Rails:从日志中过滤 JSON 参数中的敏感数据

发布于 2024-10-21 11:52:48 字数 854 浏览 6 评论 0原文

我正在运行 Rails 3 并尝试从日志中过滤出敏感信息,这些信息是作为 post 参数传递的 JSON blob。例如,用户创建可能需要一个名为 user 的 post 参数,其字符串值是 JSON 对象。 JSON 对象中的键之一是 password,我们希望将其从日志中过滤掉。我发现做到这一点的最好方法是向我们的filter_params添加一个块,如下所示:

keys_to_filter = ['password', 'password_confirmation']
config.filter_parameters << lambda do |k,v|
  if v.is_a? String
    keys_to_filter.each do |key|
      # Match "key":"<filter_out>", or "key":"<filter_out>"}, allowing for whitespace
      v.sub!(/("\s*#{key}\s*")\s*:\s*"[^,\}]*"\s*([,\}])/, "\\1:\"[FILTERED]\"\\2")
    end
  end
end

这向filter_params添加一个块,这会导致另一个问题中描述的错误: com/questions/5265431/rails-parameterfiltercompiled-filter-tries-to-dup-symbol">Rails: ParameterFilter::compiled_filter attempts to dup symbol

看来将块传递给filter_parameters并不安全,所以我想知道是否还有其他方法可以解决这个问题。

I am running Rails 3 and trying to filter sensitive information out of our logs which are JSON blobs that are passed as post parameters. For example, user creation might take a post param called user with a string value that is a JSON object. One of the keys in the JSON object is password and we want to filter this out of our logs. The best way I found to do this was to add a block to our filter_params, like so:

keys_to_filter = ['password', 'password_confirmation']
config.filter_parameters << lambda do |k,v|
  if v.is_a? String
    keys_to_filter.each do |key|
      # Match "key":"<filter_out>", or "key":"<filter_out>"}, allowing for whitespace
      v.sub!(/("\s*#{key}\s*")\s*:\s*"[^,\}]*"\s*([,\}])/, "\\1:\"[FILTERED]\"\\2")
    end
  end
end

This adds a block to the filter_params, which causes an error which is described in another question: Rails: ParameterFilter::compiled_filter tries to dup symbol

It appears that it is not safe to pass a block to filter_parameters, so I'm wondering if there is another way to solve this problem.

如果你对这篇内容有疑问,欢迎到本站社区发帖提问 参与讨论,获取更多帮助,或者扫码二维码加入 Web 技术交流群。

扫码二维码加入Web技术交流群

发布评论

需要 登录 才能够评论, 你可以免费 注册 一个本站的账号。

评论(4

一人独醉 2024-10-28 11:52:48

Rails 测试套件

config.filter_parameters += [ :foo, 'bar', lambda { |key, value|
  value = value.reverse if key =~ /baz/
 }]

There is an example of passing a block to filter_parameters in the Rails test suite:

config.filter_parameters += [ :foo, 'bar', lambda { |key, value|
  value = value.reverse if key =~ /baz/
 }]
伴我老 2024-10-28 11:52:48

为什么@Nesbitt 的答案被否决(在下面)?当然,它引用了测试套件中的代码,但该测试套件只是测试 ActionDispatch::Http::FilterParameters 中记录的功能:

如果给定了一个块,则将 params 哈希和所有子哈希的每个键和值传递给它,可以使用 String#replace 或类似方法替换该值或键。

请参阅 Rails 3.x API 文档中的注释此处

我需要做同样的事情:转换通过 HTTP POST 发送到 Rails 3 应用程序的 JSON blob 中的字段。就我而言,我只想包含字段的哈希摘要,因此在 config/application.rb 中:

config.filter_parameters += [:password, lambda {|key, value|
  if key.to_s == 'my_key'
    value.replace(calculate_my_hash(value))
  end
}]

Why is @Nesbitt's answer downvoted (down below)? Sure, it references code in a test suite, but that test suite is just testing a feature documented in ActionDispatch::Http::FilterParameters:

If a block is given, each key and value of the params hash and all subhashes is passed to it, the value or key can be replaced using String#replace or similar method.

See comments in the API docs for Rails 3.x here.

I needed to do the same thing: transform a field in a JSON blob that was sent with an HTTP POST to a Rails 3 app. In my case I just wanted to include a hashed digest of a field, so in config/application.rb:

config.filter_parameters += [:password, lambda {|key, value|
  if key.to_s == 'my_key'
    value.replace(calculate_my_hash(value))
  end
}]
雨夜星沙 2024-10-28 11:52:48

我正在开发一个 Rails 3 应用程序,并使用 Backbone.js。我在创建或更新记录时传递 JSON 对象。我重写了 Backbone 模型的 toJSON 函数并硬编码了密码参数只是为了测试您的问题。就我而言,config.filter_parameters 只是 [:password],它会在日志中正确过滤密码参数。起初我在提交 PUT 请求的 update 中对此进行了测试。然后我在 create 中使用 POST 请求进行了测试,只是为了检查提交 POST 时是否存在任何特殊错误。密码仍然被正确过滤。我错过了什么吗?

看起来 config.filter_parameters 可以正常工作,无需传递块。

I'm developing a Rails 3 app, and using Backbone.js. I'm passing JSON objects when I create or update a record. I overrode my Backbone model's toJSON function and hardcoded a password param just to test your issue. In my case, config.filter_parameters is just [:password], and it filters the password param correctly in the logs. At first I tested this in update which submits a PUT request. I then tested this in create with a POST request just to check if there's any special bug when submitting a POST. Password is still filtered correctly. Am I missing something?

It looks like config.filter_parameters works correctly without needing to pass a block.

断念 2024-10-28 11:52:48

我在我们的应用程序中处理了同样的问题。我最终阻止了整个 JSON 字符串记录存在安全数据的地方,然后为我想要记录的任何信息添加显式记录器。

I have dealt with the same issue in our application. I ended up blocking the entire JSON string from logging where there was secure data, and then adding explicit loggers for any information I wanted logged.

~没有更多了~
我们使用 Cookies 和其他技术来定制您的体验包括您的登录状态等。通过阅读我们的 隐私政策 了解更多相关信息。 单击 接受 或继续使用网站,即表示您同意使用 Cookies 和您的相关数据。
原文