Friday, February 24, 2012

Rails Parameter Filters

Secure programming 101 dictates that you should never write sensitive information to log files, and Rails makes this easy by allowing you to specify a list of sensitive fields in the filter_parameters property of your application configuration object (defined in the config/application.rb file). It's even nice enough to give you a sensible default (:password).

I got tripped up by this a couple of days ago when a non-sensitive parameter that I didn't want filtered out of my logs was getting caught by the filter. I struggled with this for a while until I found the code responsible for the filtering, which clearly states in its comments that it filters out any parameter whose name matches the regular expression /<filter_param>/i. In other words, any parameter whose name contains one of your filter parameter strings will get filtered, and the match is case-insensitive. Here's some example code demonstrating what's going on.

The other thing I discovered is that other code that you include in your project (i.e. gems) can modify the list of filter parameters. For example, the clearance gem adds :token and :password to the filter parameters. To get the definitive list of all of the filter parameters in your application, launch the rails console and inspect the value of <ProjectName>::Application.config.filter_parameters.
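The following is an added example, not the post's own code and not Rails' implementation: it reimplements the matching rule described above (a single case-insensitive /<filter_param>/i regex built from the configured names) as a stand-alone Ruby script so it runs without Rails. The sample parameters and the `caught_keys` helper are constructed for illustration; the idea of a gem appending :token and :password to the list is simulated by concatenating arrays rather than by loading clearance.

```ruby
# Stand-alone reimplementation of the parameter filtering rule described in
# the post. Assumptions: a matching key's value is replaced with "[FILTERED]",
# nested hashes are walked recursively, and the filter names are joined into
# one case-insensitive regex, so any key *containing* a name is matched.
FILTERED = "[FILTERED]".freeze

# Build /<name1>|<name2>|.../i from the configured filter names.
def build_filter_regex(filter_names)
  pattern = filter_names.map { |n| Regexp.escape(n.to_s) }.join("|")
  Regexp.new(pattern, Regexp::IGNORECASE)
end

# Return a copy of params with every matching key's value replaced.
def filter_params(params, filter_names)
  regex = build_filter_regex(filter_names)
  params.each_with_object({}) do |(key, value), out|
    out[key] = if key.to_s =~ regex
                 FILTERED
               elsif value.is_a?(Hash)
                 filter_params(value, filter_names)
               else
                 value
               end
  end
end

# Diagnostic helper (constructed for this example): list the dotted paths of
# every key the filter would catch, so collateral matches are easy to spot.
def caught_keys(params, filter_names, prefix = nil)
  regex = build_filter_regex(filter_names)
  params.flat_map do |key, value|
    path = prefix ? "#{prefix}.#{key}" : key.to_s
    if key.to_s =~ regex
      [path]
    elsif value.is_a?(Hash)
      caught_keys(value, filter_names, path)
    else
      []
    end
  end
end

# Constructed sample request parameters.
SAMPLE_PARAMS = {
  "user" => {
    "email" => "alice@example.com",
    "password" => "hunter2",
    "password_confirmation" => "hunter2",
    "PassWordHint" => "favourite pet"     # caught: match is case-insensitive
  },
  "token_count" => 3,                     # non-sensitive, but contains "token"
  "page" => 2
}

# Rails' default list, and the same list after a gem appends :token and
# :password the way the post describes clearance doing (simulated here).
DEFAULT_FILTERS = [:password].freeze
WITH_GEM_FILTERS = (DEFAULT_FILTERS + [:token, :password]).freeze

if $PROGRAM_NAME == __FILE__
  puts "default  -> #{filter_params(SAMPLE_PARAMS, DEFAULT_FILTERS).inspect}"
  puts "with gem -> #{filter_params(SAMPLE_PARAMS, WITH_GEM_FILTERS).inspect}"
  puts "collateral keys: #{caught_keys(SAMPLE_PARAMS, WITH_GEM_FILTERS).inspect}"
end
```

Running `caught_keys` against your real parameter names is a quick way to see which non-sensitive fields a new filter entry (your own or one added by a gem) will sweep up before it happens in production logs.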
