Rails:从日志中过滤JSON参数中的敏感数据
[英]Rails: Filter sensitive data in JSON parameter from logs
问题描述
I am running Rails 3 and trying to filter sensitive information out of our logs which are JSON blobs that are passed as post parameters. 
我正在运行Rails 3并尝试从我们的日志中过滤敏感信息,这些日志是作为post参数传递的JSON blob。 For example, user creation might take a post param called user with a string value that is a JSON object. 例如,用户创建可能会使用一个名为user的post param,其字符串值是JSON对象。 One of the keys in the JSON object is password and we want to filter this out of our logs. JSON对象中的一个键是password ,我们希望从日志中过滤掉它。 The best way I found to do this was to add a block to our filter_params, like so: 我发现这样做的最好方法是在filter_params中添加一个块,如下所示:
keys_to_filter = ['password', 'password_confirmation']
config.filter_parameters << lambda do |k,v|
if v.is_a? String
keys_to_filter.each do |key|
# Match "key":"<filter_out>", or "key":"<filter_out>"}, allowing for whitespace
v.sub!(/("\s*#{key}\s*")\s*:\s*"[^,\}]*"\s*([,\}])/, "\\1:\"[FILTERED]\"\\2")
end
end
end
This adds a block to the filter_params, which causes an error which is described in another question: Rails: ParameterFilter::compiled_filter tries to dup symbol 这会向filter_params添加一个块,这会导致另一个问题中描述的错误: Rails:ParameterFilter :: compiled_filter尝试重复符号
It appears that it is not safe to pass a block to filter_parameters, so I'm wondering if there is another way to solve this problem. 将块传递给filter_parameters似乎是不安全的,所以我想知道是否有另一种方法可以解决这个问题。
4 个解决方案
解决方案1
2 2016-04-07 17:48:32
Why is @Nesbitt's answer downvoted (down below)? 为什么@ Nesbitt的答案被低估了(下面)? Sure, it references code in a test suite, but that test suite is just testing a feature documented in ActionDispatch::Http::FilterParameters: 当然,它引用了测试套件中的代码,但该测试套件只是测试ActionDispatch :: Http :: FilterParameters中记录的功能:
If a block is given, each key and value of the params hash and all subhashes is passed to it, the value or key can be replaced using String#replace or similar method.
See comments in the API docs for Rails 3.x here . 请在此处查看Rails 3.x的API文档中的注释。
I needed to do the same thing: transform a field in a JSON blob that was sent with an HTTP POST to a Rails 3 app. 我需要做同样的事情:将使用HTTP POST发送的JSON blob中的字段转换为Rails 3应用程序。 In my case I just wanted to include a hashed digest of a field, so in config/application.rb: 在我的例子中,我只想包含一个字段的散列摘要,所以在config / application.rb中:
config.filter_parameters += [:password, lambda {|key, value|
if key.to_s == 'my_key'
value.replace(calculate_my_hash(value))
end
}]
解决方案2
1 2011-06-03 18:22:28
There is an example of passing a block to filter_parameters in the Rails test suite : 在Rails测试套件中有一个将块传递给filter_parameters的示例:
config.filter_parameters += [ :foo, 'bar', lambda { |key, value|
value = value.reverse if key =~ /baz/
}]
解决方案3
1 2011-07-21 09:12:11
I'm developing a Rails 3 app, and using Backbone.js. 我正在开发一个Rails 3应用程序,并使用Backbone.js。 I'm passing JSON objects when I create or update a record. 我在创建或更新记录时传递JSON对象。 I overrode my Backbone model's toJSON function and hardcoded a password param just to test your issue. 我覆盖了我的Backbone模型的toJSON函数并硬编码密码参数只是为了测试你的问题。 In my case, config.filter_parameters is just [:password], and it filters the password param correctly in the logs. 在我的例子中,config.filter_parameters只是[:password],它在日志中正确过滤密码参数。 At first I tested this in update which submits a PUT request. 起初我在更新中对此进行了测试,提交了PUT请求。 I then tested this in create with a POST request just to check if there's any special bug when submitting a POST. 然后,我在创建时使用POST请求对此进行测试,以检查提交POST时是否存在任何特殊错误。 Password is still filtered correctly. 密码仍然正确过滤。 Am I missing something? 我错过了什么吗?
It looks like config.filter_parameters works correctly without needing to pass a block. 看起来config.filter_parameters正常工作而无需传递块。
解决方案4
0 2011-07-14 18:04:14
I have dealt with the same issue in our application. 我在申请中处理了同样的问题。 I ended up blocking the entire JSON string from logging where there was secure data, and then adding explicit loggers for any information I wanted logged. 我最终阻止整个JSON字符串记录有安全数据的位置,然后为我想记录的任何信息添加显式记录器。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.