[英]Rails: Filter sensitive data in JSON parameter from logs
I am running Rails 3 and trying to filter sensitive information out of our logs which are JSON blobs that are passed as post parameters. 我正在运行Rails 3并尝试从我们的日志中过滤敏感信息,这些日志是作为post参数传递的JSON blob。 For example, user creation might take a post param called
user
with a string value that is a JSON object. 例如,用户创建可能会使用一个名为
user
的post param,其字符串值是JSON对象。 One of the keys in the JSON object is password
and we want to filter this out of our logs. JSON对象中的一个键是
password
,我们希望从日志中过滤掉它。 The best way I found to do this was to add a block to our filter_params, like so: 我发现这样做的最好方法是在filter_params中添加一个块,如下所示:
keys_to_filter = ['password', 'password_confirmation']
config.filter_parameters << lambda do |k,v|
if v.is_a? String
keys_to_filter.each do |key|
# Match "key":"<filter_out>", or "key":"<filter_out>"}, allowing for whitespace
v.sub!(/("\s*#{key}\s*")\s*:\s*"[^,\}]*"\s*([,\}])/, "\\1:\"[FILTERED]\"\\2")
end
end
end
This adds a block to the filter_params, which causes an error which is described in another question: Rails: ParameterFilter::compiled_filter tries to dup symbol 这会向filter_params添加一个块,这会导致另一个问题中描述的错误: Rails:ParameterFilter :: compiled_filter尝试重复符号
It appears that it is not safe to pass a block to filter_parameters, so I'm wondering if there is another way to solve this problem. 将块传递给filter_parameters似乎是不安全的,所以我想知道是否有另一种方法可以解决这个问题。
Why is @Nesbitt's answer downvoted (down below)? 为什么@ Nesbitt的答案被低估了(下面)? Sure, it references code in a test suite, but that test suite is just testing a feature documented in ActionDispatch::Http::FilterParameters:
当然,它引用了测试套件中的代码,但该测试套件只是测试ActionDispatch :: Http :: FilterParameters中记录的功能:
If a block is given, each key and value of the params hash and all subhashes is passed to it, the value or key can be replaced using String#replace or similar method.
如果给出了一个块,则将params散列和所有子散列的每个键和值传递给它,可以使用String#replace或类似方法替换值或键。
See comments in the API docs for Rails 3.x here . 请在此处查看Rails 3.x的API文档中的注释。
I needed to do the same thing: transform a field in a JSON blob that was sent with an HTTP POST to a Rails 3 app. 我需要做同样的事情:将使用HTTP POST发送的JSON blob中的字段转换为Rails 3应用程序。 In my case I just wanted to include a hashed digest of a field, so in config/application.rb:
在我的例子中,我只想包含一个字段的散列摘要,所以在config / application.rb中:
config.filter_parameters += [:password, lambda {|key, value|
if key.to_s == 'my_key'
value.replace(calculate_my_hash(value))
end
}]
There is an example of passing a block to filter_parameters
in the Rails test suite : 在Rails测试套件中有一个将块传递给
filter_parameters
的示例:
config.filter_parameters += [ :foo, 'bar', lambda { |key, value|
value = value.reverse if key =~ /baz/
}]
I'm developing a Rails 3 app, and using Backbone.js. 我正在开发一个Rails 3应用程序,并使用Backbone.js。 I'm passing JSON objects when I create or update a record.
我在创建或更新记录时传递JSON对象。 I overrode my Backbone model's toJSON function and hardcoded a password param just to test your issue.
我覆盖了我的Backbone模型的toJSON函数并硬编码密码参数只是为了测试你的问题。 In my case, config.filter_parameters is just [:password], and it filters the password param correctly in the logs.
在我的例子中,config.filter_parameters只是[:password],它在日志中正确过滤密码参数。 At first I tested this in update which submits a PUT request.
起初我在更新中对此进行了测试,提交了PUT请求。 I then tested this in create with a POST request just to check if there's any special bug when submitting a POST.
然后,我在创建时使用POST请求对此进行测试,以检查提交POST时是否存在任何特殊错误。 Password is still filtered correctly.
密码仍然正确过滤。 Am I missing something?
我错过了什么吗?
It looks like config.filter_parameters works correctly without needing to pass a block. 看起来config.filter_parameters正常工作而无需传递块。
I have dealt with the same issue in our application. 我在申请中处理了同样的问题。 I ended up blocking the entire JSON string from logging where there was secure data, and then adding explicit loggers for any information I wanted logged.
我最终阻止整个JSON字符串记录有安全数据的位置,然后为我想记录的任何信息添加显式记录器。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.