Filtered parameter logging
Posted by josh August 21, 2006 @ 04:33 AM
Now that the hubbub about the recent security issues has died down, I think it's worth pointing out a little jewel that was snuck into the 1.1.6 security release of Rails that most people missed.
ActionController#filter_parameter_logging lets you filter form data that you don't want saved in the log. This is useful for preventing sensitive data like passwords and credit card numbers from being logged in the clear, for keeping huge pieces of data from clogging the log file, and so on.
If your application accepts passwords, paste this line into your ApplicationController class:
filter_parameter_logging "password"
That will prevent any field with a name matching the pattern /password/i from being logged, so both [user][password] and [user][password_confirmation] will be filtered out. If you care about preventing exposure of passwords, go do that right now.
Credit to Jeremy Evans for his patch!
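As an added illustration of the behaviour described above (this is a stand-alone sketch, not the Rails 1.1.6 implementation or Jeremy's patch), the following shows how a filter word becomes a case-insensitive pattern that is matched against every parameter name, including nested ones, so that both password and password_confirmation come out as "[FILTERED]" while unrelated fields are left alone. The sample params hash is constructed for the example.

```ruby
# Added example (not the Rails 1.1.6 implementation): a stand-alone sketch
# of how filter_parameter_logging-style filtering works. Each filter word is
# turned into a case-insensitive regexp and matched against parameter names;
# matching values are replaced with "[FILTERED]" before the hash is logged.
# Nested hashes (params[:user][:password]) are walked recursively, so both
# "password" and "password_confirmation" are caught.

FILTERED = "[FILTERED]"

# Build case-insensitive patterns from the filter words, mirroring the
# /password/i behaviour described in the post. Strings or symbols work.
def build_filters(*words)
  words.flatten.map { |w| Regexp.new(Regexp.escape(w.to_s), Regexp::IGNORECASE) }
end

# Return a copy of +params+ with the values of matching keys replaced.
# A matching key hides its whole subtree; arrays of hashes are traversed too.
def filter_parameters(params, filters)
  case params
  when Hash
    params.each_with_object({}) do |(key, value), out|
      if filters.any? { |re| re.match?(key.to_s) }
        out[key] = FILTERED
      else
        out[key] = filter_parameters(value, filters)
      end
    end
  when Array
    params.map { |v| filter_parameters(v, filters) }
  else
    params
  end
end

# Constructed sample request, shaped like what a Rails controller logs.
SAMPLE_PARAMS = {
  "controller" => "users",
  "action" => "create",
  "user" => {
    "login" => "josh",
    "password" => "hunter2",
    "password_confirmation" => "hunter2",
    "card" => { "number" => "4111111111111111" }
  }
}

if __FILE__ == $0
  puts filter_parameters(SAMPLE_PARAMS, build_filters("password")).inspect
end
```

Note that with only "password" in the list the card number still reaches the log; adding "card" to the filter words hides that whole sub-hash, which is the kind of check worth making against your own forms.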

How can I have POST logging enabled in development mode but completely disabled in production mode?
Joe, I think this should work to control filtering:
If you want to disable POST logging entirely, put this in your production.rb file:
Hmm, why is this in the controller, instead of the model?
@ evan: Why should it be in the model?
Controllers are about communication between the outside world of views and webservers and the inside world of business logic and databases.
The filtering of HTTP parameters from logs is a controller issue, as it’s the controller that handles the HTTP request.
evan, models must not know anything about request params.
Because it is posted parameters logged by the controller, I would guess. They haven’t hit the model yet, and it is possible (although unlikely) they never will.
That said, doesn’t Rails log SQL queries as well that could use something similar?
Because the controller is responsible for logging request parameters, and now – for filtering them as well.
Oh, right. I was thinking model fields, not form fields, for some reason.
I wrote the patch/plugin. I hope everyone else finds it useful.
Jeremy, very nice. Thanks!
Just a passing note to other noobie readers like myself, this also works:
filter_parameter_logging :password
In other words, symbols will work as well of course. Sorry to state the obvious but I had to stare at the example above a bit to figure out why it looked non-Railsy to me.
Oh, and very nice feature by the way! Thank you!
@stoffe this should not be a problem, as you should never be storing passwords in cleartext in the database. You should be using an md5/sha1 hash (and salting it?)
That said, the only thing your SQL will see is an md5/sha1 hash.
Am I the only person wondering why someone would sneak new features into a critical security fix??
Zachery: I think it’s for before it hits the model and SQL. The form data itself is not hashed yet (unless you do it in javascript or something), that is what you want to prevent being logged.