Ruby on Rails | Screencasts | Download | Documentation | Weblog | Community | Source

Ticket #1897 (closed enhancement: fixed)

Opened 3 years ago

Last modified 2 years ago

[PATCH] Filter logging of parameter hash

Reported by: jeremye@bsa.ca.gov Assigned to: David
Priority: normal Milestone:
Component: ActiveSupport Version: 0.13.1
Severity: normal Keywords:
Cc:

Description

This patch changes the logging of the parameter hash to exclude passwords. It removes any key that contains the word password from the params hash and all subhashes before logging.

Note that passwords may still leak into the logs if you are logging all SQL code and the password is used in a query, but there's not really a way around that.

Attachments

dont_log_passwords.diff (2.1 kB) - added by jeremye@bsa.ca.gov on 08/03/05 15:28:59.
hash_remove_passwords.diff (2.8 kB) - added by jeremye@bsa.ca.gov on 08/04/05 14:47:38.
2nd version with unit tests
hash_remove_passwords_v2.diff (3.5 kB) - added by jeremye@bsa.ca.gov on 08/04/05 14:52:03.
Add changing the logging message in actionpack
filter_logged_params.diff (2.5 kB) - added by jeremye@bsa.ca.gov on 09/13/05 15:14:51.
Easy and configurable param logging filter
filter_logged_params_v2.diff (2.6 kB) - added by jeremye@bsa.ca.gov on 09/14/05 10:27:37.
Fixes problems with replacing strings using a block, doesn't pass hash values to the block.
filter_logged_params_v3.diff (5.3 kB) - added by jeremye@bsa.ca.gov on 09/15/05 17:23:41.
Fix when no block is provided, add tests

Change History

08/03/05 15:28:59 changed by jeremye@bsa.ca.gov

  • attachment dont_log_passwords.diff added.

08/04/05 13:43:41 changed by ulysses

Hi Jeremy,

I know the code may seem trivial, but please add some unit tests for the proposed changes.

In addition, you should only need value.is_a?(Hash) -- All indifferent hashes are hashes, so checking is_a? twice is pointless.

08/04/05 14:47:38 changed by jeremye@bsa.ca.gov

  • attachment hash_remove_passwords.diff added.

2nd version with unit tests

08/04/05 14:52:03 changed by jeremye@bsa.ca.gov

  • attachment hash_remove_passwords_v2.diff added.

Add changing the logging message in actionpack

08/04/05 15:18:24 changed by jeremye@bsa.ca.gov

  • component changed from ActiveRecord to ActiveSupport.

I've added a new patch that includes unit tests and fixes a couple problems with the previous patch.

When I first wrote the patch, checking just is_a?(Hash) wasn't working for HashWithIndifferentAccess. As I was writing the unit tests I found that is_a? wasn't working correctly even for regular hashes, so I changed it to use respond_to?. respond_to? makes more sense anyway, as you could now add that method to any class from which you wanted passwords removed.

09/11/05 08:52:40 changed by david

  • summary changed from [PATCH] Don't log passwords in paramater hash to [XPATCH] Don't log passwords in paramater hash.

While the intentions are good, this is too magical and too business logic-like to fit a core extension to Hash. This needs to be move into Action Controller and a note needs to be added when the password is removed. But even then, it's a bit iffy. Hmm.

Perhaps this would work better as an extention to Logger where you could add a rule on what should be stripped out? So you could do something like: 

  Logger.filter(/"password" => (.*),/, '"password" => [REMOVED FOR SECURITY REASONS]')

I think that would be a better way to do it. But I wonder if it can be done in a performant way.

09/13/05 15:14:51 changed by jeremye@bsa.ca.gov

  • attachment filter_logged_params.diff added.

Easy and configurable param logging filter

09/13/05 16:20:02 changed by jeremye@bsa.ca.gov

  • summary changed from [XPATCH] Don't log passwords in paramater hash to [PATCH] Filter logging of parameter hash.

I've uploaded a patch which adds an easy and fairly configurable paramater logging filter. It takes arguments which match on parameter key substrings, as well as a block for complete control. This route is more reliable than the Logger.filter regular expression and it gives the user more control.

Hopefully this feature is general enough that it can be included into Rails. Filtering sensitive data from logs seems like something that many Rails apps could benefit from.

09/14/05 10:27:37 changed by jeremye@bsa.ca.gov

  • attachment filter_logged_params_v2.diff added.

Fixes problems with replacing strings using a block, doesn't pass hash values to the block.

09/15/05 17:23:41 changed by jeremye@bsa.ca.gov

  • attachment filter_logged_params_v3.diff added.

Fix when no block is provided, add tests

10/26/05 13:35:53 changed by david

This looks pretty cool.. Is there a reason we wouldn't want to implement this straight on the logger instead of only on the controller? That way SQL statements could be vetted too.

10/26/05 14:20:14 changed by jeremye@bsa.ca.gov

The logger gets passed a string, so you would be forced to rely on regular expressions to filter, which is less flexible and possibly error prone. Because of quote escaping inside parameter keys and values, it don't think it is possible to filter the parameter hash correctly without regular expression support for negative look behind (think quotes inside parameter keys and values). So you'd need to require Oniguruma, which I don't feel is acceptable.

I think that filtering the parameter hash before passing it to the logger is the safest and most flexible way. For the high security environments that this patch is aimed at, SQL logging should be turned off in production anyway.

11/03/05 23:23:29 changed by anonymous

  • priority changed from normal to highest.
  • milestone set to 1.x.

11/03/05 23:53:53 changed by anonymous

  • severity changed from normal to major.

11/04/05 00:33:43 changed by anonymous

  • priority changed from highest to normal.
  • severity changed from major to normal.
  • milestone deleted.

04/07/06 22:26:55 changed by david

  • status changed from new to closed.
  • resolution set to fixed.

Closed by [4200].