CODEWITHSUNDEEP
ruby-on-railsrubyparametersfiltering
user2012677
user2012677

Reputation: 5745

Parameter filter for password not working (Ruby on Rails)

I am creating a logging method in my application controller. I have the following setup, but for some reason, my parameter filter is not filtering the password. What is missing? How do I make sure my app is secure and that all the password parameters are being filtered?

config/applicaton.rb

  # Configure sensitive parameters which will be filtered from the log file.
  config.filter_parameters += [:password]

applicaton controller

  before_filter :record_activity

  def record_activity(note = nil)
      @activity={}
      @activity['user'] = current_user
      @activity['note'] = note
      @activity['browser'] = request.env['HTTP_USER_AGENT']
      @activity['ip_address'] = request.env['REMOTE_ADDR']
      @activity['controller'] = controller_name 
      @activity['action'] = action_name 
      @activity['params'] = log_filter(params.inspect)
      p @activity
  end

OUTPUT IN TERMINAL

    15:39:38 web.1    | 
{"user"=>nil, 
"note"=>nil, 
"browser"=>"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.8; rv:20.0) Gecko/20100101 Firefox/20.0",
 "ip_address"=>"127.0.0.1", 
"controller"=>"sessions", 
"action"=>"create", 
"params"=>"{\"utf8\"=>\"✓\", \"authenticity_token\"=>\"dYofOQ64sTajNVn2JiJWVM+E3kz5jCGazrYBObukBAQ=\", 
\"user\"=>{\"email\"=>\"[email protected]\",
 \"password\"=>\"thepasswordexposed\",
 \"remember_me\"=>\"0\"}, 
\"commit\"=>\"Login\", 
\"action\"=>\"create\", 
\"controller\"=>\"sessions\"}"}

*EDIT: * I've added the following, but it still does not work, any recommendation?

  def log_filter(hash)
    filters = Rails.application.config.filter_parameters
    f = ActionDispatch::Http::ParameterFilter.new filters
    f.filter hash
  end

Error on line 36 ...

NoMethodError at /users/sign_in    
undefined method `each' for #<String:0x007fa0280b3a68>

36     f.filter hash

ANSWER:

My solution was as follows, I needed to remove the .inspect and it started working.

  def record_activity(note = nil)
      @activity={}
      @activity['user'] = current_user
      @activity['note'] = note
      @activity['browser'] = request.env['HTTP_USER_AGENT']
      @activity['ip_address'] = request.env['REMOTE_ADDR']
      @activity['controller'] = controller_name 
      @activity['action'] = action_name 
      @activity['params'] = params
      p @activity
  end

Upvotes: 1

Views: 3195

Answers (1)

Danil Speransky
Danil Speransky

Reputation: 30453

That is because config.filter_parameters is just for http parameters (which you get then in params). It will not work with your own objects.

So if you make a request then in log file you will have some standard information

Started GET "/en/projects/1/edit" for 127.0.0.1 at 2013-04-28 04:13:11 +0700
Processing by ProjectsController#edit as HTML
  Parameters: {"locale"=>"en", "id"=>"1"}

In row with Parameters value for password will be filtered it is there.

But if you use p or puts it will not work.

Here way for manually filter parameters

Upvotes: 4

Related Questions