
Rails provides filter_parameter_logging to filter sensitive parameters from the rails log.

If you have a JSONP API, some sensitive information could be present in the URL. Is there a way to filter request URLs from the log also?

nessur
readonly

2 Answers


Note: The answer here was the way to get it to work on Rails 2.x ~> 3.0. Starting from Rails 3.1, if you set config.filter_parameters, Rails will filter out the sensitive parameter in the query string as well. See this commit for more detail.


I think in that case, you need to override complete_request_uri in ActionController::Base, since ActionController::Benchmarking calls that method and prints the line that looks like:

Completed in 171ms (View: 35, DB: 7) | 200 OK [http://localhost:3000/]

I think you can put this in an initializer to override this method:

class ActionController::Base
  private

  # Rebuild the URI that ActionController::Benchmarking logs, with the
  # value of the "secret" query parameter replaced before it is written.
  def complete_request_uri
    "#{request.protocol}#{request.host}#{request.request_uri.gsub(/secret=([a-z0-9]+)/i, "secret=[FILTERED]")}"
  end
end

Note that you need to play a bit with the regular expression to make it substitute the portion you want.

sikachu
  • This saved my day, thank you. I was able to simply define that function inside the controller that I wanted to filter/protect, worked great. – nessur Jul 11 '12 at 20:43
  • @nessur hey, I think this answer is quite a bit old, way way before I sent a patch to fix the parameters filtering. Now, I'm pretty sure that if you set config.filter_parameters, it will also filter out that parameter from your log. See https://github.com/rails/rails/commit/68802d0fbe9d20ef8c5f6626d4b3279bd3a42d3e and http://api.rubyonrails.org/classes/ActionDispatch/Http/FilterParameters.html for details. If not, please file a bug on Rails so I can tackle it. – sikachu Jul 11 '12 at 23:59
  • thanks, but my problem is with a Rails 2.3.12 app that I'm maintaining. We have other Rails 3.2x apps where this filtering is fine, dandy. I don't think anyone's going to release more bugfixes for Rails 2.3, right? :) Cheers! – nessur Jul 12 '12 at 14:38
  • Yep, indeeeed. Then that's the way to go :) – sikachu Jul 12 '12 at 14:41

Sadly this no longer works in Rails 3. The path (including query parameters) comes from ActionDispatch::Request, which inherits from Rack::Request. Here's the relevant monkeypatch that you can throw into an initializer:

class ActionDispatch::Request
  # fullpath (path plus query string) is what the Rails 3 logger prints;
  # memoize the redacted version so the substitution runs once per request.
  def fullpath
    @fullpath ||= super.gsub(/secret=[^&]+/, 'secret=[FILTERED]')
  end
end

I switched to using [^&] in the regex since the parameter could easily have characters that aren't letters or numbers in it.

indirect
  • This worked. Thanks! Was surprised to see this was not working on `rails 3.2.11`. Hopefully this will make it into the main rails gem. – Brian Armstrong Jan 28 '13 at 03:53
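Both answers match the query string with a regular expression keyed to one parameter name. The added helper below (example code, not from either answer or from Rails) instead parses the query string and redacts any parameter whose name matches a list shaped like config.filter_parameters, so it covers several keys at once, nested names such as user[password], and values containing characters outside [a-z0-9] that the first answer's regex would leave partly exposed. The function names and the substring-match rule for string filters are this example's own assumptions; it can be called from the fullpath override shown in the second answer.

```ruby
require 'uri'
require 'cgi'

FILTERED = '[FILTERED]'.freeze

# A parameter name is sensitive if any filter matches it: Regexp filters are
# tested directly, string/symbol filters match as a case-insensitive substring
# (assumption: this mirrors how Rails treats config.filter_parameters entries).
def sensitive_key?(name, filters)
  filters.any? do |f|
    f.is_a?(Regexp) ? name.match?(f) : name.downcase.include?(f.to_s.downcase)
  end
end

# Redact values in a raw query string, keeping the original encoding of names
# and the order of pairs so the log line still reads like the real request.
# Pairs with no "=" carry no value and are left untouched.
def filter_query_string(query, filters)
  return query if query.nil? || query.empty?

  query.split('&').map do |pair|
    name, value = pair.split('=', 2)
    decoded_name = CGI.unescape(name.to_s)   # user%5Bpassword%5D -> user[password]
    if value && sensitive_key?(decoded_name, filters)
      "#{name}=#{FILTERED}"
    else
      pair
    end
  end.join('&')
end

# Redact a full request URL for logging; only the query component is changed.
def filter_url_for_log(url, filters)
  uri = URI.parse(url)
  uri.query = filter_query_string(uri.query, filters)
  uri.to_s
end

if __FILE__ == $PROGRAM_NAME
  # Constructed sample URL: the secret value contains "-", "_" and "%2F".
  puts filter_url_for_log('http://localhost:3000/api?callback=cb&secret=aB-c_9%2F&id=7', [:secret])
  puts filter_url_for_log('http://localhost:3000/users?user%5Bpassword%5D=hunter2&user%5Bname%5D=bob', [:password])
end
```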