value.duplicable?
               blocks.each { |b| b.call(key, value) }
             end
+            parents.pop if deep_regexps
 
             filtered_params[key] = value
           end
-- 
cgit v1.2.3