From 180dcd1bfa801ad132343c64245db606bd85ed96 Mon Sep 17 00:00:00 2001 From: Zhang Kang Date: Fri, 7 Sep 2018 09:46:54 +0800 Subject: Configuration item `config.filter_parameters` could also filter out sensitive value of database column when call `#inspect` * Why Some sensitive data will be exposed in log accidentally by calling `#inspect`, e.g. ```ruby @account = Account.find params[:id] payload = { account: @account } logger.info "payload will be #{ payload }" ``` All the information of `@account` will be exposed in log. * Solution Add a class attribute filter_attributes to specify which values of columns shouldn't be exposed. This attribute equals to `Rails.application.config.filter_parameters` by default. ```ruby Rails.application.config.filter_parameters += [:credit_card_number] Account.last.insepct # => # ``` --- railties/test/application/configuration_test.rb | 9 +++++++++ 1 file changed, 9 insertions(+) (limited to 'railties/test/application') diff --git a/railties/test/application/configuration_test.rb b/railties/test/application/configuration_test.rb index c2699006f6..f5119b1931 100644 --- a/railties/test/application/configuration_test.rb +++ b/railties/test/application/configuration_test.rb @@ -1996,6 +1996,15 @@ module ApplicationTests assert_equal false, ActionView::Template.finalize_compiled_template_methods end + test "ActiveRecord::Base.filter_attributes should equal to filter_parameters" do + app_file "config/initializers/filter_parameters_logging.rb", <<-RUBY + Rails.application.config.filter_parameters += [ :password, :credit_card_number ] + RUBY + app "development" + assert_equal [ :password, :credit_card_number ], Rails.application.config.filter_parameters + assert_equal [ :password, :credit_card_number ], ActiveRecord::Base.filter_attributes + end + private def force_lazy_load_hooks yield # Tasty clarifying sugar, homie! We only need to reference a constant to load it. -- cgit v1.2.3
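Review bot: the new test asserts exact equality with `[ :password, :credit_card_number ]` after a `+=` in the initializer, so it silently depends on `filter_parameters` being empty before that initializer runs; since the file is written as `filter_parameters_logging.rb` (not the conventional `filter_parameter_logging.rb`), any default initializer that also adds `:password` would make the array `[ :password, :password, :credit_card_number ]` and fail the first assertion for a reason unrelated to the feature. Assigning with `=` instead of `+=`, or asserting `assert_equal Rails.application.config.filter_parameters, ActiveRecord::Base.filter_attributes` directly, would make the test check only the property the commit message promises (that the defaults are equal). The test also covers only values set before `app "development"` boots; a second case that changes `filter_parameters` after boot would document whether `filter_attributes` is meant to track later changes or is a one-time copy, which matters for a setting whose purpose is keeping column values out of logs.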